RE: [expert] Security and permissions problems

2003-07-03 Thread Frankie
yeah, i think that is one thing mandrake could really really improve.
Msec has the potential to be a really fantastic hardning script..
But as it stands now, even on servers i use level 3 and tighten up manually.

it needs a console and/or a X11 GUI..

Just something where it displays the level, and gives you a list of the msec
options so you check and uncheck specific settings. (rather then just
choosing a level.)
It could be done without changing any of its current functionality I'd
imagine.)

that would serve two benefits..

1. tells you want msec is actually doing at a given level.
2. allows you to easily stop it.. or enable it.

personally i think a console GUI'd be fine, but suspect others would prefer
X11.
and if its the latter, it could be part of control center.


rgds

Franki

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Vox
Sent: Thursday, 3 July 2003 6:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] Security and permissions problems


On September 1993 plus 3591 days Praedor Atrebates wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 After I originally found that all users could see other user's home
contents,
 I tried first changing to security level 3.  Someone else mentioned I
could
 set the home permission to 700.

 Both methods have screwed up my system and I can't seem to get it back
even
 though I switched to security level 2.  My system is OK at the moment but
 there will come a time (how long it takes is unknown as yet) when all of a
 sudden, I cannot open konsoles, xterms, or start any app for that matter.
 The perms on my home directory will change that will 1) prevent KDE from
 working because it can't get write permissions to my home, and 2) kmail
wont
 be able to download/store email because it wont have write permission to
my
 ~/Mail directories.  I have had to twice login as root and chown
 praedor.praedor /home/praedor and set my home perm to 711, then 755.

 I restarted DrakConf and then went to Drakperms and set the security level
to
 2 and made sure that /home/* was no longer editable and no longer 700 but
 nevertheless I get this repetitious problem.

 What security level will allow users to actually USE their home
directories,
 window managers, etc, without problems but also prevent other users from
 looking at the contents of their HOME dirs?

  Uhm...I use msec3 always, on all machines, and never have problems
  using any apps...I think you messed up the perms in drakperms in
  some way. What I *have* noticed a couple of times (not tried
  lately...this happened in the 8.x days) is that if you go from a
  higher level to a lower level of msec, some perms do get messed up
  and you have to fix them by hand before msec will start listening to
  you again. But that happened both times going from 5 to 3, and the
  problems you are referring to are not problems that I can relate to
  3 in any way.

  Vox

--
Think of the Linux community as a niche economy isolated by its beliefs.
Kind
of like the Amish, except that our religion requires us to use _higher_
technology than everyone else.   -- Donald B. Marti Jr.


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


RE: [expert] Security and permissions problems

2003-07-03 Thread James Sparenberg
On Wed, 2003-07-02 at 23:22, Frankie wrote:
 yeah, i think that is one thing mandrake could really really improve.
 Msec has the potential to be a really fantastic hardning script..
 But as it stands now, even on servers i use level 3 and tighten up manually.
 
 it needs a console and/or a X11 GUI..
 
 Just something where it displays the level, and gives you a list of the msec
 options so you check and uncheck specific settings. (rather then just
 choosing a level.)
 It could be done without changing any of its current functionality I'd
 imagine.)
 
 that would serve two benefits..
 
 1. tells you want msec is actually doing at a given level.
 2. allows you to easily stop it.. or enable it.
 
 personally i think a console GUI'd be fine, but suspect others would prefer
 X11.
 and if its the latter, it could be part of control center.
 
 
 rgds
 
 Franki

Franki,

   Have you tried the MCC section Security then the button with the
lengthy title starting out Drak Perm?  I think this is supposed to be
what you want.

James



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Security and permissions problems

2003-07-03 Thread James Sparenberg
On Thu, 2003-07-03 at 07:35, Praedor Atrebates wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I just fought with security settings again last night.  I don't yet know if I 
 have it beat.  I could not get things back to even a low/no security level so 
 I could start over.  This is a problem.  I used MCC - security to set my 
 system to 3, then to 2 but nothing changed.  I was unable to get into my 
 home, I could not start any wm because they didn't have write perms in my 
 home.  This even after I expressly set all home dirs to 777 and made sure I 
 had proper ownerships of my own dir.  MDK kept insisting on changing my 
 ownership to a numeric value (500) instead of to me the user name and this 
 ALWAYS screws up everything.  The system also kept insisting on giving user 
 and group ownership of my home dirs to adm.  When could that ever be useful?  
 I assures that one can't do anything in or with their own homes.  
 
 I'll check the system tnoght when I get home to see if it has remained with my 
 good settings or has switched back to broken/unusable again.  What good is 
 the MCC security app if it refuses to really change anything - particularly 
 when going from a higher level to a lower level?  What does standard or 
 high mean in security setting wrt msec levels?  

Praedor,

   Don't have an answer to the last question but ... what I would do is 

rpm -e msec and then remove the rpmsave's it leaves behind, and make
sure /etc/msec is gone.

modify things such so that you can login again and do what you need.

If you want then do urpmi msec  to re-install it and start all over.

James

 
 praedor
 
 On Thursday 03 July 2003 02:18 am, James Sparenberg wrote:
  On Wed, 2003-07-02 at 23:22, Frankie wrote:
   yeah, i think that is one thing mandrake could really really improve.
   Msec has the potential to be a really fantastic hardning script..
   But as it stands now, even on servers i use level 3 and tighten up
   manually.
  
   it needs a console and/or a X11 GUI..
  
   Just something where it displays the level, and gives you a list of the
   msec options so you check and uncheck specific settings. (rather then
   just choosing a level.)
   It could be done without changing any of its current functionality I'd
   imagine.)
  
   that would serve two benefits..
  
   1. tells you want msec is actually doing at a given level.
   2. allows you to easily stop it.. or enable it.
  
   personally i think a console GUI'd be fine, but suspect others would
   prefer X11.
   and if its the latter, it could be part of control center.
  
  
   rgds
  
   Franki
 
  Franki,
 
 Have you tried the MCC section Security then the button with the
  lengthy title starting out Drak Perm?  I think this is supposed to be
  what you want.
 
  James
 
 - -- 
 Not a single 9/11 terrorist came from Iraq, nor did a single one train in 
 Iraq. Iraq had NOTHING to do with 9/11.
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.2 (GNU/Linux)
 
 iD8DBQE/BD9MaKr9sJYeTxgRAlWXAKC5l7j4boqBvpoMV8JQL3CLGNITEwCgptn5
 wPYWwi8Mt7hxCMM7PQuVP/g=
 =7y9U
 -END PGP SIGNATURE-
 
 
 __
 Want to buy your Pack or Services from MandrakeSoft? 
 Go to http://www.mandrakestore.com


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Security and permissions problems

2003-07-03 Thread Jack Coates
On Thu, 2003-07-03 at 07:35, Praedor Atrebates wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I just fought with security settings again last night.  I don't yet know if I 
 have it beat.  I could not get things back to even a low/no security level so 
 I could start over.  This is a problem.  I used MCC - security to set my 
 system to 3, then to 2 but nothing changed.  I was unable to get into my 
 home, I could not start any wm because they didn't have write perms in my 
 home.  This even after I expressly set all home dirs to 777 and made sure I 
 had proper ownerships of my own dir.  MDK kept insisting on changing my 
 ownership to a numeric value (500) instead of to me the user name and this 
 ALWAYS screws up everything.  The system also kept insisting on giving user 
 and group ownership of my home dirs to adm.  When could that ever be useful?  
 I assures that one can't do anything in or with their own homes.  
 

silly question here, but is your UID really 500? The first user created
by the install program is 501, not 500.

 I'll check the system tnoght when I get home to see if it has remained with my 
 good settings or has switched back to broken/unusable again.  What good is 
 the MCC security app if it refuses to really change anything - particularly 
 when going from a higher level to a lower level?  What does standard or 
 high mean in security setting wrt msec levels?  
 
 praedor
 
 On Thursday 03 July 2003 02:18 am, James Sparenberg wrote:
  On Wed, 2003-07-02 at 23:22, Frankie wrote:
   yeah, i think that is one thing mandrake could really really improve.
   Msec has the potential to be a really fantastic hardning script..
   But as it stands now, even on servers i use level 3 and tighten up
   manually.
  
   it needs a console and/or a X11 GUI..
  
   Just something where it displays the level, and gives you a list of the
   msec options so you check and uncheck specific settings. (rather then
   just choosing a level.)
   It could be done without changing any of its current functionality I'd
   imagine.)
  
   that would serve two benefits..
  
   1. tells you want msec is actually doing at a given level.
   2. allows you to easily stop it.. or enable it.
  
   personally i think a console GUI'd be fine, but suspect others would
   prefer X11.
   and if its the latter, it could be part of control center.
  
  
   rgds
  
   Franki
 
  Franki,
 
 Have you tried the MCC section Security then the button with the
  lengthy title starting out Drak Perm?  I think this is supposed to be
  what you want.
 
  James
 
 - -- 
 Not a single 9/11 terrorist came from Iraq, nor did a single one train in 
 Iraq. Iraq had NOTHING to do with 9/11.
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.2 (GNU/Linux)
 
 iD8DBQE/BD9MaKr9sJYeTxgRAlWXAKC5l7j4boqBvpoMV8JQL3CLGNITEwCgptn5
 wPYWwi8Mt7hxCMM7PQuVP/g=
 =7y9U
 -END PGP SIGNATURE-
 
 
 __
 
 Want to buy your Pack or Services from MandrakeSoft? 
 Go to http://www.mandrakestore.com
-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
http://www.monkeynoodle.org/resume.html


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Security and permissions problems

2003-07-03 Thread Toshiro
El Mié 02 Jul 2003 19:12, Praedor Atrebates escribió:
 After I originally found that all users could see other user's home
 contents, I tried first changing to security level 3.  Someone else
 mentioned I could set the home permission to 700.
[...]

I never use Mandrake´s security levels, I don´t like side effects :) 

I usually set home dirs like this:

chmod 751 /home
chown root.root /home

Then I set every user´s home directory:

chmod 700 /home/user
chown user.user /home/user

Try this, it works.

--
Toshiro.




INTERNET URUGUAY: http://www.internet.com.uy
Acceso ilimitado a INTERNET por un 30% menos


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Security and permissions problems

2003-07-02 Thread Vox
On September 1993 plus 3591 days Praedor Atrebates wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 After I originally found that all users could see other user's home contents, 
 I tried first changing to security level 3.  Someone else mentioned I could 
 set the home permission to 700.  

 Both methods have screwed up my system and I can't seem to get it back even 
 though I switched to security level 2.  My system is OK at the moment but 
 there will come a time (how long it takes is unknown as yet) when all of a 
 sudden, I cannot open konsoles, xterms, or start any app for that matter.  
 The perms on my home directory will change that will 1) prevent KDE from 
 working because it can't get write permissions to my home, and 2) kmail wont 
 be able to download/store email because it wont have write permission to my 
 ~/Mail directories.  I have had to twice login as root and chown 
 praedor.praedor /home/praedor and set my home perm to 711, then 755.  

 I restarted DrakConf and then went to Drakperms and set the security level to 
 2 and made sure that /home/* was no longer editable and no longer 700 but 
 nevertheless I get this repetitious problem.  

 What security level will allow users to actually USE their home directories, 
 window managers, etc, without problems but also prevent other users from 
 looking at the contents of their HOME dirs?

  Uhm...I use msec3 always, on all machines, and never have problems
  using any apps...I think you messed up the perms in drakperms in
  some way. What I *have* noticed a couple of times (not tried
  lately...this happened in the 8.x days) is that if you go from a
  higher level to a lower level of msec, some perms do get messed up
  and you have to fix them by hand before msec will start listening to
  you again. But that happened both times going from 5 to 3, and the
  problems you are referring to are not problems that I can relate to
  3 in any way.

  Vox

-- 
Think of the Linux community as a niche economy isolated by its beliefs.  Kind
of like the Amish, except that our religion requires us to use _higher_
technology than everyone else.   -- Donald B. Marti Jr.


pgp0.pgp
Description: PGP signature


Re: [expert] Security and permissions problems

2003-07-02 Thread chort
On Wed, 2 Jul 2003, Vox wrote:

 On September 1993 plus 3591 days Praedor Atrebates wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  After I originally found that all users could see other user's home contents, 
  I tried first changing to security level 3.  Someone else mentioned I could 
  set the home permission to 700.  
 
  Both methods have screwed up my system and I can't seem to get it back even 
  though I switched to security level 2.  My system is OK at the moment but 
  there will come a time (how long it takes is unknown as yet) when all of a 
  sudden, I cannot open konsoles, xterms, or start any app for that matter.  
  The perms on my home directory will change that will 1) prevent KDE from 
  working because it can't get write permissions to my home, and 2) kmail wont 
  be able to download/store email because it wont have write permission to my 
  ~/Mail directories.  I have had to twice login as root and chown 
  praedor.praedor /home/praedor and set my home perm to 711, then 755.  
 
  I restarted DrakConf and then went to Drakperms and set the security level to 
  2 and made sure that /home/* was no longer editable and no longer 700 but 
  nevertheless I get this repetitious problem.  
 
  What security level will allow users to actually USE their home directories, 
  window managers, etc, without problems but also prevent other users from 
  looking at the contents of their HOME dirs?
 
   Uhm...I use msec3 always, on all machines, and never have problems
   using any apps...I think you messed up the perms in drakperms in
   some way. What I *have* noticed a couple of times (not tried
   lately...this happened in the 8.x days) is that if you go from a
   higher level to a lower level of msec, some perms do get messed up
   and you have to fix them by hand before msec will start listening to
   you again. But that happened both times going from 5 to 3, and the
   problems you are referring to are not problems that I can relate to
   3 in any way.
 
   Vox
 
 

I use msec 4, with a few custom tweaks.  I've never* had any problems
(with using apps, any way).  All my homedirs are 700.

*Unless you consider that promiscuous check a problem.  That crazy thing
would always spam my logs until I finally figured out how to disable it
for good.  Also a few of the other directories were mod'd to some
annoying level, but I fixed them in the perms file.

-- 
-chort
AKA Brian Keefer
The thoughts I express are generally piped from /dev/random,
needless to say they do not represent my fine employer:
CipherTrust, Inc - www.ciphertrust.com

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Security and permissions problems

2003-07-02 Thread Vincent Danen
On Wed Jul 02, 2003 at 05:12:13PM -0500, Praedor Atrebates wrote:

 After I originally found that all users could see other user's home contents, 
 I tried first changing to security level 3.  Someone else mentioned I could 
 set the home permission to 700.  
 
 Both methods have screwed up my system and I can't seem to get it back even 
 though I switched to security level 2.  My system is OK at the moment but 
 there will come a time (how long it takes is unknown as yet) when all of a 
 sudden, I cannot open konsoles, xterms, or start any app for that matter.  
 The perms on my home directory will change that will 1) prevent KDE from 
 working because it can't get write permissions to my home, and 2) kmail wont 
 be able to download/store email because it wont have write permission to my 
 ~/Mail directories.  I have had to twice login as root and chown 
 praedor.praedor /home/praedor and set my home perm to 711, then 755.  
 
 I restarted DrakConf and then went to Drakperms and set the security level to 
 2 and made sure that /home/* was no longer editable and no longer 700 but 
 nevertheless I get this repetitious problem.  
 
 What security level will allow users to actually USE their home directories, 
 window managers, etc, without problems but also prevent other users from 
 looking at the contents of their HOME dirs?

# msec 3

This is the level I always use.  Any further tightening I do on my own.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
lynx -source http://linsec.ca/vdanen.asc | gpg --import
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}



pgp0.pgp
Description: PGP signature