At 03:00 AM 5/23/02, you wrote:
>Try http://www.mandrakesecure.net/en/docs/msec.php
>Paragraph "Customizing msec With Overrides" might answer your question.
>
>raffaele
>
>[EMAIL PROTECTED] wrote:
>>When a secure mandrake boots up, it appears to check through the system
>>and set permissions on files and directories throughout the system
>>according to some pre-defined criteria.
>>Where is this criteria set so I can customize it?
>>-- jeremy
The complications go far beyond this!
Script /etc/sysconfig/msec defines security level and umasks. Mine looks like:
UMASK_ROOT=022
SECURE_LEVEL=3
UMASK_USER=022
TMOUT=0
Every day at 04:02, as part of /etc/cron.daily, script
/usr/share/msec/security.sh is run. Using UMASK_ROOT, in /var/log/security
the script creates the *.today files (unowned_group.today,
unowned_user.today, writeable.today, etc). These files are created with
0644 permissions (-rw-r--r--).
Then at 05:01, as part of /etc/cron.hourly, script /usr/sbin/msec is run
and complains:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
May 22 05:02:18 osage msec: changed mode of
/var/log/security/open_port.today from 644 to 640
May 22 05:02:18 osage msec: changed mode of
/var/log/security/suid_root.today from 644 to 640
May 22 05:02:18 osage msec: changed mode of
/var/log/security/suid_group.today from 644 to 640
May 22 05:02:18 osage msec: changed mode of
/var/log/security/unowned_group.today from 644 to 640
May 22 05:02:18 osage msec: changed mode of
/var/log/security/writeable.today from 644 to 640
The expected value of 640 varies according to security level, with level 1
having 644, levels 2 and 3 using 640, and levels 4 and 5 using
600. Here're two sets of patches for creating proper permissions for these
files. The first method generates the ROOT_UMASK statement from values
stored in an array and the second method generates the ROOT_UMASK statement
using nested if statements.
Please fix msec!!! I don't care if you use one of these patches, or an
alternative method, but please DO fix msec.
Thanks.
David
##### generate the ROOT_UMASK statement from values stored in an array
--- msec.py.orig Fri Feb 22 16:55:18 2002
+++ msec.py Thu May 23 10:56:57 2002
@@ -110,13 +110,14 @@
enable_ip_spoofing_protection(server)
# differences between level 5 and others
+root_masks=( '022', '026', '026', '077', '077' )
+set_root_umask( root_masks[level-1])
+
if level == 5:
- set_root_umask('077')
set_shell_timeout(900)
authorize_services(NONE)
enable_pam_wheel_for_su(1)
else:
- set_root_umask('022')
if level == 4:
set_shell_timeout(3600)
authorize_services(LOCAL)
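Review bot: `root_masks[level-1]` on the `+set_root_umask( root_masks[level-1])` line has no range guard: a level of 0 silently indexes from the end and yields '077', and any level above 5 raises IndexError, so assert `1 <= level <= 5` (or clamp) before the lookup. The table itself is consistent with the modes quoted in the message (022 gives 644, 026 gives 640, 077 gives 600). Note also that the context and `+` lines in this hunk have lost their leading whitespace in the mail, so the patch needs re-indenting before it applies to msec.py.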
##### generate the ROOT_UMASK statement using nested if statements
--- msec.py.orig Fri Feb 22 16:55:18 2002
+++ msec.py Thu May 23 10:58:29 2002
@@ -111,12 +111,10 @@
# differences between level 5 and others
if level == 5:
- set_root_umask('077')
set_shell_timeout(900)
authorize_services(NONE)
enable_pam_wheel_for_su(1)
else:
- set_root_umask('022')
if level == 4:
set_shell_timeout(3600)
authorize_services(LOCAL)
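Review bot: this hunk removes both `set_root_umask` calls without putting anything in their place, so after it alone no root umask is set for any level; it only makes sense applied together with the second hunk, and the header's line counts (12 to 10) confirm nothing else replaces them here. State that dependency in the patch description so the two hunks are not split.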
@@ -125,6 +123,14 @@
authorize_services(ALL)
enable_pam_wheel_for_su(0)
+# umask differences between levels
+if level >= 4:
+ set_root_umask('077')
+ if level >= 4:
+ set_root_umask('026')
+ else:
+ set_root_umask('022')
+
# differences between level 4,5 and others
if level >= 4:
set_user_umask('077')
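Review bot: the second `+ if level >= 4:` (the one before `set_root_umask('026')`) repeats the outer test, so levels 2 and 3 can never receive '026': as nested, they either fall through to '022' or get no umask set at all. It should read `elif level >= 2:` (or `else:` followed by `if level >= 2:`), which is what the level-to-mode table in the message calls for (1 gives 644, 2 and 3 give 640, 4 and 5 give 600). Stripped indentation also makes the intended nesting ambiguous in this hunk; re-indent before resubmitting.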
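The level-to-umask table and the resulting modes David describes, as an added example that is not from the mail or from msec itself: it maps SECURE_LEVEL to the root umask, computes the mode a file created with 0666 ends up with, and reports any *.today file whose permission bits differ from what msec would expect at that level. The directory, file names and the 0644 modes in the demo are constructed sample data.

```python
# Added example, not msec's own code: level -> root umask -> expected file mode.
import os
import stat
import tempfile

# Per the message: level 1 -> 644, levels 2-3 -> 640, levels 4-5 -> 600.
ROOT_UMASK_BY_LEVEL = {1: 0o022, 2: 0o026, 3: 0o026, 4: 0o077, 5: 0o077}


def root_umask_for_level(level):
    """Return the root umask for a msec security level (1..5); reject others."""
    if level not in ROOT_UMASK_BY_LEVEL:
        raise ValueError("unsupported SECURE_LEVEL: %r" % (level,))
    return ROOT_UMASK_BY_LEVEL[level]


def mode_from_umask(umask, create_mode=0o666):
    """Permission bits a file created with create_mode gets under umask."""
    return create_mode & ~umask & 0o777


def check_today_files(directory, level):
    """Return [(path, actual_mode, expected_mode)] for every *.today file in
    directory whose permission bits differ from the level's expected mode."""
    expected = mode_from_umask(root_umask_for_level(level))
    bad = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".today"):
            continue
        path = os.path.join(directory, name)
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        if actual != expected:
            bad.append((path, actual, expected))
    return bad


def demo():
    """Constructed sample: two .today files written 0644, as security.sh does
    under UMASK_ROOT=022, checked against level 3 (which expects 640)."""
    d = tempfile.mkdtemp()
    for name in ("writeable.today", "suid_root.today"):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, 0o644)
    return check_today_files(d, 3)
```

Running `demo()` returns both constructed files as mismatches (actual 644, expected 640), which is exactly the correction the hourly msec run logs above.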