[COLUG] Permissions Problem
Brian
bnmille at gmail.com
Mon Mar 24 08:57:47 EST 2008

On Sun, Mar 23, 2008 at 2:22 PM, Rick Troth <rmt at casita.net> wrote:
> I have seen 'chown' reset the set-uid bit on files.
> Dunno the origin of this behaviour, but it is annoying.
> Also, if you blanketly 'chgrp' to "root" some important group IDs
> will be lost.

This is interesting. If you think about it, however, it is likely a
security feature. Suppose a normal user needs the ability to change
the group and owners of files, but should not be allowed full root
access. So you configure sudo to allow the user to run chown and
chgrp. However, now the user can copy /bin/bash to his home
directory, set the SUID bit, and then change ownership to root. This
gives the user full root access, UNLESS the chown and chgrp commands
remove suid and guid bits.

Moving back to Stephen's problem, however, I think the quickest
solution would be to run (as root) the two commands I mentioned
earlier:
"chkstat -set /etc/permissions" and "chkstat -set /etc/permissions.easy"

SuSE provides several files under /etc/ that can be used to set
default permissions for files and directories. /etc/permissions sets
the permissions for most of the standard directories (if used as an
argument to the chkstat program). Then you have the
/etc/permissions.{easy | secure | paranoid } files. Each of these sets
the owner, group and modes for most important files. They suggest
permissions.easy for a workstation, permissions.secure for a networked
server, and permissions.paranoid for a system where you don't trust
anyone. The last config file actually removes all suid/guid bits from
any executable (like passwd, mount, etc.). But if he runs the
"chkstat -set /etc/permissions.easy", the system will restore the
owner and suid/guid bits to those same files. You can configure the
system to run the chkstat program on every boot, but I forget the
details at the moment. Often installing a new program, causing YaST
to run SuSE-config, will run it also. One final note: If you create a
file "/etc/permissions.local" and make a change to your system that
might add/remove important files, the chkstat program will be run, and
any file permissions you put into the .local file will overwrite
whatever defaults you have selected.

You can also cause the changes by opening YaST --> Security and Users
--> Local Security, and run through the wizard. Towards the end there
is a page titled "Miscellaneous Settings". One of the entries on this
page is "File Permissions". It defaults to Easy. You would likely
need to change this to secure or paranoid, click on Finish, and then
re-run the wizard, but this time select easy. If you leave it set on
paranoid, your system will be unusable as a workstation. Making the
change twice will clearly tell the system to run the chkstat program
and change the file ownership and modes (including suid and guid).
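
The chown behaviour discussed in this thread can be observed without root. The script below is an added example, not part of the original message; it assumes Linux with GNU coreutils (`stat -c`, `mktemp`), and the function name `mode_after_chown` is made up for the illustration.

```shell
#!/bin/sh
# Added example: observe what chown(2) does to the setuid/setgid bits.
# Assumptions: Linux kernel, GNU coreutils. Only scratch files owned by
# the caller are created and removed; no root access is needed.

# mode_after_chown MODE [dir]
# Create a scratch file (or directory), give it MODE, chown it to the
# caller's own uid:gid, and print the resulting octal mode.
mode_after_chown() {
    mode=$1
    kind=${2:-file}
    if [ "$kind" = dir ]; then
        t=$(mktemp -d) || return 1
    else
        t=$(mktemp) || return 1
    fi
    chmod "$mode" "$t" || { rm -rf "$t"; return 1; }
    # The owner does not actually change here; the kernel applies its
    # bit-stripping rule to the chown call itself.
    chown "$(id -u):$(id -g)" "$t" || { rm -rf "$t"; return 1; }
    stat -c %a "$t"
    rm -rf "$t"
}

# Constructed cases:
#   6755 file: setuid and setgid executable, both bits are dropped
#   2644 file: setgid without group-execute is kept by Linux
#   2755 dir : setgid on a directory (group inheritance) is kept
printf '%-26s %s -> %s\n' "setuid+setgid executable" 6755 "$(mode_after_chown 6755)"
printf '%-26s %s -> %s\n' "setgid, no group-exec" 2644 "$(mode_after_chown 2644)"
printf '%-26s %s -> %s\n' "setgid directory" 2755 "$(mode_after_chown 2755 dir)"
```

Because the bits are dropped by the kernel on the chown call, a restore step such as the chkstat run described in the message is what puts them back on system binaries.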