[COLUG] Permissions Problem

Stephen P. Molnar s.molnar at sbcglobal.net
Wed Mar 26 04:01:21 EST 2008


Very interesting.  I want to thank all who contributed.

Rebooting the system solved the problem.

At 09:57 AM 3/24/2008, you wrote:
>On Sun, Mar 23, 2008 at 2:22 PM, Rick Troth <rmt at casita.net> wrote:
> >  I have seen 'chown' reset the set-uid bit on files.
> >  Dunno the origin of this behaviour, but it is annoying.
> >  Also, if you blanketly 'chgrp' to "root" some important group IDs
> >  will be lost.
>
>This is interesting.  If you think about it, however, it is likely a
>security feature.  Suppose a normal user needs the ability to change
>the group and owners of files, but should not be allowed full root
>access.  So you configure sudo to allow the user to run chown and
>chgrp.  However, now the user can copy /bin/bash to his home
>directory, set the SUID bit, and then change ownership to root.  This
>gives the user full root access, UNLESS the chown and chgrp commands
>remove suid and guid bits.
>
>Moving back to Stephen's problem, however, I think the quickest
>solution would be to run (as root) the two commands I mentioned
>earlier:
>"chkstat -set /etc/permissions"  and "chkstat -set /etc/permissions.easy"
>
>SuSE provides several files under /etc/ that can be used to set
>default permissions for files and directories.  /etc/permissions sets
>the permissions for most of the standard directories (if used as an
>argument to the chkstat program).  Then you have the
>/etc/permissions.{easy | secure | paranoid } files.  Each of these sets
>the owner, group and modes for most important files.  They suggest
>permissions.easy for a workstation, permissions.secure for a networked
>server, and permissions.paranoid for a system where you don't trust
>anyone.  The last config file actually removes all suid/guid bits from
>any executable (like passwd, mount, etc.).  But if he runs the
>"chkstat -set /etc/permissions.easy", the system will restore the
>owner and suid/guid bits to those same files.  You can configure the
>system to run the chkstat program on every boot, but I forget the
>details at the moment.  Often installing a new program, causing YaST
>to run SuSE-config, will run it also. One final note:  If you create a
>file "/etc/permissions.local" and make a change to your system that
>might add/remove important files, the chkstat program will be run, and
>any file permissions you put into the .local file will overwrite
>whatever defaults you have selected.
>
>You can also cause the changes by opening YaST --> Security and Users
>--> Local Security, and run through the wizard.  Towards the end there
>is a page titled "Miscellaneous Settings".  One of the entries on this
>page is "File Permissions".  It defaults to Easy.  You would likely
>need to change this to secure or paranoid, click on Finish, and then
>re-run the wizard, but this time select easy.  If you leave it set on
>paranoid, your system will be unusable as a workstation.  Making the
>change twice will clearly tell the system to run the chkstat program
>and change the file ownership and modes (including suid and guid).
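A read-only counterpart to the "chkstat -set" runs described in the quoted message, as an added example that is not part of the original thread and is not SuSE's code: it reports where files deviate from a permissions profile, flagging lost suid/sgid bits separately, and changes nothing. The "path owner:group mode" line layout, the sample entries and the function names are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat

SPECIAL = stat.S_ISUID | stat.S_ISGID

def parse_profile(text):
    """Parse 'path owner:group mode' lines (assumed layout) into tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, ownership, mode = line.split()  # ValueError on malformed lines
        owner, _, group = ownership.partition(":")
        entries.append((path, owner, group, int(mode, 8)))
    return entries

def id_name(lookup, ident):
    """Map a uid/gid to its name, falling back to the number as a string."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(entries):
    """Return (path, kind, expected, actual) per deviation; changes nothing."""
    findings = []
    for path, owner, group, want in entries:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue                          # assumption: absent files are skipped
        have = stat.S_IMODE(st.st_mode)
        actual = f"{id_name(pwd.getpwuid, st.st_uid)}:{id_name(grp.getgrgid, st.st_gid)}"
        if actual != f"{owner}:{group}":
            findings.append((path, "owner", f"{owner}:{group}", actual))
        if want & SPECIAL & ~have:            # an expected suid/sgid bit is missing
            findings.append((path, "lost-suid-sgid", f"{want:04o}", f"{have:04o}"))
        elif want != have:
            findings.append((path, "mode", f"{want:04o}", f"{have:04o}"))
    return findings

if __name__ == "__main__":
    # Constructed sample entries, not copied from a real SuSE permissions file.
    sample = "/usr/bin/passwd root:shadow 4755  # constructed\n/etc/shadow root:shadow 0640\n"
    for finding in audit(parse_profile(sample)):
        print(*finding, sep="\t")
```
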


