On Wed Jul 23, 2003 at 01:26:27PM -0700, David Guntner wrote:

> Glad to see you're still on the list, Vincent. :-)

Someone has to make sure you guys behave.. =)

> > > I hope someone from Mandrake is still reading this list.  I got the 
> > > advisory for the new kernel in my mail, and installed the new kernel.  
> > > Since then, any number of processes which used to write files that were 
> > > writable only by themselves (leafnode as user news, mailman as user mail 
> > > and so on) are now writing their files in a world readable setting.  My 
> > > security logs this morning started reporting files in /var/spool/news, 
> > > /var/lock/subsys, /var/run, /var/lib/mailman/lists and so on as being 
> > > writable.  Checking those directories, I find sure enough that everything 
> > > is -rw-rw-rw-  --  clearly, this is not acceptable!  Can someone please 
> > > look into this and fix it and issue a new kernel?  This needs to not 
> > > continue to happen.  When I su to the user IDs in question and do a umask 
> > > command, I see 0022 like it should be - so I can't see any reason why this 
> > > should be happening.
> > 
> > We've not seen this at all during testing.  Which kernel did you install?
> > secure, up, smp, etc...  uname -a would be good.
> 
> uname -a won't be of any help now, because I've reverted back to the prior 
> kernel (2.4.21-0.18mdk).  Not smp, secure or anything else.  Just kernel-
> 2.4.21-0.18mdk.  Same for the new version, which is 2.4.21-0.24mdk, which 
> was installed from kernel-2.4.21.0.24mdk-1-1mdk.i586.rpm.

Ok.  So normal kernel.

> > That is really really weird.
> > 
> > Just ran msec here and it just shows me that my initrd is world-writable so
> > I don't think your problem is due to the kernel.
> 
> The initrd file never *used* to be world-writable....  Not until this 
> release of the kernel, anyway.  Personally, I would consider that a bad 
> sign.

Agreed.  I'm really not sure why the initrd's are written world writeable.

> > cc'ing this to Juan just so he can check as well.
> 
> Me, too, so that he can see the followup.

Ok.  Did a little playing here, using /var/lock/subsys/* as my determination
point.

kernel: everything world writeable
kernel-secure: normal perms (most everything world readable except syslog
IIRC)
kernel-enterprise: normal perms

This leads me to believe there is something wrong with the regular kernel.
I also have reiserfs for my / partition, so possibly it has something to do
with reiserfs, I'm not sure.  Checked my vmware test install and it has
reiserfs as well, so that isn't conclusive.

Ok, just checked my 9.1/PPC machine with ext2 as the / and it has the same
issue.

There is definitely something wrong with the up (normal) kernel.

I'm going to fire off an email on the announce mailing list indicating to
people to either back out of 24mdk or use the enterprise/secure kernels (if
someone is using a smp kernel, can you please tell me if you get the same
behaviour?).

Juan will have to look at this first thing tomorrow so we can hopefully get
a fixed up kernel out ASAP.

On a side note, I don't see your msec issue here at all, even with the up
kernel so I'm really not sure if that is a kernel problem or not.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
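
The check described in this thread (umask reads 0022, yet new files come out -rw-rw-rw-), as an added example that is not part of the original message or any Mandrake tool. The function names are hypothetical; the directories in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit for the symptom reported in this thread.
# Function names are hypothetical; nothing here is msec's own code.

# Print every regular file under the given directories that has the
# "other write" bit set (e.g. -rw-rw-rw-). Missing directories are skipped.
world_writable_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -0002 -print 2>/dev/null
    done
}

# Create a file under umask 022 in a private scratch directory and report
# whether the mask was applied. Returns 0 if the new file is not
# world-writable, 1 if the mask was ignored (the symptom in the thread),
# 2 if the scratch directory could not be created.
umask_honoured() {
    scratch=$(mktemp -d) || return 2
    (
        umask 022
        : > "$scratch/probe"
    )
    hits=$(find "$scratch" -type f -perm -0002 -print)
    rm -rf "$scratch"
    [ -z "$hits" ]
}

# Run both checks; return 1 if either one finds a problem.
audit() {
    status=0
    if ! umask_honoured; then
        echo "WARN: file created under umask 022 is world-writable"
        status=1
    fi
    found=$(world_writable_files "$@")
    if [ -n "$found" ]; then
        echo "WARN: world-writable files:"
        echo "$found"
        status=1
    fi
    return $status
}

# Runs only when directories are passed, e.g.:
#   sh audit.sh /var/lock/subsys /var/run /var/spool/news /var/lib/mailman/lists
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Running the probe once per installed kernel separates files that were already world-writable from files the running kernel is creating that way.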
