On Thu, 2003-10-23 at 08:36, Ralph Crpngeyer wrote:
> Jack, you're right.
> The user.group for the entire jail is root.root; only the file
> permissions are different. Also, looking at /usr/share/msec/perm.5, the
> directory "/opt" is not touched at all. I think that something else must
> have been happening. I wasn't the only one with root access to this
> system, till now. I just ran "msec 5" and all is well.
>
> I think the answer to the question (How do I get msec to skip a dir?) is
> to make sure that it is not listed in the /usr/share/msec/perm.2/3/4/5
> file. In other words, msec only changes "owner.group perms" for the
> dirs listed in the perm.2/3/4/5 file.
>
> Does that sound right?
>

or perm.local. Yeah, that sounds right.

> Thanks for your help.
>
> Ralph
>
> I think the answer to the question (How do I get msec to skip a dir?) is
> to make sure that it is not
>
> Jack Coates wrote:
>
> >On Thu, 2003-10-23 at 07:33, Ralph Crpngeyer wrote:
> >
> >>Hi Jack, Thanks for the info.
> >>
> >>If I:
> >>
> >>edit /etc/security/msec/perm.local
> >>
> >>/opt/is4 owner.group octalperms
> >>/opt/is4/* owner.group octalperms
> >>
> >>then (as per the second line) won't that change the owner.group
> >>octalperms, i.e. (775 for instance), for all of the sub dirs also?
> >>
> >>Remember that each of the dirs below (/opt/is4/) have different
> >>"owner.group and permissions" inside the chroot jail.
> >>
> >>I need to skip this dir, not set/reset the owner.group and octalperms.
> >>
> >
> >uh, then why don't you add lines for each of those directories? IIRC
> >there is a way to make msec ignore a directory, probably something like
> >dots or asterisks, but...
> >
> >>So far the only way I have been able to avoid this is to stop the msec
> >>scripts from running.
> >>
> >
> >Isn't the point of using a chroot to improve your security? If you're
> >going to the trouble of using chroot, wouldn't you like to prevent
> >ownership and permissions changes within the jails? Chroot jails are not
> >playgrounds for the bad guys, they're subsystems that need the same if
> >not higher security restrictions as the rest of the system.
> >
> >>Any other ideas?
> >>
> >
> >I just looked through /usr/share/msec/perm.3, you can put "current" in
> >the user.group area to preserve whatever's there. Dunno about perms.
> >
> >>Thanks
> >>Ralph
> >>
> >>Jack Coates wrote:
> >>
> >>>On Wed, 2003-10-22 at 18:37, Ralph C wrote:
> >>>
> >>>>Hi all,
> >>>>
> >>>>I have Bynari Insight Server installed and it installs everything inside
> >>>>/opt/is4/ directory as a chroot jail, where it runs its own services
> >>>>like Postfix, Apache, Proftpd, etc... msec is changing the permissions.
> >>>>
> >>>>I need to make msec skip this directory and all sub dirs. How do I do this?
> >>>>
> >>>>Ralph
> >>>>
> >>>edit /etc/security/msec/perm.local
> >>>
> >>>/opt/is4 owner.group octalperms
> >>>/opt/is4/* owner.group octalperms
> >>>

--
Jack Coates
Monkeynoodle: A Scientific Venture...

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
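
Added example, not part of the thread or of msec: a shell check for the conclusion reached above. It lists entries in the perm files that name the jail tree, and it snapshots owner.group and mode before and after an msec run so any change inside the jail shows up. The function names and the files under /root are hypothetical; the entry layout is the "path owner.group perms" form quoted in the messages.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# "path owner.group perms" entry layout is the one shown in the messages above.

# perm_entries_under PREFIX FILE...
# Print "file: entry" for each non-comment entry whose path field is PREFIX or
# lies below it. No output means none of the given files names the tree.
# Wildcard entries on a parent directory are not detected here; the snapshot
# comparison below catches their effect.
perm_entries_under() {
    prefix=${1%/}
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        while read -r entry owner perms rest; do
            case $entry in
                ''|'#'*) continue ;;
                "$prefix"|"$prefix"/*)
                    printf '%s: %s %s %s\n' "$f" "$entry" "$owner" "$perms" ;;
            esac
        done < "$f"
    done
}

# snapshot_tree DIR
# One sorted "path owner.group octalmode" line per file under DIR (uses stat -c).
snapshot_tree() {
    find "$1" -exec stat -c '%n %U.%G %a' {} + | LC_ALL=C sort
}

# changed_paths BEFORE AFTER
# Lines present only in AFTER: files whose owner, group or mode changed
# (or that are new) between the two snapshots.
changed_paths() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Typical use as root (the /root/is4.* file names are constructed):
#   perm_entries_under /opt/is4 /usr/share/msec/perm.5 /etc/security/msec/perm.local
#   snapshot_tree /opt/is4 > /root/is4.before
#   msec 5
#   snapshot_tree /opt/is4 > /root/is4.after
#   changed_paths /root/is4.before /root/is4.after
```

An empty result from both `perm_entries_under` and `changed_paths` corresponds to the "all is well" outcome reported in the thread.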