Re: [Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Luc Roseberry

On Mon 11/03/2002 at 09:16, Stephane Gourichon wrote:
> The new msec package fiddles quite a lot with file permissions, and
> assumes for certain things that are common but not guaranteed.
>
> For example:
>
> *it assumes that every entry in /home is always the homedir of a user.
> While this is true in a vanilla lonely Mandrake system freshly installed
> from scratch, it is wrong in many places.
 
True.

On one of my servers I keep the home directories of users that are no
longer among the users defined in /etc/passwd. So, a bad assumption:
not all directories in /home are home directories of valid users.


-- 
Luc Roseberry
Consultant Tivoli certifié / Certified Tivoli Consultant
Facilité Informatique Canada 





[Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Stephane Gourichon

Beware of excessive assumptions in programs.
Remember that the Ariane 501 rocket exploded because programmers assumed
certain circumstances without first verifying that they were true...

The new msec package fiddles quite a lot with file permissions, and
assumes for certain things that are common but not guaranteed.

For example:

*it assumes that every entry in /home is always the homedir of a user.
While this is true in a vanilla lonely Mandrake system freshly installed
from scratch, it is wrong in many places. When the station is a node in
a cluster of machines sharing users, user directories are often mounted from
other places, like /home/teamname/username.

*also, msec fiddles with the kdm display of user icons. kfm offers at
least: none, selected, or all. msec forces it to all or none.
In our case, each station belongs to a team and displays about 10 users, not the
100+ users of the whole lab!

Networked pools of machines are the traditional setup for Unix systems.
Please be careful, while trying to extend Linux on the home market, not
to lose the original niche.


... and it looks like msec quite often comes back to force changes
against the system administrator's will.  This has the potential of
getting many system administrators upset.

*** Solution (well, idea at least)
There could be some interface à la kudzu that spots each change:

msec has noticed that the permission of /home/team/ was changed from
711/drwx--x--x to 755/drwxr-xr-x.

What should msec do?
* change it back to 711/drwx--x--x
* let 755/drwxr-xr-x be the new normal value to enforce
* from now on, don't check /home/team/ permissions again

Remember this situation and do not ask again [y/N]: _

My two euro-cents for today.

-- 
Stéphane Gourichon - Labo. d'Informatique de Paris 6 - AnimatLab
http://animatlab.lip6.fr - philo du dimanche http://amphi-gouri.org/

Hello, I am only a sentence in quotation marks inside a signature,
but if you copy me into your automatic e-mail signature,
then I will be able to keep reproducing like a virus. Thank you!





Re: [Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Garrick Staples

On Mon, Mar 11, 2002 at 03:16:33PM +0100, Stephane Gourichon alleged:
> *also, msec fiddles with the kdm display of user icons. kfm offers at
> least: none, selected, or all. msec forces it to all or none.
> In our case, each station belongs to a team and displays about 10 users, not the
> 100+ users of the whole lab!

This is also fun with a 60,000 user NIS passwd map.  Thx msec for
constantly reverting my settings =P




Re: [Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Buchan Milne


[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

> On Mon, Mar 11, 2002 at 03:16:33PM +0100, Stephane Gourichon alleged:
> > *also, msec fiddles with the kdm display of user icons. kfm offers at
> > least: none, selected, or all. msec forces it to all or none.
> > In our case, each station belongs to a team and displays about 10 users, not the
> > 100+ users of the whole lab!
> This is also fun with a 60,000 user NIS passwd map.  Thx msec for
> constantly reverting my settings =P


Well, this can be fixed, although it would be nice for msec not to enforce the user
list (ok, so we only have 100 users in LDAP):

Put the attached file in /etc/security/msec

Also, see man mseclib (I think, running 8.1 ..)

This is now part of our standard configuration rpm (for lack of a better method of
config at this stage) ...

Buchan




Attachment: level.local (binary data)


Re: [Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Ben Reser

On Mon, Mar 11, 2002 at 03:16:33PM +0100, Stephane Gourichon wrote:
> *it assumes that every entry in /home is always the homedir of a user.
> While this is true in a vanilla lonely Mandrake system freshly installed
> from scratch, it is wrong in many places. When the station is a node in
> a cluster of machines sharing users, user directories are often mounted from
> other places, like /home/teamname/username.

While this is probably too late for 8.2, why don't we make msec do the
following: use getpwent to enumerate the passwd file and enforce
permissions on home directories? And something similar for NIS and LDAP
users (I'm not sure if getpwent() returns these users)?

This prevents hosing people's setups but still achieves the security
protections that msec is trying to achieve.

-- 
Ben Reser [EMAIL PROTECTED]
http://ben.reser.org

What difference does it make to the dead, the orphans, and the homeless,
whether the mad destruction is wrought under the name of totalitarianism
or the holy name of liberty and democracy? - Gandhi




Re: [Cooker] msec: excessive assumptions in networked environment, and solution

2002-03-11 Thread Bryan Paxton

On Mon, 2002-03-11 at 22:45, Ben Reser wrote:
>
> While this is probably too late for 8.2, why don't we make msec do the
> following: use getpwent to enumerate the passwd file and enforce
> permissions on home directories? And something similar for NIS and LDAP
> users (I'm not sure if getpwent() returns these users)?
>
> This prevents hosing people's setups but still achieves the security
> protections that msec is trying to achieve.
>

I tried to stay out of this, since I have my own little tidbits with
msec and its course of development, but like you said, it is rather
late for any changes like that.

Anyway, getpwent() surely does...
Example in C:

#define _GNU_SOURCE          /* clearenv() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <sys/stat.h>

char _dest[80];
struct passwd *_home;
struct stat _dest_stat;      /* declared but not used in this snippet */
struct stat _bin_stat;       /* declared but not used in this snippet */
int
main(void)
{
    clearenv();
    setenv("PATH", "/bin:/usr/bin:/usr/local/bin", 1);
    setenv("IFS", " \t\n", 1);
    _home = getpwent();                  /* first entry of the passwd database */
    if (_home == NULL)
        exit(1);
    strncat(_dest, _home->pw_dir, 30);   /* _dest is a zeroed global, so it starts empty */
    printf("You live in %s\n", _dest);
    endpwent();
    exit(0);
}

Just have it loop (for i...) and pull a chmod() on i
 
> What difference does it make to the dead, the orphans, and the homeless,
> whether the mad destruction is wrought under the name of totalitarianism
> or the holy name of liberty and democracy? - Gandhi
 

Great quote : )

-- 
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg

Now, smell the rain of london, it still insists...
That we bed for our purity.
As if we are pure in the rain of our contentment!
As if I can think of this no more!
-- Jeff Buckley
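An added example (my own code, not msec's and not from anyone in this thread) of the approach Ben proposes and Bryan's snippet sketches: enumerate accounts with getpwent(3), which on glibc goes through NSS and so also yields NIS/LDAP users, and tighten only each account's own pw_dir, so /home/teamname and the directories of departed users are never touched. Assumed: MIN_UID 500 as the first ordinary-user uid, 0711 as the target mode, and a dry-run flag; the directory is opened with O_NOFOLLOW and ownership is verified on the open fd before fchmod.

```c
#define _GNU_SOURCE              /* O_DIRECTORY / O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define MIN_UID   500   /* assumption: first ordinary-user uid on that release */
#define WANT_MODE 0711  /* the restrictive home mode quoted in the thread */

/* Never loosen: keep only bits set now AND allowed by WANT_MODE (0755 -> 0711, 0700 stays 0700). */
mode_t tighten_mode(mode_t cur)
{
    return cur & 07777 & WANT_MODE;
}

/* Only passwd-database accounts qualify (local file, NIS, LDAP via NSS); lower uids are system accounts. */
int is_user_account(const struct passwd *pw)
{
    return pw->pw_uid >= (uid_t)MIN_UID && pw->pw_dir && pw->pw_dir[0] == '/';
}

/* Walk getpwent(3) and tighten each real home directory; entries under /home that are
 * nobody's pw_dir (team dirs, NFS mounts, ex-users) are never visited.  Returns the
 * number of directories changed (or, with dry_run, that would be changed). */
int enforce_homes(int dry_run)
{
    struct passwd *pw; struct stat st; int changed = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        if (!is_user_account(pw))
            continue;
        /* Open the dir itself (no symlinks); owner is checked on the open fd, not the path. */
        int fd = open(pw->pw_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (fd < 0)
            continue;                          /* absent or not a directory */
        if (fstat(fd, &st) == 0 && st.st_uid == pw->pw_uid) {
            mode_t want = tighten_mode(st.st_mode);
            if (want != (st.st_mode & 07777)) {
                printf("%s %s: %04o -> %04o\n", dry_run ? "would set" : "set",
                       pw->pw_dir, (unsigned)(st.st_mode & 07777), (unsigned)want);
                if (dry_run || fchmod(fd, want) == 0)
                    changed++;
            }
        }
        close(fd);
    }
    endpwent();
    return changed;
}
```

Call enforce_homes(1) first to see what would change; the kudzu-style "remember this decision" prompt from the original post would sit between the printf and the fchmod.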