Re: [expert] kdm wierdness in 8.2
On Sunday 07 April 2002 09:49 am, Ric Tibbetts wrote:
> On Sat, 2002-04-06 at 06:47, Thomas Gamble wrote:
> > On Friday 05 April 2002 11:28 pm, Damian wrote:
> > > El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribió:
> > > > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote:
> > > > > Since upgrading to 8.2 I have noticed that changes to the login
> > > > > manager don't stick. In particular, changing 'Show Users' to
> > > > > 'None'. After a couple of login cycles this reverts back to 'All
> > > > > but no show'. I've seen this same bahavior on three separate
> > > > > installations of MDK8.2 all clean installs. It seems as though a
> > > > > script is running somewhere that regenerates the
> > > > > /usr/share/config/kdm/kdmrc file, but I've been unsuccessful in
> > > > > finding anything. Editing this file directly has the same result.
> > > > > Has anyone else had this problem, and have you found a solution?
> > > >
> > > > It's not just kdm. I'm having exactly the same problem with gdm. I
> > > > thought it was just me.
> > > >
> > > > Anyone have a fix yet? Or at least a cause?
> > > >
> > > > Thanks!
> > > >
> > > > Ric
> > >
> > > possible cause: security level? just wondering...
> >
> > It turns out this is exactly the cause.
> >
> > In particular, it is related to the msec script that gets run from both
> > /etc/cron.daily and /etc/cron.hourly. This script is a link to
> > /usr/share/msec/security.sh which calls /usr/share/msec/msec.py. msec.py
> > tests for security levels and makes corrections to certain system setting
> > based on the current level setting.
> >
> > The following code snippet from /usr/share/msec/msec.py appears to be the
> > offender:
> >
> > if level >= 4:
> > set_user_umask('077')
> > set_shell_history_size(10)
> > allow_root_login(0)
> > enable_sulogin(1)
> > allow_user_list(0)
> > enable_promisc_check(1)
> > accept_icmp_echo(0)
> > accept_bogus_error_responses(0)
> > allow_reboot(0)
> > enable_at_crontab(0)
> > if level == 4:
> > password_aging(60, 30)
> > else:
> > password_aging(30, 15)
> > else:
> > set_user_umask('022')
> > set_shell_history_size(-1)
> > allow_root_login(1)
> > enable_sulogin(0)
> > allow_user_list(1)
> > enable_promisc_check(0)
> > accept_icmp_echo(1)
> > accept_bogus_error_responses(1)
> > allow_reboot(1)
> > enable_at_crontab(1)
> > password_aging(9)
> >
> > The call to 'allow_user_lists(1)' in the 'else' portion is the problem.
> > This has the result of forcing the 'ShowUsers' setting in kdmrc to 'All'.
> > Commenting this line out fixes the problem and still allows higher
> > security level settings to force 'ShowUsers' to 'None'. This script also
> > affects similar settings in gdm (I believe it's the 'Browser' setting)and
> > this change should fix that as well.
>
> Worked like a charm. Thanks!
>
> I found that alternate to commenting out the "allow_user_list(1)" entry,
> simply changing the value to (0) worked as well.
>
> Thanks again, for solving an annoying problem!
>
> Ric
No worries. Commenting the line out restores control to the KDM and GDM
configuration dialogs for the lower security levels, while changing the value
from 1 to 0 forces that setting regarless of what you do in the configuration
dialogs. But, the end result is the important part as long as you know where
the changes are being made.
Cheers
--
Thomas K. Gamble
[EMAIL PROTECTED]
Whoso loveth instruction loveth knowledge,
but he that hateth reproof is brutish.
(Proverbs 12:1)
Current Linux kernel 2.4.18-6mdksmp, Uptime: minutes.
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [expert] kdm wierdness in 8.2
On Sat, 2002-04-06 at 06:47, Thomas Gamble wrote:
> On Friday 05 April 2002 11:28 pm, Damian wrote:
> > El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribió:
> > > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote:
> > > > Since upgrading to 8.2 I have noticed that changes to the login manager
> > > > don't stick. In particular, changing 'Show Users' to 'None'. After a
> > > > couple of login cycles this reverts back to 'All but no show'. I've
> > > > seen this same bahavior on three separate installations of MDK8.2 all
> > > > clean installs. It seems as though a script is running somewhere that
> > > > regenerates the /usr/share/config/kdm/kdmrc file, but I've been
> > > > unsuccessful in finding anything. Editing this file directly has the
> > > > same result. Has anyone else had this problem, and have you found a
> > > > solution?
> > >
> > > It's not just kdm. I'm having exactly the same problem with gdm. I
> > > thought it was just me.
> > >
> > > Anyone have a fix yet? Or at least a cause?
> > >
> > > Thanks!
> > >
> > > Ric
> >
> > possible cause: security level? just wondering...
>
> It turns out this is exactly the cause.
>
> In particular, it is related to the msec script that gets run from both
> /etc/cron.daily and /etc/cron.hourly. This script is a link to
> /usr/share/msec/security.sh which calls /usr/share/msec/msec.py. msec.py
> tests for security levels and makes corrections to certain system setting
> based on the current level setting.
>
> The following code snippet from /usr/share/msec/msec.py appears to be the
> offender:
>
> if level >= 4:
> set_user_umask('077')
> set_shell_history_size(10)
> allow_root_login(0)
> enable_sulogin(1)
> allow_user_list(0)
> enable_promisc_check(1)
> accept_icmp_echo(0)
> accept_bogus_error_responses(0)
> allow_reboot(0)
> enable_at_crontab(0)
> if level == 4:
> password_aging(60, 30)
> else:
> password_aging(30, 15)
> else:
> set_user_umask('022')
> set_shell_history_size(-1)
> allow_root_login(1)
> enable_sulogin(0)
> allow_user_list(1)
> enable_promisc_check(0)
> accept_icmp_echo(1)
> accept_bogus_error_responses(1)
> allow_reboot(1)
> enable_at_crontab(1)
> password_aging(9)
>
> The call to 'allow_user_lists(1)' in the 'else' portion is the problem. This
> has the result of forcing the 'ShowUsers' setting in kdmrc to 'All'.
> Commenting this line out fixes the problem and still allows higher
> security level settings to force 'ShowUsers' to 'None'. This script also
> affects similar settings in gdm (I believe it's the 'Browser' setting)and
> this change should fix that as well.
Worked like a charm. Thanks!
I found that alternate to commenting out the "allow_user_list(1)" entry,
simply changing the value to (0) worked as well.
Thanks again, for solving an annoying problem!
Ric
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [expert] kdm wierdness in 8.2
On Saturday 06 April 2002 10:47, you wrote:
> On Friday 05 April 2002 11:28 pm, Damian wrote:
> > El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribió:
> > > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote:
> > > > Since upgrading to 8.2 I have noticed that changes to the login
> > > > manager don't stick. In particular, changing 'Show Users' to 'None'.
> > > > After a couple of login cycles this reverts back to 'All but no
> > > > show'. I've seen this same bahavior on three separate installations
> > > > of MDK8.2 all clean installs. It seems as though a script is running
> > > > somewhere that regenerates the /usr/share/config/kdm/kdmrc file, but
> > > > I've been unsuccessful in finding anything. Editing this file
> > > > directly has the same result. Has anyone else had this problem, and
> > > > have you found a solution?
> > >
> > > It's not just kdm. I'm having exactly the same problem with gdm. I
> > > thought it was just me.
> > >
> > > Anyone have a fix yet? Or at least a cause?
> > >
> > > Thanks!
> > >
> > > Ric
> >
> > possible cause: security level? just wondering...
>
> It turns out this is exactly the cause.
>
> In particular, it is related to the msec script that gets run from both
> /etc/cron.daily and /etc/cron.hourly. This script is a link to
> /usr/share/msec/security.sh which calls /usr/share/msec/msec.py. msec.py
> tests for security levels and makes corrections to certain system setting
> based on the current level setting.
>
> The following code snippet from /usr/share/msec/msec.py appears to be the
> offender:
>
> if level >= 4:
> set_user_umask('077')
> set_shell_history_size(10)
> allow_root_login(0)
> enable_sulogin(1)
> allow_user_list(0)
> enable_promisc_check(1)
> accept_icmp_echo(0)
> accept_bogus_error_responses(0)
> allow_reboot(0)
> enable_at_crontab(0)
> if level == 4:
> password_aging(60, 30)
> else:
> password_aging(30, 15)
> else:
> set_user_umask('022')
> set_shell_history_size(-1)
> allow_root_login(1)
> enable_sulogin(0)
> allow_user_list(1)
> enable_promisc_check(0)
> accept_icmp_echo(1)
> accept_bogus_error_responses(1)
> allow_reboot(1)
> enable_at_crontab(1)
> password_aging(9)
>
> The call to 'allow_user_lists(1)' in the 'else' portion is the problem.
> This has the result of forcing the 'ShowUsers' setting in kdmrc to 'All'.
> Commenting this line out fixes the problem and still allows higher security
> level settings to force 'ShowUsers' to 'None'. This script also affects
> similar settings in gdm (I believe it's the 'Browser' setting)and this
> change should fix that as well.
The reccommended way to change these default security settings is to add the
appropriate entries to the file /etc/security/msec/level.local (create it if
necessary) . In this case just add the line "allow_user_list(0)" (without
quotes).
There is an excellent article on this at :
http://www.mandrakesecure.net/en/docs/msec.php
Also enter "man mseclib" in a terminal, or man:/mseclib in your browser for a
list of settings that can be manually configured.
Hope this helps,
--
Tim C
[EMAIL PROTECTED]
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [expert] kdm wierdness in 8.2
On Friday 05 April 2002 11:28 pm, Damian wrote:
> El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribió:
> > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote:
> > > Since upgrading to 8.2 I have noticed that changes to the login manager
> > > don't stick. In particular, changing 'Show Users' to 'None'. After a
> > > couple of login cycles this reverts back to 'All but no show'. I've
> > > seen this same bahavior on three separate installations of MDK8.2 all
> > > clean installs. It seems as though a script is running somewhere that
> > > regenerates the /usr/share/config/kdm/kdmrc file, but I've been
> > > unsuccessful in finding anything. Editing this file directly has the
> > > same result. Has anyone else had this problem, and have you found a
> > > solution?
> >
> > It's not just kdm. I'm having exactly the same problem with gdm. I
> > thought it was just me.
> >
> > Anyone have a fix yet? Or at least a cause?
> >
> > Thanks!
> >
> > Ric
>
> possible cause: security level? just wondering...
It turns out this is exactly the cause.
In particular, it is related to the msec script that gets run from both
/etc/cron.daily and /etc/cron.hourly. This script is a link to
/usr/share/msec/security.sh which calls /usr/share/msec/msec.py. msec.py
tests for security levels and makes corrections to certain system setting
based on the current level setting.
The following code snippet from /usr/share/msec/msec.py appears to be the
offender:
if level >= 4:
set_user_umask('077')
set_shell_history_size(10)
allow_root_login(0)
enable_sulogin(1)
allow_user_list(0)
enable_promisc_check(1)
accept_icmp_echo(0)
accept_bogus_error_responses(0)
allow_reboot(0)
enable_at_crontab(0)
if level == 4:
password_aging(60, 30)
else:
password_aging(30, 15)
else:
set_user_umask('022')
set_shell_history_size(-1)
allow_root_login(1)
enable_sulogin(0)
allow_user_list(1)
enable_promisc_check(0)
accept_icmp_echo(1)
accept_bogus_error_responses(1)
allow_reboot(1)
enable_at_crontab(1)
password_aging(9)
The call to 'allow_user_lists(1)' in the 'else' portion is the problem. This
has the result of forcing the 'ShowUsers' setting in kdmrc to 'All'.
Commenting this line out fixes the problem and still allows higher
security level settings to force 'ShowUsers' to 'None'. This script also
affects similar settings in gdm (I believe it's the 'Browser' setting)and
this change should fix that as well.
--
Thomas K. Gamble
[EMAIL PROTECTED]
Whoso loveth instruction loveth knowledge,
but he that hateth reproof is brutish.
(Proverbs 12:1)
Current Linux kernel 2.4.18-6mdksmp, Uptime: minutes.
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [expert] kdm wierdness in 8.2
El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribió: > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote: > > Since upgrading to 8.2 I have noticed that changes to the login manager > > don't stick. In particular, changing 'Show Users' to 'None'. After a > > couple of login cycles this reverts back to 'All but no show'. I've > > seen this same bahavior on three separate installations of MDK8.2 all > > clean installs. It seems as though a script is running somewhere that > > regenerates the /usr/share/config/kdm/kdmrc file, but I've been > > unsuccessful in finding anything. Editing this file directly has the same > > result. Has anyone else had this problem, and have you found a solution? > > > > It's not just kdm. I'm having exactly the same problem with gdm. I > thought it was just me. > > Anyone have a fix yet? Or at least a cause? > > Thanks! > > Ric possible cause: security level? just wondering... try swithcing permissions so no one can modify it.. only read access.. HTH Damian Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] kdm wierdness in 8.2
On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote: > Since upgrading to 8.2 I have noticed that changes to the login manager > don't stick. In particular, changing 'Show Users' to 'None'. After a > couple of login cycles this reverts back to 'All but no show'. I've > seen this same bahavior on three separate installations of MDK8.2 all > clean installs. It seems as though a script is running somewhere that > regenerates the /usr/share/config/kdm/kdmrc file, but I've been > unsuccessful in finding anything. Editing this file directly has the same > result. Has anyone else had this problem, and have you found a solution? > It's not just kdm. I'm having exactly the same problem with gdm. I thought it was just me. Anyone have a fix yet? Or at least a cause? Thanks! Ric Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
