ACLs don't work with SUIDDIR
Hi all,

I'm using FreeBSD 6.2-RELEASE, with suiddir set as an option in the kernel config and in fstab (+ ACL support). My goal is to have a directory (precisely an SVN repo) writable by X specific users, where all created/modified files remain owned by svn. I know that's not the only way to do it, but I have reasons to do it this way and not differently.

I tried the following:

drwx-- 7 svn users 512 21 Mär 17:30 braintrust
= user thomas CAN'T write in braintrust

setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx braintrust/
drwx-- 7 svn users 512 21 Mär 17:31 braintrust
= user thomas CAN'T write in braintrust, but he gets a default ACL that will apply to all files created in braintrust

setfacl -m u:thomas:rwx braintrust/
drwxrwx---+ 7 svn users 512 21 Mär 17:34 braintrust
= user thomas CAN write in braintrust, and all files created in braintrust get the default ACL

chmod +s braintrust/
drwsrws---+ 7 svn users 512 21 Mär 17:35 braintrust
= braintrust gets the suid bit/sgid bit, and all files created by thomas in braintrust should be owned by svn|users

BUT: after +s, user thomas CAN'T write anymore in braintrust; the error is not "Permission denied" but "Operation not permitted". However, he can read the directory content. If I do the same with a directory that hasn't ACLs, it works as expected...

If I understand the manpages correctly, this isn't the correct behavior, but a bug. Can this be fixed? If I misunderstand something, thanks for correcting me.

-- 
Cédric Jonas [EMAIL PROTECTED]
GPG ID: 30CCFE8D
GPG Key: http://box.decemplex.net/~cedric/cedric.key.asc
GPG Fingerprint: CF03 E1FD 9428 1B6B E971 B107 9044 AA99 30CC FE8D
Jabber-ID: [EMAIL PROTECTED]
Re: Shared object libintl.so.6 not found
On Mon, 19 Mar 2007 18:15:06 -0400 Brian A. Seklecki [EMAIL PROTECTED] wrote:

> Reinstall gettext from ports as root. Rebuild your shells that are linked against it. Like, ldd /usr/local/bin/bash and see if it's looking for an old version. Maybe a temporary symlink for now?
>
> ~BAS
>
> On Mon, 2007-03-19 at 18:04 -0400, Gerard Seibert wrote:
>
> > FreeBSD-6.2
> >
> > After booting up my system, I receive an error message:
> >
> > Shared object libintl.so.6 not found
> >
> > This file should be in /usr/local/lib, but it isn't. I have no idea why. I can now only log in as root. Since I am not sure where this file even came from, I don't know how to replace it. I assume I don't have to reinstall the OS (I hope), so where do I go from here?
> >
> > Thanks!

I think there should be an entry in UPDATING: portmaster -r gettext will help...

-- 
Cédric Jonas [EMAIL PROTECTED]
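Brian's advice above is to run ldd on each affected binary and look for the object it can no longer resolve. The script below is an added example, not code from this thread or from FreeBSD: it walks a directory, runs ldd(1) on every regular file and prints each "not found" reference, so you know which programs actually depend on the missing libintl.so.6 before rebuilding with portmaster. The directory arguments and the file paths it prints are whatever you pass in; nothing here is taken from a real host.

```shell
#!/bin/sh
# Added example, not from this thread: list every dynamically linked file
# under a directory that refers to a shared object the runtime linker cannot
# resolve, as ldd(1) reports it ("libintl.so.6 => not found"). Running this
# over /usr/local/bin and /usr/local/sbin before "portmaster -r gettext"
# shows exactly which binaries depend on the missing library.

# missing_libs FILE -> prints "FILE: OBJECT" for every unresolved object.
# Non-ELF files make ldd complain on stderr, which is discarded; only the
# "not found" lines of real dynamic executables survive the awk filter.
missing_libs() {
    ldd "$1" 2>/dev/null | awk -v f="$1" '/not found/ { print f ": " $1 }'
}

# scan_missing DIR -> missing_libs over every regular file below DIR.
scan_missing() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        missing_libs "$f"
    done
}

# count_missing DIR -> number of unresolved references below DIR.
count_missing() {
    scan_missing "$1" | wc -l | tr -d ' '
}

# Usage: scan the directories the ports tree installs into, e.g.
#   sh scan.sh /usr/local/bin /usr/local/sbin
if [ "$#" -gt 0 ]; then
    for d in "$@"; do scan_missing "$d"; done
fi
```

A symlink to a different libintl major version only hides the breakage; the list this produces is the set of binaries to rebuild (portmaster -r gettext does that for the whole dependency tree), after which the scan should come back empty.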
Re: sshd: PAM + key authentication
On Sun, 04 Mar 2007 16:39:29 + Tom Judge [EMAIL PROTECTED] wrote:

> Cédric Jonas wrote:
>
> > Hi all,
> >
> > I set up some sshd servers which authenticate their users through an LDAP DB. To realize this, I used PAM. Everything OK until now.
> >
> > Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only allowed logon on specific hosts for some users. After that, I tested this last functionality: I tried to log in on a disallowed host, and it fails, so it works as expected. For this test, I used password authentication.
> >
> > Later, I tried the same test with key authentication, and could log in... After some more investigation, it seems sshd ignores PAM when someone tries to log in with a key... Is there some way to force sshd to consider PAM in case of key authentication?
> >
> > Thank you,
>
> There are some patches available for sshd that allow you to control both the SSH keys using an LDAP database and which users can log on to the ssh server (using both password/key based authentication I believe [I have never personally tested with password auth as our servers are set to key based auth only]). I can send patches against 6.1/6.2 if required.
>
> Tom

Thank you, but I just found the problem: I used pam_filter to exclude some users from specific hosts, but this option is only verified in the auth chain, which isn't used with key auth (that seems clear, since there isn't a password to be validated). So I tried pam_check_host_attr, which is verified in the account chain, which is also used when I try to log in with a key :-)

BTW: I saw that pam_unix doesn't implement anything for pam_sm_acct_mgmt except a return PAM_SUCCESS. But the manpage (pam_unix(8)) says: "The function verifies that the authenticated user is allowed to login to the local user account by checking the password expiry date." I think it would be better to correct the entire manpage, since the only function which implements something is pam_sm_authenticate. If there are users who rely on the manpage without testing their configuration, they could get some surprises :-)

-- 
Cédric Jonas [EMAIL PROTECTED]
sshd: PAM + key authentication
Hi all,

I set up some sshd servers which authenticate their users through an LDAP DB. To realize this, I used PAM. Everything OK until now.

Then, via PAM (pam_filter) and the host attribute in the LDAP DB, I only allowed logon on specific hosts for some users. After that, I tested this last functionality: I tried to log in on a disallowed host, and it fails, so it works as expected. For this test, I used password authentication.

Later, I tried the same test with key authentication, and could log in... After some more investigation, it seems sshd ignores PAM when someone tries to log in with a key... Is there some way to force sshd to consider PAM in case of key authentication?

Thank you,

-- 
Cédric Jonas [EMAIL PROTECTED]
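The point of this question and of the reply above it is that public-key authentication never runs the PAM auth chain, so a host restriction expressed only through pam_filter is silently bypassed; the account chain (pam_check_host_attr) is the one sshd still consults for key logins, and only when UsePAM is enabled. The script below is an added example, not code from this thread or from FreeBSD: a small lint that checks an sshd_config, a pam.d/sshd and a pam_ldap ldap.conf for exactly that misconfiguration. It assumes the PADL pam_ldap module with its ldap.conf options pam_filter and pam_check_host_attr; the "before" and "after" sample files are constructed for the demo, including the hostname and base DN.

```shell
#!/bin/sh
# Added example, not from this thread: a check for the mistake discussed
# above, where the per-host restriction lives only in the PAM auth chain and
# is therefore skipped by public-key logins. Assumes the PADL pam_ldap module
# and its ldap.conf options pam_filter / pam_check_host_attr; the sample
# files below are constructed for the demo, not taken from a real host.

# check_pam_sshd PAMFILE LDAPCONF SSHDCONF
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_pam_sshd() {
    pamfile=$1
    ldapconf=$2
    sshdconf=$3
    rc=0
    # Without UsePAM, sshd never runs the PAM account chain for key logins.
    if ! grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshdconf"; then
        echo "sshd_config: UsePAM is not 'yes'; the PAM account chain never runs"
        rc=1
    fi
    # The auth chain is skipped for key auth, so pam_ldap must sit in account.
    if ! grep -Eq '^[[:space:]]*account[[:space:]].*pam_ldap\.so' "$pamfile"; then
        echo "pam.d/sshd: pam_ldap.so is missing from the account chain"
        rc=1
    fi
    # pam_filter is only honoured during authentication; a host restriction
    # that must also cover key logins needs pam_check_host_attr (account mgmt).
    if grep -Eq '^[[:space:]]*pam_filter[[:space:]]' "$ldapconf" \
       && ! grep -Eiq '^[[:space:]]*pam_check_host_attr[[:space:]]+yes' "$ldapconf"; then
        echo "ldap.conf: pam_filter is set but pam_check_host_attr is not; key logins bypass the host restriction"
        rc=1
    fi
    return $rc
}

demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
UsePAM yes
PubkeyAuthentication yes
EOF
# Constructed "before": host filtering only in the auth chain.
cat > "$demo/pam_before" <<'EOF'
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth     required    pam_unix.so                 no_warn try_first_pass
account  required    pam_login_access.so
account  required    pam_unix.so
session  required    pam_permit.so
EOF
cat > "$demo/ldap_before" <<'EOF'
host ldap.example.org
base dc=example,dc=org
pam_filter host=svnhost
EOF
# Constructed "after": pam_ldap in the account chain, host attribute checked there.
cat > "$demo/pam_after" <<'EOF'
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth     required    pam_unix.so                 no_warn try_first_pass
account  required    pam_login_access.so
account  required    /usr/local/lib/pam_ldap.so
account  required    pam_unix.so
session  required    pam_permit.so
EOF
cat > "$demo/ldap_after" <<'EOF'
host ldap.example.org
base dc=example,dc=org
pam_check_host_attr yes
EOF

echo "--- before ---"
check_pam_sshd "$demo/pam_before" "$demo/ldap_before" "$demo/sshd_config" || true
echo "--- after ---"
check_pam_sshd "$demo/pam_after" "$demo/ldap_after" "$demo/sshd_config" && echo "no findings"
```

The "before" files produce two findings (no pam_ldap in the account chain, pam_filter without pam_check_host_attr); the "after" files produce none. Whatever the check says, the thread's own lesson stands: test the restriction with a key login, not only with a password, because that is the path the auth chain never sees.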