On 7/11/06, Rick Troth [EMAIL PROTECTED] wrote:
Consider what Kris said about the '-i' flag on 'sudo'.
It appears there's no such flag in the sudo that I have with SuSE so I
can't tell.
I believe my approach with coding su for one command is similar in effect?
And even the auditing is as
Hi,
There is a lot of critical stuff in /sbin and /usr/sbin... First, you need
to fully harden the Linux installation. The fewer packages you have, the
better you are protected against vulnerabilities.
I would definitely not let a non-admin user run the whole thing on these
folders...
I'm
Consider letting the user only execute your own hardened scripts
that do not require ANY environment variables - hardcode every
binary path - and do run Tripwire to verify that nobody alters the
critical files on the system. If you do not want to run Tripwire,
just put the scripts and
Rob van der Heij wrote:
On 7/11/06, John Summerfied [EMAIL PROTECTED] wrote:
Does sudo service apache restart work?
Don't see that on my SuSE system. There's rcapache but that is just a
symlink into /etc/init.d/apache so that does not buy anything. But as
I said, even if it were setting the
Rob van der Heij wrote:
On 7/11/06, Rick Troth [EMAIL PROTECTED] wrote:
Consider what Kris said about the '-i' flag on 'sudo'.
It appears there's no such flag in the sudo that I have with SuSE so I
can't tell.
It's fairly new: not in RHEL 4 or Fedora Core 3. I think SUSE 10 has it,
Dominic Coulombe wrote:
The C program is a good idea but :
1) remove the gcc and other build tools after the development !
2) you will still need Tripwire to be sure nobody replaces your binary...
or use a RR dasd.
The SETUID bit is a good idea if you are sure that the binary is not
modified
On 7/11/06, John Summerfied [EMAIL PROTECTED] wrote:
Rob van der Heij wrote:
On RHL derivatives, service is the one true way to run the init.d
scripts. I don't currently have a SUSE system to check for myself, but I
think it does have something.
You just have to run rcapache restart to
On Tuesday 11 July 2006 02:41, Rob van der Heij wrote:
On 7/11/06, Rick Troth [EMAIL PROTECTED] wrote:
Consider what Kris said about the '-i' flag on 'sudo'.
It appears there's no such flag in the sudo that I have with SuSE so I
can't tell.
I like using sudo to control root access for
It seems that option appeared with version 1.6.8. It is available on
SLE[SD] 10.
Mark Post
-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Rob van der Heij
Sent: Tuesday, July 11, 2006 2:42 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: starting apache
Dominic Coulombe wrote:
On 7/11/06, John Summerfied [EMAIL PROTECTED] wrote:
Rob van der Heij wrote:
On RHL derivatives, service is the one true way to run the init.d
scripts. I don't currently have a SUSE system to check for myself, but I
think it does have something.
You just have to
One of my clients has a request that his users not be given root access
but should be allowed to stop/start the httpd process.
Does anyone have any suggestions/documentation on how to do this ?
TIA
--
For
One of my clients has a request that his users not be given root access
but should be allowed to stop/start the httpd process.
Does anyone have any suggestions/documentation on how to do this ?
Use sudo and permit them to run the init script in /etc/init.d. Install the
sudo package and 'man
Hi Alan,
I would use sudo for this purpose.
You can configure this user to execute only selected commands as root. The
user only needs to provide his own password. Every attempt to run unallowed
commands is reported (logged).
You can allow the startup/shutdown script to be run by this user,
Where can I find sudo for s390 ? Is there an RPM somewhere ?
Alan Levy
W: 718-403-8020
C: 347-401-4629
-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
David Boyes
Sent: Monday, July 10, 2006 11:42 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: starting
-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
David Boyes
Sent: Monday, July 10, 2006 11:42 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: starting apache
One of my clients has a request that his users not be given root
access
but should be allowed to stop/start the httpd process
It should be on your distribution media.
Where can I find sudo for s390 ? Is there an RPM somewhere ?
--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO
I found it.
Thanks to all.
Alan Levy
W: 718-403-8020
C: 347-401-4629
-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
David Boyes
Sent: Monday, July 10, 2006 11:52 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: starting apache
It should be on your
On 7/10/06, David Boyes [EMAIL PROTECTED] wrote:
Use sudo and permit them to run the init script in /etc/init.d. Install the
sudo package and 'man sudo'.
Be aware that sudo is only as secure as the command you let them
invoke. When the customer also has write access to some of the
While I have not looked at the apache boot script, with most of them
it does not work because the script was supposed to run as root and
expects the typical root environment (e.g. for the PATH). If you end
up allowing them to do something like sudo sh -c
'/etc/init.d/apache start'
That's
@VM.MARIST.EDU
07/10/2006 01:56 PM
Please respond to Linux on 390 Port LINUX-390@VM.MARIST.EDU
From
Rob van der Heij [EMAIL PROTECTED]
To
LINUX-390@VM.MARIST.EDU
cc
Subject
Re: starting apache
On 7/10/06, David Boyes [EMAIL PROTECTED] wrote:
That's why you allow them only the init script
On 7/10/06, David Boyes [EMAIL PROTECTED] wrote:
That's why you allow them only the init script. The init template
provided with most distributions does not depend on the environment
beyond the basics. If you let them run a shell in any form, then yes,
you will lose.
You made me double check,
Many problems with running scripts like this through sudo can often be solved
by using the -i option to sudo, to force the script to run in a like-login
environment for the user sudo is going to execute as (root in this case).
Kris
On Mon, Jul 10, 2006 at 02:18:13PM -0400, David Boyes
You made me double check, and I found I was indeed right...
I was sure you would...8-)
[EMAIL PROTECTED]:~ sudo /etc/init.d/apache restart
Shutting down httpd/etc/init.d/apache: line 158: killproc: command not
found
failed
Starting httpd [ Mailman PERL PHP4 Python ]/etc/init.d/apache:
Dominic Coulombe wrote:
Hi Alan,
I would use sudo for this purpose.
You can configure this user to execute only selected commands as root. The
user only needs to provide his own password. Every attempt to run unallowed
commands is reported (logged).
You can allow the startup/shutdown script
Rob van der Heij wrote:
On 7/10/06, David Boyes [EMAIL PROTECTED] wrote:
That's why you allow them only the init script. The init template
provided with most distributions does not depend on the environment
beyond the basics. If you let them run a shell in any form, then yes,
you will lose.
On 7/11/06, John Summerfied [EMAIL PROTECTED] wrote:
Does sudo service apache restart work?
Don't see that on my SuSE system. There's rcapache but that is just a
symlink into /etc/init.d/apache so that does not buy anything. But as
I said, even if it were setting the PATH and what else you
I'd argue that these are bugs that should be fixed, not ignored. The
Debian init scripts function properly using sudo because they're
required to. Apparently the SuSE ones still need a little work.
...
David ...
Personally, I try to code for more robust behaviour,
but I cannot fault SuSE
: Starting apache problem
I am installing the beta SuSE SLES. Trying to start apache I get the
following:
cdcl:~ # rcapache start
Starting httpd [ LDAP PERL ]
/usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot
load
shared object file: No such file or directory
, Alpha and SPARC - so it's available for all supported SuSE
architectures except S/390.
Mark Post
-Original Message-
From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 3:50 PM
To: [EMAIL PROTECTED]
Subject: FW: Starting apache problem (re-sent)
Any one out
Now I got your response, only two days later.
Thanks,
Craig
-Original Message-
From: Post, Mark K [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 5:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Starting apache problem
Install mm-1.1.3-35.s390.rpm off CD2.
Mark Post
never get an answer either.
-Original Message-
From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: Starting apache problem
I am installing the beta SuSE SLES. Trying to start apache I get the
following:
cdcl
Install mm-1.1.3-35.s390.rpm off CD2.
Mark Post
-Original Message-
From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: Starting apache problem
I am installing the beta SuSE SLES. Trying to start apache I get
Post, Mark K wrote:
Install mm-1.1.3-35.s390.rpm off CD2.
This version has a temporary file vulnerability which can be exploited
to gain root access. You should not install this version on a public web
server since this race could be used in conjunction with a remote
exploit for Apache (e.g.
I am installing the beta SuSE SLES. Trying to start apache I get the
following:
cdcl:~ # rcapache start
Starting httpd [ LDAP PERL ]
/usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot
load
shared object file: No such file or directory
unused
cdcl:~ #
Might