On Tue, 2004-09-28 at 08:53, Tanner Lovelace wrote:
> > > If you want ping to work as a user then:
> > > chmod u+s /bin/ping
> > >
> > > Of course I'm betting that MSEC will change it back unless you edit the
> > > file: /usr/share/msec/perm.<msec level>
>
> Please don't edit these files. Besides changing msec's idea of defaults,
> you run the risk of having your modifications undone if you upgrade msec.
> Instead, you can add it to your local perm.local file in
> /etc/security/msec/perm.local.
>
> If you do the command "grep ping /usr/share/msec/perm.?" you get this:
>
> perm.0:/bin/ping root.root 4755
> perm.1:/bin/ping root.root 4755
> perm.2:/bin/ping root.root 4755
> perm.3:/bin/ping root.root 4755
> perm.4:/bin/ping root.ntools 4750
> perm.5:/bin/ping root.ntools 4750
>
Oops! My bad. You are definitely right. Folks should NOT edit the default MSEC files. Thanks for catching that, Tanner.

As it turns out though, MSEC only issues a warning about it and doesn't change ping back. So if you can live with a one-time warning from MSEC then don't worry about this part at all.

> So, take the line from perm.[0123] and add that to /etc/security/msec/perm.local
> if you really want to change it back.
>
> Alternatively, and a more secure option, would be to add the users you want
> to be able to use ping, and other network tools, to the ntools group. At higher
> msec levels you can separate out privileges like that with groups. There are
> groups for network tools which include the use of programs like ping, finger,
> ssh, telnet, w, who, and traceroute.

I'm running MSEC level 4 on my servers, so I did need to add my username to the ntools group before I could ping. So that restriction of MSEC continues to work even once ping is set-uid root. Indeed, ping will not work *period* for a user unless it is set-uid root.

Note: if you are running MSEC at lower levels you don't need to add the user to the ntools group, but you still need to set-uid root on /bin/ping.

> I would suggest
> looking into this option before trying to modify file permissions. The permissions
> were set that way for a good reason and you should think about the ramifications
> of those reasons before just changing them back.

I thought a lot about this and the only explanation I can gedanken is that they don't want (non-root) trojans to have access to ICMP via ping. Still, Mandrake has fping, which comes set-uid root and works fine for users - so maybe the thought is that you simply need to obscure an application that has set-uid root and can use ICMP freely?

Anyway... Thank God it's open source and we can easily change it to match our needs!
Jon Carnes
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
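The three things the thread turns on (which perm.* line applies at a given msec level, how to put an override into /etc/security/msec/perm.local without editing the defaults, and whether a user is actually in the ntools group) are easy to get wrong by hand, so here is an added worked example. It is not code from the thread, from msec or from Mandrake. It assumes the "path owner.group mode" line format visible in the grep output above, the /etc/security/msec/perm.local path and the ntools group name, and it works only on scratch files under a temporary directory, so it needs neither root nor a real /bin/ping. The group file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, msec or Mandrake): helpers around the
# msec permission handling discussed above. Assumes the "path owner.group mode"
# entry format shown in the grep output, the perm.local override file and the
# ntools group name. Everything below runs against scratch files.

# The perm.* entry for /bin/ping at a given msec level, taken from the grep
# output in the thread: levels 0-3 give root.root 4755, 4-5 give root.ntools 4750.
ping_perm_line_for_level() {
    case "$1" in
        0|1|2|3) printf '%s\n' "/bin/ping root.root 4755" ;;
        4|5)     printf '%s\n' "/bin/ping root.ntools 4750" ;;
        *) echo "unknown msec level: $1" >&2; return 1 ;;
    esac
}

# Add (or replace) the entry for one path in a perm.local file, so running it
# twice never leaves duplicate lines. $1 = perm.local path, $2 = entry line.
set_perm_local_entry() {
    file=$1; line=$2
    path=${line%% *}                          # first field of the entry
    tmp=$(mktemp)
    [ -f "$file" ] && grep -v "^$path " "$file" > "$tmp" || true
    printf '%s\n' "$line" >> "$tmp"
    mv "$tmp" "$file"
}

# Octal mode of a file, including the setuid/setgid/sticky digit, derived from
# "ls -l" so it also works where GNU "stat -c %a" is unavailable.
octal_mode() {
    p=$(ls -ld "$1" | cut -c2-10)             # e.g. rwsr-xr-x
    special=0; mode=0; i=0
    for t in "$(printf '%s' "$p" | cut -c1-3)" \
             "$(printf '%s' "$p" | cut -c4-6)" \
             "$(printf '%s' "$p" | cut -c7-9)"; do
        i=$((i + 1)); v=0
        case "$t" in r??) v=$((v + 4)) ;; esac
        case "$t" in ?w?) v=$((v + 2)) ;; esac
        case "$t" in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t = exec bit set too
        case "$t" in
            ??[sS]) if [ "$i" -eq 1 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            ??[tT]) special=$((special + 1)) ;;
        esac
        mode=$((mode * 8 + v))
    done
    printf '%o\n' $((special * 512 + mode))
}

# Is user $2 a supplementary member of group $3 in an /etc/group-style file $1?
# (Primary group membership via /etc/passwd is deliberately not considered.)
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Demonstration on constructed scratch files, not a real system.
work=$(mktemp -d)
touch "$work/ping"
chmod 4750 "$work/ping"                       # what msec level 4/5 expects
echo "scratch ping mode: $(octal_mode "$work/ping")"   # 4750
set_perm_local_entry "$work/perm.local" "$(ping_perm_line_for_level 2)"
echo "perm.local now contains: $(cat "$work/perm.local")"
printf 'ntools:x:499:alice,bob\nwheel:x:10:root\n' > "$work/group"   # constructed
if user_in_group "$work/group" alice ntools; then
    echo "alice is in ntools, so 4750 root.ntools still lets her ping"
fi
rm -rf "$work"
```

On a real box the functions would be pointed at /bin/ping and /etc/security/msec/perm.local and run as root; msec also enforces the owner and group of each entry, which this example leaves alone because chown needs root. Adding a user to ntools is done with the usual group tools (for example `gpasswd -a <user> ntools`), after which `octal_mode /bin/ping` should report 4750 at level 4 or 5 and 4755 below that.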
