
The system changes my file permissions [solved]


banjo

I am on a home system running Mandy 2006. There are four users, and we often share files such as digital photos.

 

However, we are locked out of the other user's home areas because of file permissions on the home directories that are set to drwx--x--x. Yesterday, in order to allow file sharing among us, I changed all of them to drwxr-xr-x. That worked just fine. But today, the file permissions on the home directories are back to drwx--x--x and we are locked out. I am all in favor of secure systems, but I think that I (as the sysadmin) should be allowed to set them up as I wish.

 

Is it me, or is this really part of the Mandriva plan? This is all too fnWindows-esque for me.

 

How can I make my new file permissions stick?

 

Thanks in advance

Banjo

(_)=='=~


Create a common usergroup (e.g. users), and make it primary for all. Easy, isn't it?

 

OK. I kinda understand your suggestion, but my Linux (Unix) admin skills are stale. Can you give me a pointer to a man page or two?

 

Thanks

Banjo

(_)=='=~


Start the MCC and go to the user-management section. Right click on the users, select "change preferences" and check the "users" box. This will add them to the users-group that should enable you to share files.


Start the MCC and go to the user-management section. Right click on the users, select "change preferences" and check the "users" box. This will add them to the users-group that should enable you to share files.

 

OK, I did that on a couple of users, then I did a chmod ug+r on my home directory. Then I rebooted to see what would happen and the new permissions stuck. But the directory still appears locked. I get permission denied on the directory when logged in as the other user. Does "users" have to be the primary group as scarecrow said?

 

Thanks again

Banjo

(_)=='=~


Oops! Nope. I spoke too soon. It went away again. I closed down the terminal windows and then browsed for a few minutes. When I went back, my permissions were once again set to drwx--x--x for my home directory. Something is locking that directory. I cannot even enable group permissions on it, so it will not help to have other users in the same group...... I think.

 

Very strange.

 

I'm confused.

 

Banjo

(_)=='=~


OK OK .... I got it now.

 

This is something new with Mandy 2006. During the installation, the default Security Level has been boosted up to High. I guess it used to be Standard. So, just taking a guess, I went into the MCC and changed it back down to Standard, and that seems to have fixed it.

 

How to change Security Level:

 

Open the MCC.

 

Options=>Expert Mode to see the utility that sets the Security Level.

 

Click on the item that says "Set the system security level and the periodic security audit". That popped up a dialog box that allowed me to set the security level back down to Standard. Once I had done that, I could set the permissions on the /home directories and they appear to stick. I even rebooted once to make sure that I still have access.

 

I guess the High security level runs a daemon that watches those directories and protects them. I don't know because I have not yet found a document that describes the details of those security levels.

 

Thanks to all for the help. This one really had me puzzled for a while.

 

Banjo

(_)=='=~


They started setting to high with LE2005, and continued it since then. As I'm only normally running for desktop systems I set to standard each time I install, much easier and less hassle :P

 

I did one install once on High, and it just annoyed me with all the stuff, so I just changed it back to standard too.


Anybody know where I could find out just exactly what these different security levels do?

 

It seems a bit too fnWindow-esque to provide nothing but boiled-down pablum don't-worry-your-pretty-little-head-just-trust-the-wizard stuff in a Linux distro. One of the reasons that I moved to Linux is so that I can have control of my OS and not have to just trust this kind of crap.

 

Oh, yeah, and one more rant.

 

They call them "Folders" now. I almost choked the first time I popped up a right-click menu and saw an entry for "Create Folder". Aaaahhhhh!! Those are directories not folders! Ahhhhh! :lol2: Old Unixers and new terminology tricks don't mix. :P

 

Other than that, I love my Mandy.

 

Banjo

(_)=='=~


Oh, that sweet "high" security setting. It caused some nice problems in different scenarios for Joe Average already... I always use the "normal" setting when I install Mandy.

Anybody know where I could find out just exactly what these different security levels do?
The MCC security settings tool is a frontend for Msec, which actually knows six different settings. Msec 0 is a horribly unprotected system, while Msec 5 is some kind of a paranoid system security setting. The Mandriva "normal" setting is Msec 2. The Msec settings can be changed either with the MCC or from the command line as root, e.g. type "msec 2" for setting your system to Msec2.

 

Here is a full listing of the security settings and what they do:

 

****************************

Security level 0 :

 

- no password

- umask is 002 ( user = read,write | group = read,write | other = read )

- easy file permission.

- everybody authorized to connect to X display.

- . in $PATH

 

****************************

Security level 1 :

 

- Global security check.

- umask is 002 ( user = read,write | group = read,write | other = read )

- easy file permission.

- localhost authorized to connect to X display and X server listens to tcp connections.

- . in $PATH

- Warning in /var/log/security.log

 

****************************

Security level 2 ( Aka normal system ) :

 

- Global security check

- Suid root file check

- Suid root file md5sum check

- Writable file check

- Warning in syslog

- Warning in /var/log/security.log

 

- umask is 022 ( user = read,write | group = read | other = read )

- easy file permission.

- localhost authorized to connect to X display and X server listens to tcp connections.

 

****************************

Security level 3 ( Aka more secure system ) :

 

- Global security check

- Permissions check

- Suid root file check

- Suid root file md5sum check

- Suid group file check

- Writable file check

- Unowned file check

- Promiscuous check

- Listening port check

- Passwd file integrity check

- Shadow file integrity check

- Warning in syslog

- Warning in /var/log/security.log

- rpm database checks

- send the results of checks by mail if they aren't empty

 

- umask is 022 ( user = read,write | group = read | other = read )

- Normal file permission.

- X server listens to tcp connections.

- All system events additionally logged to /dev/tty12

- Some system security check launched every midnight from the ( crontab ).

- no autologin

 

- home directories are accessible but not readable by others and group members.

 

****************************

Security level 4 ( Aka Secured system ) :

 

- Global security check

- Permissions check

- Suid root file check

- Suid root file md5sum check

- Suid group file check

- Writable file check

- Unowned file check

- Promiscuous check

- Listening port check

- Passwd file integrity check

- Shadow file integrity check

- Warning in syslog

- Warning in /var/log/security.log

- Warning directly on tty

- rpm database checks

- Send the results of checks by mail even if they are empty to show that the checks were run.

- umask 022 ( user = read,write | group = read | other = read ) for root

- umask 077 ( user = read,write | group = | other = ) for normal users

- restricted file permissions.

- All system events additionally logged to /dev/tty12

- System security check every midnight ( crontab ).

- localhost authorized to connect to X display.

- X server doesn't listen for tcp connections

- no autologin

- sulogin in single user

- no direct root login

- remote root login only with a pass phrase

- no list of users in kdm and gdm

- password aging at 60 days

- shell history limited to 10

- shell timeout 3600 seconds

- at and crontab not allowed to users not listed in /etc/at.allow and /etc/cron.allow

* - Services not contained in /etc/security/msec/server.4 are disabled during package installation ( considered as not really secure ) ( but the user can reenable it with chkconfig --add ).

- Connection to the system denied for all except localhost (authorized services must be in /etc/hosts.allow).

- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).

 

- most sensible files and directories are restricted to the members of the adm group.

- home directories are not accessible by others and group members.

- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.

- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.

- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.

- rpm command restricted to the members of the rpm group.

- forbid exporting X display when switching from root to another user

 

*******************************

Security level 5 ( Aka Paranoid system ) :

 

- Global security check

- Permissions check

- Suid root file check

- Suid root file md5sum check

- Suid group file check

- Writable file check

- Unowned file check

- Promiscuous check

- Listening port check

- Passwd file integrity check

- Shadow file integrity check

- Warning in syslog

- Warning in /var/log/security.log

- Warning directly on tty

- rpm database checks

- Send the results of checks by mail even if they are empty to show that the checks were run.

 

- umask 077 ( user = read,write | group = | other = )

- Highly restricted file permission

- All system events additionally logged to /dev/tty12

- System security check every midnight ( crontab ).

- X server doesn't listen for tcp connections

- no autologin

- sulogin in single user

- no direct root login

- no list of users in kdm and gdm

- password aging at 30 days

- password history to 5

- shell history limited to 10

- shell timeout 900 seconds

- su to root only allowed to members of the wheel group (activated only if the wheel group isn't empty)

* - Services not contained in /etc/security/msec/server.5 are disabled during package installation ( considered as not really secure ) ( but the user can reenable it with chkconfig --add ).

- Connection to the system denied for all (authorized services must be in /etc/hosts.allow).

- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .

 

- most sensible files and directories are restricted to the root account.

- home directories are not accessible by others and group members.

- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.

- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.

- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.

- rpm command restricted to the members of the rpm group.

- forbid exporting X display when switching from root to another user

 

******************

 

This might be of further interest: http://mandriva.vmlinuz.ca/index.php/SysAd.../SecurityLevels
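
The level listing accounts for the symptom in this thread: drwx--x--x is what level 3's home-directory rule describes, and drwxr-xr-x conflicts with it. As an added example (not part of any post here and not msec code), this shell script flags a home directory whose mode conflicts with a given level; the bit masks are an interpretation of the listing's wording, and `forbidden_bits` and `check_home` are hypothetical names.

```shell
#!/bin/sh
# Added example, not msec code. The masks are a reading of the level listing
# above, not values taken from msec itself.

# forbidden_bits LEVEL: octal mask of group/other bits the level denies on a
# home directory. Levels 0-2 state no home-directory rule in the listing.
forbidden_bits() {
    case "$1" in
        0|1|2) echo 000 ;;
        3)     echo 066 ;;  # "accessible but not readable": x stays; write is
                            # assumed denied too, matching drwx--x--x
        4|5)   echo 077 ;;  # "not accessible": no group/other bits at all
        *)     return 1 ;;
    esac
}

# check_home LEVEL DIR: return 0 if DIR's mode fits LEVEL, 1 on drift,
# 2 on a usage or stat error. Uses GNU/BusyBox `stat -c %a`.
check_home() {
    mask=$(forbidden_bits "$1") || { echo "unknown level: $1" >&2; return 2; }
    mode=$(stat -c %a "$2") || return 2
    extra=$(( 0$mode & 0$mask ))   # leading 0 makes the shell read octal
    if [ "$extra" -eq 0 ]; then
        echo "ok $mode $2"
        return 0
    fi
    printf 'drift %s %s (forbidden bits %03o)\n' "$mode" "$2" "$extra"
    return 1
}

# Constructed demo: a scratch directory stands in for a user's home.
demo=$(mktemp -d)
chmod 755 "$demo"; check_home 3 "$demo" || true  # drift: r bits for group/other
chmod 711 "$demo"; check_home 3 "$demo" || true  # ok: the mode seen in the thread
check_home 4 "$demo" || true                     # drift: level 4 denies x as well
rmdir "$demo"
```

Run against the real /home entries, a "drift" line identifies a directory whose manual chmod conflicts with that level's rule.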
