Secure OS Software for Linux

Paranoid security, bypass resetting permissions

SOLVED
Raynald Boucher
Super Advisor

Paranoid security, bypass resetting permissions

Good Day all,

We have installed Linux (Mandrake 9) with a security level of "paranoid". While this is good, it can get quite annoying. For example:
there is a cron job that appears to reset ownership of all subdirectories and files under /var to root with permissions 700 and 600 respectively.
A real pain because no other user can read anything from /var/log.

Is there a way to disable this functionality for /var/log or a subdirectory?

I suspect I could store my reports somewhere else under some /home/ to avoid this problem, but I'd rather know how to configure security properly.

Thanks &
Take care.
5 REPLIES
Kodjo Agbenu
Honored Contributor

Re: Paranoid security, bypass resetting permissions

I don't know how Mandrake implements this functionality, but I remember in an old SuSE version I used a few years ago, there was a file in /etc for configuring that (something like /etc/perms).

Check in Mandrake documentation or simply grep in /etc to find the right config file.

Good luck.

Kodjo
Learn and explain...
Steven E. Protter
Exalted Contributor

Re: Paranoid security, bypass resetting permissions

crontab -e

Most likely there will be comments and you can find and modify the offending cron job.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jean-Pierre Denis
Valued Contributor

Re: Paranoid security, bypass resetting permissions

Hi,

msec by default is making this happen...

Go look in:
/usr/share/msec

and take a look at the perm.5 file. (This is if you are running msec at level 5. I think "paranoid", which is the highest level, is level 5.)

you will see this for /var/log:
/var/log/ root.root 711
/var/log/* root.root 600
/var/log/*/* current 600
/var/log/*/*/* current 600
/var/log/*/. current 700

Simply replace the 600 or 700 with the permission you want to set.

Then run msec 5 again and all the permissions will be applied to your system.

Thanks,
JP

Open your Mind and use Open Source software...
Jean-Pierre Denis
Valued Contributor
Solution

Re: Paranoid security, bypass resetting permissions

Hi again,

Instead of changing the file in /usr/share/msec you can create the file /etc/security/msec/perm.local and set your local permissions in there.

This will overwrite the change made by perm.5 and if you upgrade msec one of these days your "local" config will be kept.

Thanks,
JP



Open your Mind and use Open Source software...
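
An added example (not from the thread and not msec's own code): a small Python check that merges the perm.5 lines quoted above with a proposed perm.local and lists any /var/log patterns that would become readable or writable by every user. The reports directory, the adm group, '#' comments, and the rule that a perm.local entry replaces the perm.5 entry with the same pattern are assumptions.

```python
"""Added example: lint a proposed msec perm.local before applying it."""

# perm.5 lines as quoted in the thread (paranoid level).
PERM_5 = """\
/var/log/        root.root 711
/var/log/*       root.root 600
/var/log/*/*     current   600
/var/log/*/*/*   current   600
/var/log/*/.     current   700
"""

# Constructed perm.local; the reports directory and "adm" group are hypothetical.
PERM_LOCAL = """\
# let one reporting group read a single subdirectory
/var/log/reports/.   root.adm  750
/var/log/reports/*   root.adm  640
/var/log/*           root.root 644
"""

def parse_rules(text):
    """Return {pattern: (owner_spec, mode)}; mode is an int, or None for 'current'."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 'path owner.group mode': {line!r}")
        pattern, owner, mode = fields
        rules[pattern] = (owner, None if mode == "current" else int(mode, 8))
    return rules

def effective_rules(base_text, local_text):
    """Assumption: a perm.local entry replaces the base entry with the same pattern."""
    merged = parse_rules(base_text)
    merged.update(parse_rules(local_text))
    return merged

def world_accessible(rules, prefix="/var/log/"):
    """Patterns under prefix whose mode gives 'other' read or write access."""
    return sorted(p for p, (_, mode) in rules.items()
                  if p.startswith(prefix) and mode is not None and mode & 0o006)

if __name__ == "__main__":
    for pattern in world_accessible(effective_rules(PERM_5, PERM_LOCAL)):
        print("world-readable or world-writable after override:", pattern)
```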
Raynald Boucher
Super Advisor

Re: Paranoid security, bypass resetting permissions

Thank you, Jean-Pierre.

I was getting close but got sidetracked by that Python code.

Thanks all.