Old 07-17-2004, 05:40 AM   #1
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Rep: Reputation: 15
Lose permissions mid-session


Hello,
I have Mandrake 10.0 running KDE on an emachines laptop w/ AMD 2500XP-M. So far everything is great except for this problem:
I have a 60GB hard disk with three partitions: one NTFS partition (contains Windows OS), one FAT32 partition (for sharing data between Windows and Linux, like mp3's, DivX and so forth), and one Linux partition. The FAT32 shows up as /mnt/win_d and it always shows up. I initially had to go to the configuration utility and enter the root password to give admin users write permissions on that drive, but that was fine. A couple of days ago, I started losing permissions to even ACCESS the drive /mnt/win_d, in the middle of my session! If I logout and login I still can't access it, but if I do a restart then I'm fine. Does anybody have any suggestions? I am a 1-week newbie. What could I be doing that makes this happen?
 
Old 07-17-2004, 06:16 AM   #2
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
msec is a process that runs in MDK to check security features. Perhaps it changes something it does not like. See your system log for msec messages:
#cat /var/log/messages|grep msec|less
 
Old 07-17-2004, 03:30 PM   #3
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
I see the following lines:

Jul 16 22:01:01 localhost msec: changed mode of /mnt/win_d from 777 to 700
Jul 16 22:01:01 localhost msec: chown /mnt/win_d 3: [Errno 1] Operation not permitted: '/mnt/win_d'
Jul 16 22:01:01 localhost msec: chgrp /mnt/win_d 4: [Errno 1] Operation not permitted: '/mnt/win_d'

does that mean anything?
 
Old 07-17-2004, 03:54 PM   #4
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally posted by johngcarlsson
I see the following lines:

Jul 16 22:01:01 localhost msec: changed mode of /mnt/win_d from 777 to 700
Jul 16 22:01:01 localhost msec: chown /mnt/win_d 3: [Errno 1] Operation not permitted: '/mnt/win_d'
Jul 16 22:01:01 localhost msec: chgrp /mnt/win_d 4: [Errno 1] Operation not permitted: '/mnt/win_d'

does that mean anything?
Yes. msec is trying to change the ownership and permissions for /mnt/win_d .

ls -l /
ls -l /mnt
Will show the current ownership and group and permissions.
See man msec and msec levels .

The behaviour your system exhibits is consistent with "set_root_umask" for msec 5. Are you paranoid? Perhaps you set permissions for normal user access to /mnt/win_d and offended msec. You could try msec 4 if you are not paranoid...
 
Old 07-17-2004, 05:06 PM   #5
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
Yes, I did in fact change permissions for /mnt/win_d. I did this through Mandrake Control Center > Security > Permissions. I reckon I did indeed "offend" msec. However I am rather paranoid. What is a good general level to leave msec at?

Also, I don't understand the relationship between msec and the programs accessed in Control Center > Security. The program Control Center > Security > Levels and Checks says that my security level is "Standard," but as you said my computer behaviour suggests that I am at msec level 5 (the highest, right?). Are these two programs totally disparate?
Thanks!
 
Old 07-17-2004, 08:11 PM   #6
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
I usually use "standard". You could investigate the relationship by adjusting with the GUI and querying with msec from the command line interface.

More info on the files that make up msec are here: http://www.geek-cave.com/tutorials/msec/files
 
Old 07-17-2004, 08:41 PM   #7
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
Hi,
According to Control Center, my current security level is 2, and "Levels and Checks" in the Security Control center says that my security level is "Standard." If I login as root and type

#msec

then I get

msec: chown /mnt/win_d 3: [Errno 1] Operation not permitted: '/mnt/win_d'

So I guess this means that something doesn't like the fact that msec wants to change permissions. Is that right? What could that 'something' be?
Thanks!
 
Old 07-17-2004, 09:00 PM   #8
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Is the filesystem that you want to mount on /mnt/win_d mounted? What is in /etc/fstab?
cat /etc/fstab
mount
ls -l /mnt
ls -l /mnt/win_d
FAT32 does not have the concept of ownership and permissions. Perhaps that is the problem. Are you getting any additional messages in /var/log/messages?
#less /var/log/messages will let you search through.
 
Old 07-17-2004, 09:26 PM   #9
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
fstab has the following line in it:

/dev/hda5 /mnt/win_d vfat umask=0,iocharset=iso8859-1,codepage=850 0 0

should I put a 'user' in there somewhere? I had assumed that this line was sufficient to mount the drive. Is that incorrect?
Thanks for all your help!
 
Old 07-18-2004, 06:05 AM   #10
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally posted by johngcarlsson
fstab has the following line in it:

/dev/hda5 /mnt/win_d vfat umask=0,iocharset=iso8859-1,codepage=850 0 0

should I put a 'user' in there somewhere? I had assumed that this line was sufficient to mount the drive. Is that incorrect?
Thanks for all your help!
msec wants umask=022 according to http://www.geek-cave.com/tutorials/msec/levels which gives files and directories rwx r-x r-x permissions. Your msec seems to want umask=077 which is the paranoid-5 level. I wonder if there is something wrong with your msec configuration.

You might also add dmask=022 for directories and fmask for files.

umask=0 gives everyone rwx permissions which is dangerous. A malicious user/process could plant some malware, or delete something. That would freak out msec. You would have to customize msec if you really wanted that.
 
Old 07-18-2004, 06:18 PM   #11
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
OK, I changed fstab to umask=022 in the aforementioned line, but it did not fix my problem. Should I post this to the Mandrake board maybe?
Thanks!
 
Old 07-19-2004, 10:00 AM   #12
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
I would check out
man msec
first. Then edit /etc/security/msec/security.conf

There must be something in there about your security level.
Also check out this advice:
http://archives.neohapsis.com/archiv...3-q1/0191.html

and

http://www.mandrakesecure.net/en/docs/msec.php

and

http://mandrake.vmlinuz.ca/bin/view/...ndrakeSecurity

After you have examined this stuff and still cannot get it to work, it would be time to report the problem up the foodchain.

There seems to be some variability about the security levels. I think the only way to know for sure what you have is to examine the .conf files for msec. The GUI operates by passing information to scripts. If there is an error in one of the scripts or the GUI, you are one level further away from understanding the problem.
 
Old 07-19-2004, 05:55 PM   #13
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
Hi,
Thank you very kindly for all of your help. I read the man pages for msec and mseclib but it appears to me that these are functioning appropriately. My /var/lib/msec/security.conf looks correct, from what I have read:

CHECK_SHADOW=no
CHECK_SECURITY=yes
CHECK_UNOWNED=no
CHECK_SUID_MD5=yes
CHECK_PASSWD=no
SYSLOG_WARN=yes
CHECK_SUID_ROOT=yes
CHECK_PERMS=no
MAIL_EMPTY_CONTENT=no
CHECK_WRITABLE=yes
CHKROOTKIT_CHECK=no
CHECK_PROMISC=no
CHECK_SGID=yes
RPM_CHECK=no
TTY_WARN=no
MAIL_WARN=no
CHECK_OPEN_PORT=no

and /etc/security/msec/security.conf is an empty file. At first I thought "ah-hah! It must be that I should override /var/lib/msec/security.conf here by telling it to open up permissions to the windows drive!" But then after reading the man page for msec I see that the proper place for this is the file /etc/security/msec/perm.local, which does in fact contain the line

/mnt/win_d adm.adm 700

as desired. My /etc/security/msec/level.local is also empty. Would this be the correct place to put in a line that says


set_root_umask = 022


perhaps?
Thank you for all your help!
 
Old 07-19-2004, 06:45 PM   #14
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
But then after reading the man page for msec I see that the proper place for this is the file /etc/security/msec/perm.local, which does in fact contain the line
/mnt/win_d adm.adm 700
The 700 means owner group other
rwx - - - - - -
This code is binary/octal with each digit formed from three bits for read write execute
If you want ordinary users (others) to be able to read the stuff use 744 for readonly or 766 for read/write and 777 for everyone to read/write/execute (shudder!)

It looks like you need to edit perm.local
 
Old 07-19-2004, 06:58 PM   #15
johngcarlsson
Member
 
Registered: Jul 2004
Posts: 58

Original Poster
Rep: Reputation: 15
Hello,
Actually, I think I have found the problem. It seems that a lot of Linux newbies have this problem, because FAT32 doesn't have the same permissions structure that Linux-formatted drives do, and that confuses dumb people like me. It sounds as though you have to change /etc/fstab (which you suggested before, and I didn't understand it as well as I thought I did, but now it makes more sense)

change

/dev/hda5 /mnt/win_d vfat umask=022,iocharset=iso8859-1,codepage=850 0 0

to

/dev/hda5 /mnt/win_d vfat uid=501,umask=000,iocharset=iso8859-1,codepage=850 0 0

is this safe (uid=501 corresponds to my username)? Do you think that this is an appropriate solution? Thank you very much for all of your help!
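
Added example (not written by either poster): a Python check that works out the owner and modes the vfat driver will report for the three fstab lines quoted in this thread, and decodes octal modes such as the 700 in perm.local. It relies on the standard vfat rule that mode = 0777 & ~mask, with dmask/fmask overriding umask; the function names and the fallback values used when uid or a mask is absent are assumptions.

```python
import stat

# The three /etc/fstab entries quoted in the thread, in the order posted.
FSTAB_LINES = [
    "/dev/hda5 /mnt/win_d vfat umask=0,iocharset=iso8859-1,codepage=850 0 0",
    "/dev/hda5 /mnt/win_d vfat umask=022,iocharset=iso8859-1,codepage=850 0 0",
    "/dev/hda5 /mnt/win_d vfat uid=501,umask=000,iocharset=iso8859-1,codepage=850 0 0",
]

def parse_entry(line):
    """Split one fstab entry into (mountpoint, fstype, {option: value})."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab entry needs at least four fields")
    opts = dict(item.partition("=")[::2] for item in fields[3].split(","))
    return fields[1], fields[2], opts

def vfat_modes(opts, fallback_mask=0o022, fallback_uid=0):
    """Return (dir_mode, file_mode, uid) as synthesized at mount time.

    FAT32 stores no Unix owner or mode on disk, so every entry gets
    0777 & ~mask and the uid= owner. The fallbacks are assumptions for a
    boot-time mount by root with a process umask of 022.
    """
    def mask(name, default):
        return int(opts[name], 8) if name in opts else default
    umask = mask("umask", fallback_mask)
    dir_mode = 0o777 & ~mask("dmask", umask)
    file_mode = 0o777 & ~mask("fmask", umask)
    return dir_mode, file_mode, int(opts.get("uid", fallback_uid))

def rwx(mode):
    """Render permission bits as a nine-character rwx string."""
    return stat.filemode(mode)[1:]

def audit(line):
    """Summarize who owns the mount and whether 'other' can write to it."""
    mountpoint, fstype, opts = parse_entry(line)
    if fstype != "vfat":
        raise ValueError("this check only models vfat mount options")
    dir_mode, file_mode, uid = vfat_modes(opts)
    return {"mountpoint": mountpoint, "uid": uid,
            "dirs": rwx(dir_mode), "files": rwx(file_mode),
            "world_writable": bool(dir_mode & stat.S_IWOTH)}

if __name__ == "__main__":
    for entry in FSTAB_LINES:
        print(audit(entry))
```

The first and third entries both come out world-writable; adding uid=501 changes only the reported owner, while the mask alone decides what group and other can do.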
 
  

