Lose permissions mid-session
Hello,
I have Mandrake 10.0 running KDE on an emachines laptop w/ AMD 2500XP-M. So far everything is great except for this problem: I have a 60GB hard disk with three partitions: one NTFS partition (contains Windows OS), one FAT32 partition (for sharing data between Windows and Linux, like mp3's, DivX and so forth), and one Linux partition. The FAT32 shows up as /mnt/win_d and it always shows up. I initially had to go to the configuration utility and enter the root password to give admin users write permissions on that drive, but that was fine. A couple of days ago, I started losing permissions to even ACCESS the drive /mnt/win_d, in the middle of my session! If I logout and login I still can't access it, but if I do a restart then I'm fine. Does anybody have any suggestions? I am a 1-week newbie. What could I be doing that makes this happen?

msec is a process that runs in MDK to check security features. Perhaps it changes something it does not like. See your system log for msec messages:

    # cat /var/log/messages | grep msec | less

I see the following lines:

    Jul 16 22:01:01 localhost msec: changed mode of /mnt/win_d from 777 to 700
    Jul 16 22:01:01 localhost msec: chown /mnt/win_d 3: [Errno 1] Operation not permitted: '/mnt/win_d'
    Jul 16 22:01:01 localhost msec: chgrp /mnt/win_d 4: [Errno 1] Operation not permitted: '/mnt/win_d'

Does that mean anything?

Quote:

    ls -l /
    ls -l /mnt

will show the current ownership and group and permissions. See man msec and msec levels. The behaviour your system exhibits is consistent with "set_root_umask" for msec 5. Are you paranoid? Perhaps you set permissions for normal user access to /mnt/win_d and offended msec. You could try msec 4 if you are not paranoid... :cool:

Yes, I did in fact change permissions for /mnt/win_d. I did this through Mandrake Control Center > Security > Permissions. I reckon I did indeed "offend" msec. However I am rather paranoid. What is a good general level to leave msec at?
Also, I don't understand the relationship between msec and the programs accessed in Control Center > Security. The program Control Center > Security > Levels and Checks says that my security level is "Standard," but as you said my computer behaviour suggests that I am at msec level 5 (the highest, right?). Are these two programs totally disparate? Thanks!

I usually use "standard". You could investigate the relationship by adjusting with the GUI and querying with msec from the command line interface.
More info on the files that make up msec is here: http://www.geek-cave.com/tutorials/msec/files

Hi,
According to Control Center, my current security level is 2, and "Levels and Checks" in the Security Control center says that my security level is "Standard." If I login as root and type

    # msec

then I get

    msec: chown /mnt/win_d 3: [Errno 1] Operation not permitted: '/mnt/win_d'

So I guess this means that something doesn't like the fact that msec wants to change permissions. Is that right? What could that 'something' be? Thanks!

Is the filesystem that you want to mount on /mnt/win_d mounted? What is in /etc/fstab?

    cat /etc/fstab
    mount
    ls -l /mnt
    ls -l /mnt/win_d

FAT32 does not have the concept of ownership and permissions. Perhaps that is the problem. Are you getting any additional messages in /var/log/messages?

    # less /var/log/messages

will let you search through.

fstab has the following line in it:

    /dev/hda5 /mnt/win_d vfat umask=0,iocharset=iso8859-1,codepage=850 0 0

Should I put a 'user' in there somewhere? I had assumed that this line was sufficient to mount the drive. Is that incorrect? Thanks for all your help!

Quote:
You might also add dmask=022 for directories and fmask for files. umask=0 gives everyone rwx permissions which is dangerous. A malicious user/process could plant some malware, or delete something. That would freak out msec. You would have to customize msec if you really wanted that.

OK, I changed fstab to umask=022 in the aforementioned line, but it did not fix my problem. Should I post this to the Mandrake board maybe?
Thanks!

I would check out

    man msec

first. Then edit /etc/security/msec/security.conf. There must be something in there about your security level. Also check out this advice: http://archives.neohapsis.com/archiv...3-q1/0191.html and http://www.mandrakesecure.net/en/docs/msec.php and http://mandrake.vmlinuz.ca/bin/view/...ndrakeSecurity

After you have examined this stuff and still cannot get it to work, it would be time to report the problem up the foodchain. There seems to be some variability about the security levels. I think the only way to know for sure what you have is to examine the .conf files for msec. The GUI operates by passing information to scripts. If there is an error in one of the scripts or the GUI, you are one level further away from understanding the problem.

Hi,
Thank you very kindly for all of your help. I read the man pages for msec and mseclib but it appears to me that these are functioning appropriately. My /var/lib/msec/security.conf looks correct, from what I have read:

    CHECK_SHADOW=no
    CHECK_SECURITY=yes
    CHECK_UNOWNED=no
    CHECK_SUID_MD5=yes
    CHECK_PASSWD=no
    SYSLOG_WARN=yes
    CHECK_SUID_ROOT=yes
    CHECK_PERMS=no
    MAIL_EMPTY_CONTENT=no
    CHECK_WRITABLE=yes
    CHKROOTKIT_CHECK=no
    CHECK_PROMISC=no
    CHECK_SGID=yes
    RPM_CHECK=no
    TTY_WARN=no
    MAIL_WARN=no
    CHECK_OPEN_PORT=no

and /etc/security/msec/security.conf is an empty file. At first I thought "ah-hah! It must be that I should override /var/lib/msec/security.conf here by telling it to open up permissions to the windows drive!" But then after reading the man page for msec I see that the proper place for this is the file /etc/security/msec/perm.local, which does in fact contain the line

    /mnt/win_d adm.adm 700

as desired. My /etc/security/msec/level.local is also empty. Would this be the correct place to put in a line that says

    set_root_umask = 022

perhaps? Thank you for all your help!

Quote:

    rwx - - - - - -

This code is binary/octal, with each digit formed from three bits for read, write, execute. If you want ordinary users (others) to be able to read the stuff use 744 for readonly or 766 for read/write and 777 for everyone to read/write/execute (shudder!). It looks like you need to edit perm.local.

Hello,
Actually, I think I have found the problem. It seems that a lot of Linux newbies have this problem, because FAT32 doesn't have the same permissions structure that Linux-formatted drives do, and that confuses dumb people like me. It sounds as though you have to change /etc/fstab (which you suggested before, and I didn't understand it as well as I thought I did, but now it makes more sense). Change

    /dev/hda5 /mnt/win_d vfat umask=022,iocharset=iso8859-1,codepage=850 0 0

to

    /dev/hda5 /mnt/win_d vfat uid=501,umask=000,iocharset=iso8859-1,codepage=850 0 0

Is this safe (uid=501 corresponds to my username)? Do you think that this is an appropriate solution? Thank you very much for all of your help!
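
An added example, not part of the thread or of msec: because vfat takes every file's owner and mode from the mount options, the effect of the umask, dmask, fmask and uid values discussed above can be computed directly from the fstab line. The function names, the default umask, the root-owner default and the fourth sample line are assumptions made for illustration.

```python
import stat

# Constructed sample: the three option strings posted in the thread, plus a
# fourth constructed variant using the dmask/fmask options mentioned there.
SAMPLE_FSTAB = """\
/dev/hda5 /mnt/win_d vfat umask=0,iocharset=iso8859-1,codepage=850 0 0
/dev/hda5 /mnt/win_d vfat umask=022,iocharset=iso8859-1,codepage=850 0 0
/dev/hda5 /mnt/win_d vfat uid=501,umask=000,iocharset=iso8859-1,codepage=850 0 0
/dev/hda5 /mnt/win_d vfat uid=501,dmask=022,fmask=133,iocharset=iso8859-1 0 0
"""

def parse_opts(field):
    """Split 'a=1,b,c=2' into a dict; bare flags map to True."""
    opts = {}
    for item in field.split(","):
        key, sep, val = item.partition("=")
        opts[key] = val if sep else True
    return opts

def audit_vfat(fstab_text, default_umask=0o022):
    """Return one finding per vfat/msdos entry in fstab-style text.

    Directories appear as 0777 & ~dmask and files as 0777 & ~fmask;
    umask is the fallback for whichever of the two is not given.
    default_umask stands in for the mounting process's umask (assumption).
    """
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] not in ("vfat", "msdos"):
            continue
        opts = parse_opts(fields[3])
        def mask(name, fallback):
            return int(opts[name], 8) if name in opts else fallback
        umask = mask("umask", default_umask)
        dmode = 0o777 & ~mask("dmask", umask)
        fmode = 0o777 & ~mask("fmask", umask)
        findings.append({
            "mountpoint": fields[1],
            "uid": int(opts.get("uid", 0)),  # 0 assumes root performs the mount
            "dir_mode": stat.filemode(stat.S_IFDIR | dmode),
            "file_mode": stat.filemode(stat.S_IFREG | fmode),
            "world_writable": bool((dmode | fmode) & stat.S_IWOTH),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_vfat(SAMPLE_FSTAB):
        print(finding)
```

Only the umask=022 line and the constructed dmask/fmask line come out without world-writable bits; the latter still leaves uid 501 able to write.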