Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a box running Mandrake, acting as a server (running web, ftp firewall and stuff like that). I'm running it on security level 4, as suggested. No problem, the box works fine.
Now the problem I have is that there are other users using the box, and they can't run stuff like gcc, and make etc. Not even ping or w! Only root can do that, and I don't really want every user to be root, for obvious reasons.
How can I fix this? Do I have any options other than lowering the security level, which I don't want to do?
If anyone can lead me through this it will be greatly appreciated.
Quote:
Now the problem I have is that there are other users using the box, and they can't run stuff like gcc, and make etc.
That's not a problem, that's rather good user policy :-]
First of all a server is not a development box. On a production server compilers and such should be uninstalled. If you still want to proceed, make a separate group for users that are explicitly allowed to use compilers and add them to those. Remember being able to compile stuff means ppl are able to compile system specific sploits.
Quote:
Originally posted by unSpawn First of all a server is not a development box.
True true, but unfortunately this is the only box running Linux I have.
Quote:
Originally posted by unSpawn On a production server compilers and such should be uninstalled. If you still want to proceed, make a separate group for users that are explicitly allowed to use compilers and add them to those. Remember being able to compile stuff means ppl are able to compile system specific sploits.
So the solution would basically be to create a group for, well, let's call them super users, that would be allowed to use compilers and any other stuff that would be suitable? What would be the best practice for that?
I'm by no means savvy in this department, I might add.
$ ls -l ./a.out
-rwxrwxr-x 1 fark fark 11059 Feb 16 12:24 ./a.out*
$ ./a.out
-bash: ./a.out: Permission denied
Does the mount command for this particular partition show a "noexec" flag?
You running a Grsecurity reinforced kernel?
Any other non-default security measures we should know of?
Quote:
Does the mount command for this particular partition show a "noexec" flag?
Nope.
$ pwd
/home/fark/c
$ mount
...
/dev/hda7 on /home type ext3 (rw)
$
Quote:
You running a Grsecurity reinforced kernel?
Nope.
Quote:
Any other non-default security measures we should know of?
None that I can think of. It is a standard Mandrake, using security level 4. Nothing out of the ordinary.
Shame on me, but I ate a roast, downed a bottle of my favourite White Zinfandel, and am gettin slightly sloshed on 'ol Jameson. Is there any way you can ascertain this is due to Mandy's security level and not in-kernel restrictions? I mean, could you do something like boot to single user level (severs network connections etc), set a lower security level and try again?
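Added example, not part of any post in this thread: a small sh script for the two checks discussed above (the "noexec" mount flag and the file's mode bits), extended to the search permission on each parent directory. The sample mount table is constructed apart from the /home line quoted in the thread, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: two checks for "Permission denied" on a file that looks executable.

# Constructed `mount` output; only the /home line appears in the thread.
SAMPLE_MOUNTS='/dev/hda1 on / type ext3 (rw)
/dev/hda7 on /home type ext3 (rw)
/dev/hda8 on /tmp type ext3 (rw,noexec,nosuid)'

# mount_opts_for PATH [MOUNT_OUTPUT]
# Print the options of the longest mount point that is a prefix of PATH.
# Reads the live `mount` output when no second argument is given.
mount_opts_for() {
    printf '%s\n' "${2:-$(mount)}" | awk -v p="$1" '
        $2 == "on" && $4 == "type" {
            mp = $3
            # match only on a path-component boundary (/tmp must not match /tmpfoo)
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); opts = $6 }
        }
        END { gsub(/[()]/, "", opts); print opts }'
}

# has_noexec PATH [MOUNT_OUTPUT]: succeed if PATH sits on a noexec mount.
has_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# first_blocked PATH: print the topmost component the current user cannot
# execute (the file) or search (a parent directory); print nothing if all pass.
first_blocked() {
    p=$1 blocked=
    [ -x "$p" ] || blocked=$p
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        [ -x "$p" ] || blocked=$p    # walking upward, so the last failure is the topmost
    done
    printf '%s\n' "$blocked"
}

# Usage with the path from the thread and the sample mount table.
if has_noexec /home/fark/c/a.out "$SAMPLE_MOUNTS"; then
    echo "/home is mounted noexec"
else
    echo "/home options: $(mount_opts_for /home/fark/c/a.out "$SAMPLE_MOUNTS")"
fi
```

When both checks come back clean, as they do for the output posted in the thread, mode bits and mount flags are ruled out and the remaining candidates are the ones the last post asks about.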