Hi there,

I have a box running Mandrake, acting as a server (running web, ftp firewall and stuff like that). I'm running it on security level 4, as suggested. No problem, the box works fine.

Now the problem I have is that there are other users using the box, and they can't run stuff like gcc, and make etc. Not even ping or w! Only root can do that, and I don't really want every user to be root, for obvious reasons.

How can I fix this? Do I have any options other than lowering the security level, which I don't want to do.

If anyone can lead me through this it will be greatly appreciated.

Thanks.

Now the problem I have is that there are other users using the box, and they can't run stuff like gcc, and make etc.
That's not a problem, that's rather good user policy :-]

First of all a server is not a development box. On a production server compilers and such should be uninstalled. If you still want to proceed, make a separate group for users that are explicitly allowed to use compilers and add them to those. Remember being able to compile stuff means ppl are able to compile system specific sploits.

Thanks for your reply.

True true, but unfortunately this is the only box running Linux I have.

So the solution would basically be to create a group for, well lets call them super users, that would be allowed to use compilers and any other stuff that would be suitable? What would be the best practice for that?

I'm by no means savvy in this department, I might add.

Ah, the ctools group was just sitting there, right in front of me.

Ok, so now I have added my regular user to the ctools group in order to use gcc etc. But something else is fishy.

Check this out:

$ groups
fark ctools
$ cat helloworld.c
#include <stdio.h>
int main() {
return 0;
}
$ gcc helloworld.c
$ ls -l ./a.out
-rwxrwxr-x 1 fark fark 11059 Feb 16 12:24 ./a.out*
$ ./a.out
-bash: ./a.out: Permission denied
$

What gives? I'm not at all sure this question belongs in this group, so if it's not, point me in the right direction and I'll be off.

$ ls -l ./a.out
-rwxrwxr-x 1 fark fark 11059 Feb 16 12:24 ./a.out*
$ ./a.out
-bash: ./a.out: Permission denied

Does the mount command for this particular partition show a "noexec" flag?
You running a Grsecurity reinforced kernel?
Any other non-default security measures we should know of?

Does the mount command for this particular partition show a "noexec" flag?
Nope.

$ pwd
/home/fark/c
$ mount
...
/dev/hda7 on /home type ext3 (rw)
$

You running a Grsecurity reinforced kernel?
Nope.

Any other non-default security measures we should know of?
None that I can think of. It is a standard Mandrake, using security level 4. Nothing out of the ordinary.

This thing really puzzles me.

OK. Try running it as "strace -v ./a.out" and post the output?

OK. Try running it as "strace -v ./a.out" and post the output?

$ strace -v ./a.out
execve("./a.out", ["./a.out"], [/* 46 vars */]) = 0
strace: exec: Permission denied
$

Doesn't really mean anything to me, but maybe you know?

Thanks a lot for your help.

Shame on me, but I ate a roast, downed a bottle of my favourite White Zinfandel, and am gettin slightly sloshed on 'ol Jameson. Is there any way you can ascertain this is due to Mandy's security level and not in-kernel restrictions? I mean, could you do something like boot to single user level (severs network connections etc), set a lower security level and try again?