Hi,
I installed Gnome 2.4 on my Mandrake 9.1 system with Garnome. Everything went well, but every time I boot my computer something changes my self-made session script in /etc/X11/gdm/Sessions/ from an executable file into a non-executable one, so it is not shown in the gdm graphical session menu. This happens during the boot process, so if I want to start Garnome, I have to log in and chmod it into an executable, log out and log in to Garnome... Searching, I found these in the syslogs:
gdmgreeter[1743]: Wrong permissions on /etc/X11/gdm/Sessions//Garnome. Should be readable/executable for all.
gconfd (abuser-2048): Resolved address "xml:readonly:/usr/share/garnome/etc/gconf/gconf.xml.mandatory" to a read-only config source at position 0
gconfd (abuser-2048): Resolved address "xml:readonly:/usr/share/garnome/etc/gconf/gconf.xml.defaults" to a read-only config source at position 2 !
What changes the permissions and how can I stop it??
Since it's Mandrake, you're probably running into msec which is a security lock-down program for Mandrake. The settings are stored in /usr/share/msec (IIRC), but you should in theory be able to modify them through the Mandrake Control Panel.
Basically it's a set of file and resource permissions, and session settings that are checked at set intervals and "corrected" if they aren't what the database says they should be. msec is actually a very useful tool, but it can be very confusing if you don't realize it's running or how to configure it.
Thanks for the reply.
I found msec and altered the local config (I did it through the terminal, but it's also possible to do it via the control panel).
After adding the rule for my Garnome-script, I ran msec 3 to test if it works, and it did!! Then I booted my pc and something still changed the script into a non-executable >( . I even tried to change the contents of my GNOME-script in the Sessions folder in order to make it boot Garnome, but when I booted something changed the contents back to the original....
What is it that keeps changing them back??
Or how could I start msec during boot, so that it would change the permissions again?
Yes, I am quite sure it is set on level 3 (at least that's what the Control Panel tells me). But that shouldn't matter, because I understood from the man pages that msec takes the user-defined file rules from a separate file (if I remember right, the name of the file was /etc/security/msec/local.perm) and those rules overwrite all the other rules for the files mentioned. I checked the file and it did contain the files I defined, and by running msec, I saw that they worked.
I also tried changing msec into the lowest security level, but it didn't help..
msec is not in the list of services to be started during boot. Could I add it there? If it was there I could change my permissions back to the right ones before gdm fires up. It would be a lazy solution, though. Something would still be changing the file permissions against my will; msec would just be there to counter-spell it.
Despite the custom settings I add (i.e., making sure my movie/audio players can access /dev/mixer-dsp-midi), msec just ignores them--and I'm on security level ONE! I'm tempted to just go to security level 0...but not sure if that's a good idea...I need help!
When I try to access the file /usr/share/msec/perm.1 the terminal window freezes up...
There's got to be a better way without shutting msec down!
I'm happy now. msec is not troubling me anymore, because I switched to Gentoo. In Gentoo I ran into the same kind of problem that you have, Quasaur. The solution was to change pam policies. See man pam for more info.
Basically I just removed one line in the configuration file (console.perms, I don't remember where it was.. somewhere under /etc anyway) and chmodded the /dev/dir I needed (which was for the nvidia card) to 0660.
Thanks...I'm going to try your advice--but tell me: why do I need both pam AND msec? Are they doing the same job or taking care of different aspects of the security on my system? What would happen to msec if I uninstalled pam...or vice versa?
What if I got rid of both of them?...or just msec?
Msec is useful to have around, I guess. It keeps your system a bit more safe, but also "cramps your style" if you don't know how to adjust it. IMHO and experience you shouldn't remove any components you haven't chosen as extra during install, or components you haven't installed yourself.
OK.. have you tried executing msec after you set the custom permissions? On my ex-Mandrake I found out that by setting the permissions, and then running msec in the terminal window, I got the permissions right. BUT when I rebooted something changed my permissions into the wrong ones again.
IF your permissions change to the correct ones after you run msec, you can be quite sure that there is something else screwing with your permissions during boot time (so msec is probably not the one to blame). You also know that your msec permissions file is working.
IF it doesn't work then you should try to open the perm file in text mode and see if it has the needed customizations done with drakperm in it. (I never trusted the Mandrake control panel progs... e.g. the hard-disk partitioner claims to be able to create ext3 filesystems, but in my case it only f*cked up my partitions. The problem was solved by using good ol' command-line mke2fs.)
This is an odd and irritating problem. I even sent a question to the Mandrake support forum a month ago, and no reply...
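Added example, not part of the thread and not msec's own code: a small read-only checker that compares files against a permissions rules file, to show the "database of expected permissions" idea discussed above and to tell whether a file has drifted after a reboot. The three-column rule layout (`path owner.group mode`) and the `current` keyword are assumptions made for this sketch, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: report files whose owner/mode differ from a rules file.
# Assumed rule layout, one rule per line:  <path> <owner.group> <octal mode>
# Assumption: "current" in a column means "do not check this attribute".
# Modes are compared as written (use 755, not 0755). Nothing is modified.

# check_perms RULES_FILE
# Prints one line per rule:
#   OK <path>
#   MISSING <path>
#   DRIFT <path> want=<owner.group>/<mode> have=<owner.group>/<mode>
# Returns 0 if every rule matches, 1 otherwise.
check_perms() {
    rules=$1
    rc=0
    while read -r path owner mode _; do
        # Skip blank lines and comments.
        case $path in
            ''|'#'*) continue ;;
        esac
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        # GNU stat: %U.%G is owner.group, %a is the octal mode.
        have_owner=$(stat -c '%U.%G' "$path")
        have_mode=$(stat -c '%a' "$path")
        # "current" disables the check for that column.
        [ "$owner" = current ] && owner=$have_owner
        [ "$mode" = current ] && mode=$have_mode
        if [ "$owner" = "$have_owner" ] && [ "$mode" = "$have_mode" ]; then
            echo "OK $path"
        else
            echo "DRIFT $path want=$owner/$mode have=$have_owner/$have_mode"
            rc=1
        fi
    done < "$rules"
    return $rc
}

# Usage (rules file path is whatever file holds your expected permissions):
#   check_perms /path/to/rules
```

Running the check right after setting the permissions and again after a reboot shows whether the file drifted in between, without changing anything itself.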