Re: [suse-security] harden_suse & gdm

Actually what I remember is that on some systems gdm needs to be suid root in order to run. On Wed, 26 Jul 2000, Roman Drahtmueller wrote:

Date: Wed, 26 Jul 2000 15:26:36 +0200 (MEST) From: Roman Drahtmueller To: Stephen nyc Cc: suse-security Subject: Re: [suse-security] harden_suse & gdm

Stephen,

It would be useful to know if the system is accessible if you run xdm or kdm instead of gdm. Unfortunately, I can't reproduce your problem right now.

Most liklely, the origin of the failure comes out of one or two corners:

1) a permission problem. You would have to strace or ltrace the binary to get more details (maybe the process changes euid and runs into a closed device file). Insert `strace -f -o /strace.gdm� before the "startproc" in /sbin/init.d/xdm. (kill the process with an atjob or alike to regain control again!)

2) a locale problem, or a mixture with 1). Since the thing works with gdm ran as root, the profile settings in one or more of /etc/rc.status, /etc/rc.config, /etc/SuSEconfig/profile may be the culprit.

If nothing helps, comment out line 29 in /sbin/init.d/xdm (which reads like "export $var") and see what it does.

Thanks, Roman. -- - - | Roman Drahtm�ller "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | N�rnberg, Germany (Batman Costume warning label) | - -

...

Folks -

I ran the harden suse scripts today and have run into a little problem with gdm.

System is clean suse 6.4 install, clean helix-gnome 1.2 install. run level 3 booted to gdm login window.

Before running the harden script (options y y y y n n y n y y - modified workstation) on startup I would get the gdm login window. I could switch back to console 1, and log in either way.

Now I boot to the gdm login window - it accepts no keyboard inputs, making it impossible to login or change consoles.

Interestingly enough, now that it is disabled, I can run gdm fine from a root login and behavior is as expected.

This probably has something to do with some of the permission resets and that gdm can access the keyboard - can someone point me in the right direction for repairing this, or help me understand the benefit of this behavior.

Thanks.

- Steve

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Noah ksemat@eahd.or.ug