Hi
Got a problem with an SuSE 8.1 server which is running in console mode. No X-windows. After running harden_suse I find that I cannot change the password and log back in again.
I followed Roman Drahtmueller's advice which appeared on the SuSE security list back on the 9th of October last year....
Please "touch /etc/rc.config" to work around this. This is a bug - depending on the selection of packages on your system it can happen that said file does not exist any more. It slipped through last time.
This worked for me and I was able to run ./harden_suse. However, on re-booting I now find that I can't log back in again. The password is rejected and if I become a user and then try to do 'su root' I find that once again the root password is rejected.
Looking in /var/log/messages I see that my login messages which tell me that someone has tried to login reveal this ....
"cannot open login.defs [Permission denied]"
Anyone suggest a way out of this ? Perhaps I need to remove harden_suse and start again ?
--
Thanks
Richard
www.sheflug.co.uk

Hello,
just an idea.... Try to use su like this: "su -"
Maybe the harden_suse script has taken the suid bit of su, passwd and on?
Christian

Richard Ibbotson wrote:
Hi
Got a problem with an SuSE 8.1 server which is running in console mode. No X-windows. After running harden_suse I find that I cannot change the password and log back in again.
I followed Roman Drahtmueller's advice which appeared on the SuSE security list back on the 9th of October last year....
Please "touch /etc/rc.config" to work around this. This is a bug - depending on the selection of packages on your system it can happen that said file does not exist any more. It slipped through last time.
This worked for me and I was able to run ./harden_suse. However, on re-booting I now find that I can't log back in again. The password is rejected and if I become a user and then try to do 'su root' I find that once again the root password is rejected.
Looking in /var/log/messages I see that my login messages which tell me that someone has tried to login reveal this ....
"cannot open login.defs [Permission denied]"
Anyone suggest a way out of this ? Perhaps I need to remove harden_suse and start again ?
Hi
just an idea.... Try to use su like this: "su -"
Hmm.... no. Doesn't want to play.
It seems that after installing harden_suse that permissions have been set as paranoid. Not something that I selected. At least.... if I look in YaST2 under permissions settings it says "paranoid". I've reset this to "secure" with YaST2 - probably something that I shouldn't do - and now I can log in once again.
Very strange :)
Of course, the problem now is ... having reset the permissions with YaST2 have I undone the work of harden_suse ? Can't work that one out :)
--
Thanks
Richard

Hi,
I think you're right... You have undone the work of harden_suse.. ;-)
If you launch the diff:
#> diff -y permissions.paranoid permissions.secure | grep '/bin/su'
you can see that the su binary loses the SUID bit. Without that, you will not be able to switch to another user, 'cause you can't run the su with root rights. If you start su, it's running with the user rights of your account and you will not have access to the file /etc/login.defs.
--> ls -lan /etc/login.defs tells me that only root has read and write access. All others will be denied.
So if you need the /bin/su, I think you have to change the /bin/su entry in the permissions.paranoid file to something like 4755. I would suggest to reset the permissions to paranoid and change the config file for this mode...
Christian

Richard Ibbotson wrote:
Hi
just an idea.... Try to use su like this: "su -"
Hmm.... no. Doesn't want to play.
It seems that after installing harden_suse that permissions have been set as paranoid. Not something that I selected. At least.... if I look in YaST2 under permissions settings it says "paranoid". I've reset this to "secure" with YaST2 - probably something that I shouldn't do - and now I can log in once again.
Very strange :)
Of course, the problem now is ... having reset the permissions with YaST2 have I undone the work of harden_suse ? Can't work that one out :)
* Richard Ibbotson wrote on Fri, Jan 31, 2003 at 18:50 +0000:
look in YaST2 under permissions settings it says "paranoid". I've reset this to "secure" with YaST2 - probably something that I shouldn't do - and now I can log in once again.
Of course, the problem now is ... having reset the permissions with YaST2 have I undone the work of harden_suse ?
One thing that harden_suse seems to do (I do not know, but surely you'll find it in the documentation :)), is to disable "su" by using the paranoid permission set. That step you reverted, which isn't that bad, since you need "su". Of course security vs. functionality has to be decided in some individual way, depending on your needs; harden_suse cannot know about it. All we do is risk management.
oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.

It's not a good idea to edit /etc/permissions.paranoid, your changes will probably disappear next time you upgrade, and maybe even if you just install a patch. Much better to edit /etc/permissions.local, that's what it is there for.
Bob

On Fri, 31 Jan 2003, ce-em wrote:
So if you need the /bin/su, I think you have to change the /bin/su entry in the permissions.paranoid file to something like 4755.
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
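
Added example, not part of any post in this thread: a generalisation of the diff/grep check for /bin/su discussed above that lists every path where a stricter permissions profile removes a setuid or setgid bit, and reports whether a local override file restores it. The line format (path, owner:group, octal mode), the helper names and the sample profiles are assumptions constructed for illustration, not copied from a SuSE system.

```shell
#!/bin/sh
# Assumed profile line format: <path> <owner:group> <octal mode>; '#' = comment.

# special_bits_dropped STRICT LOOSE (hypothetical helper)
# Prints "path loose_mode strict_mode" where STRICT removes a setuid or
# setgid bit that LOOSE grants.
special_bits_dropped() {
    awk '
        function suid(m) { return length(m) >= 4 ? int(substr(m, length(m) - 3, 1) / 4) % 2 : 0 }
        function sgid(m) { return length(m) >= 4 ? int(substr(m, length(m) - 3, 1) / 2) % 2 : 0 }
        /^[ \t]*(#|$)/ || NF < 3 { next }      # comments, blanks, malformed lines
        role == "strict" { strict[$1] = $3; next }
        ($1 in strict) && ((suid($3) && !suid(strict[$1])) || (sgid($3) && !sgid(strict[$1]))) {
            print $1, $3, strict[$1]
        }
    ' role=strict "$1" role=loose "$2"
}

# local_mode LOCAL PATH (hypothetical helper)
# Prints the mode a local override file sets for PATH; fails if there is none.
local_mode() {
    awk -v p="$2" '$1 == p && NF >= 3 { m = $3 } END { if (m == "") exit 1; print m }' "$1"
}

# Constructed sample profiles standing in for the paranoid, secure and local files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/paranoid" <<'EOF'
/bin/su          root:root   0755
/etc/login.defs  root:root   0600
/usr/bin/passwd  root:shadow 0755
EOF
cat > "$demo_dir/secure" <<'EOF'
/bin/su          root:root   4755
/etc/login.defs  root:root   0600
/usr/bin/passwd  root:shadow 4755
EOF
cat > "$demo_dir/local" <<'EOF'
# constructed site override: keep su usable under the strict profile
/bin/su          root:root   4755
EOF

special_bits_dropped "$demo_dir/paranoid" "$demo_dir/secure" |
while read -r path loose strict; do
    if override=$(local_mode "$demo_dir/local" "$path"); then
        echo "$path: $loose -> $strict, local override sets $override"
    else
        echo "$path: $loose -> $strict, no local override"
    fi
done
```

Reviewing this list before switching profiles shows which setuid programs will stop working and which of them a deliberate local override keeps.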
participants (4)
- Bob Vickers
- ce-em
- Richard Ibbotson
- Steffen Dettmer