Re: libauth.so.1 - nkitb-2000.7.11-0.i386.rpm fuer Suse6.1 (fwd)
Hi,

for all ppl who have problems w/ libauth, try to download + install libauth from ftp://ftp.suse.com/pub/suse/i386/6.1/suse/a1/libauth.rpm first and then install nkitb.

Bye, Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
Hi,

I try to mount my root-fs readonly. My fstab contains / ext2 (ro) and the msg during the boot process says it mounted read-only, but in fact it's not; I can cp/mv/rm files and everything. Strange thing is /boot ext2 (ro) works. Any suggestions?

regards
Nikolai
On 18-Jul-00 Nikolai Dahlem wrote:
Hi,
I try to mount my root-fs readonly. My fstab contains / ext2 (ro) and the msg during the boot process says it mounted read-only, but in fact it's not; I can cp/mv/rm files and everything. Strange thing is /boot ext2 (ro) works. Any suggestions?
/etc/fstab can only be read after / is mounted. To mount / read-only you have to use the `rdev' command (try `rdev -h'). To mount the root-fs readonly you have to use `rdev -R <kernel> 1' (or `rdev -R <kernel> 0' to mount it read/write).

HPW
On 18-Jul-00 Nikolai Dahlem wrote:
Hi,
I try to mount my root-fs readonly. My fstab contains / ext2 (ro) and the msg during the boot process says it mounted read-only, but in fact it's not; I can cp/mv/rm files and everything. Strange thing is /boot ext2 (ro) works. Any suggestions?
/etc/fstab can only be read after / is mounted. To mount / read-only you have to use the `rdev' command (try `rdev -h'). To mount the root-fs readonly you have to use `rdev -R <kernel> 1' (or `rdev -R <kernel> 0' to mount it read/write).
HPW
According to /proc/cmdline this should have been the case already. Having the kernel mount the root filesystem read-only is necessary for e2fsck to operate seamlessly.

It's another problem: /sbin/init.d/boot (the first script to run after kernel boot) reads:

mount -n -o remount,rw /

This happens regardless of the fstab entry. You have to change this manually in order for the root-fs to become read-only. Read-only root filesystems aren't very common in the Linux world, which is why it isn't generally considered a bug to not respect the fstab entry.

Thanks,
Roman Drahtmüller.

--
| Roman Drahtmüller <draht@suse.de>    "Caution: Cape does not
| SuSE GmbH - Security                  enable user to fly."
| Nürnberg, Germany                (Batman Costume warning label)
* Roman Drahtmueller wrote on Tue, Jul 18, 2000 at 14:28 +0200:
On 18-Jul-00 Nikolai Dahlem wrote:
I try to mount my root-fs readonly.
Read-only root-filesystems aren't very common in the Linux world, which is why it isn't generally considered a bug to not respect the fstab entry.
Usually it's a better idea to use a r/w mounted ramdisk, I think. One problem is that i.e. /etc/mtab needs to be written, usually. IIRC you cannot use a simple symlink here.

It would be nice if you could mail me about your results, and some experiences if you set this up in production!

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
Usually it's a better idea to use a r/w mounted ramdisk I think. One problem is, that i.e. /etc/mtab needs to be written, usually.
Yep, also the kernel needs write access to everything under /var, otherwise you won't get log messages, lock files, etc. Furthermore, /tmp quite often requires write access.

[]s,
Bráulio Gergull
Usually it's a better idea to use a r/w mounted ramdisk I think. One problem is, that i.e. /etc/mtab needs to be written, usually.
Yep, also the kernel needs write access to everything under /var, otherwise you won't get log messages, lock files, etc.
Furthermore, /tmp quite often requires write access.
Consider using LIDS. It's a lot easier to admin too.

http://www.securityportal.com/lskb/articles/kben10000021.html

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
On Tue, 18 Jul 2000, Kurt Seifried wrote:
Furthermore, /tmp quite often requires write access. Consider using LIDS. It's a lot easier to admin too.
http://www.securityportal.com/lskb/articles/kben10000021.html
SuSE users may have a look at http://www.cn.is.fh-furtwangen.de/~link/security/LIDS-SuSE.php3. My How-To is a little bit outdated, but I hope I'll have the time to update it soon. People from Germany may use the official mirror www.de.lids.org instead of www.lids.org.

Imho the biggest problem is that with 0.9.x a lot of things have changed, but the documentation wasn't updated. So I suggest reading the LIDS mailing list archives and subscribing to the list, too :-)

best regards,
Rainer Link

--
Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
* Bráulio Gergull wrote on Tue, Jul 18, 2000 at 14:23 -0300:
Usually it's a better idea to use a r/w mounted ramdisk I think. One problem is, that i.e. /etc/mtab needs to be written, usually.
Yep, also the kernel needs write access to everything under /var, otherwise [...] Furthermore, /tmp quite often requires write access.
I found that I could use symlinks for those directories; I had such a config on a server running without problems. Sometimes /var has its own partition, and so does /tmp. Another way seems to be to put symlinks /tmp and /var pointing to an "own" (r/w of course) partition, which at least decreases problems at system crashes. What do you think?

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
I found that I could use symlinks for those directories; I had such a config on a server running without problems. Sometimes /var has its own partition, and so does /tmp. Another way seems to be to put symlinks /tmp and /var pointing to an "own" (r/w of course) partition, which at least decreases problems at system crashes. What do you think?
Certainly it is also a solution. In fact for production servers I always split the system into various filesystems, not only for security reasons, but also for integrity. It's a good idea to _always_ put at least the following directories on their own filesystem:

/boot
/home
/var
/tmp
/usr
/opt

This way you can still bring your machine up if you have a corrupted filesystem. Also consider using LIDS, as Kurt already suggested.

Regards,
Bráulio Gergull
Hi,

/etc/fstab can only be read after / is mounted. To mount / read-only you have to use the `rdev' command (try `rdev -h'). To mount the root-fs readonly you have to use `rdev -R <kernel> 1' (or `rdev -R <kernel> 0' to mount it read/write).

you should also check whether a parameter given to the kernel overwrites that kernel flag, for example a line like append = rw in the lilo.conf...

---------------------------------------------------------------------
Jürgen Ellinger
Siemensstraße 44
88250 Weingarten
e-mail: ellinger@informatik.uni-tuebingen.de
        ellinger@student.uni-tuebingen.de
        ellinger@spohn.rv.bw.schule.de
Hi,

usually the root-fs is mounted read-only by the kernel itself. The init process reads fstab and mounts the filesystems according to it after checking them (see /sbin/init.d/boot for details). I don't think that you can perform any writes to an ro-mounted fs. I suppose instead that your root-fs is mounted rw. To test it use mount w/o any parameters. The output will look like this:

/dev/hda1 on / type ext2 (rw)
proc on /proc type proc (rw)
/dev/hdc5 on /home type ext2 (rw,usrquota)
devpts on /dev/pts type devpts (rw,gid=5,mode=0620)

The last field in brackets shows the mounting options. I would expect your system to show / mounted rw. So you should seek any calls to mount within the init scripts that remount / rw. The call should look like this:

mount -no remount,rw /

If you find the scripts being modified, you should check whether you have been hacked...

hope that helps!
Jürgen.

Btw: It sounds stupid, but stupid mistakes are often hard to find - is there another line below your entry "/ ext2 (ro)" that causes a second remount of your root-fs rw?

Nikolai Dahlem wrote:
Hi,
I try to mount my root-fs readonly. My fstab contains / ext2 (ro) and the msg during the boot process says it mounted read-only, but in fact it's not; I can cp/mv/rm files and everything. Strange thing is /boot ext2 (ro) works. Any suggestions?
---------------------------------------------------------------------
Jürgen Ellinger
Siemensstraße 44
88250 Weingarten
e-mail: ellinger@informatik.uni-tuebingen.de
        ellinger@student.uni-tuebingen.de
        ellinger@spohn.rv.bw.schule.de
On Tue, Jul 18, 2000 at 15:14 +0200, Juergen Ellinger wrote:
Btw: It sounds stupid, but stupid mistakes are often hard to find - is there another line below your entry "/ ext2 (ro)" that causes a second remount of your root-fs rw?
Isn't there something like 'mount -o remount,rw /' in one of the boot scripts after fsck went through without problems? Try a 'grep mount /sbin/init.d/* /etc/rc*' or something alike.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
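A small shell helper, added here and not taken from any of the posts, that automates the two checks Jürgen and Gerhard describe: read the option list of a mount point from `mount`-style output, and scan boot scripts for the `remount,rw /` call that undoes the fstab "ro" entry. The mount output and the boot script it runs on are constructed samples modelled on the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check how a mount point is mounted and
# find the boot-script line that remounts / read-write.

# Constructed sample of `mount` output, modelled on the lines quoted above,
# plus a read-only /boot like the one in the original question.
SAMPLE_MOUNTS='/dev/hda1 on / type ext2 (rw)
/dev/hda2 on /boot type ext2 (ro)
proc on /proc type proc (rw)
/dev/hdc5 on /home type ext2 (rw,usrquota)
devpts on /dev/pts type devpts (rw,gid=5,mode=0620)'

# mount_opts MOUNTPOINT   (mount output on stdin)
# Prints the bracketed option list of exactly that mount point, brackets
# stripped; prints nothing if the mount point is not present.
mount_opts() {
    awk -v mp="$1" '$3 == mp { gsub(/[()]/, "", $6); print $6 }'
}

# is_readonly MOUNTPOINT  (mount output on stdin)
# Exit status 0 if "ro" is among the options, 1 otherwise.
is_readonly() {
    opts=$(mount_opts "$1")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# find_rw_remounts FILE...
# Prints FILE:LINE for every non-comment line that remounts / read-write.
# This is the `grep mount /sbin/init.d/* /etc/rc*` idea from above, with
# comment lines and remounts of other filesystems filtered out.
find_rw_remounts() {
    awk '/^[ \t]*#/ { next }
         /mount .*remount,rw[ \t]+\/([ \t]|$)/ { print FILENAME ":" FNR }' "$@"
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE_MOUNTS" | is_readonly / && echo "/ is read-only" || echo "/ is mounted rw"
tmp=$(mktemp)
printf '%s\n' '# mount -o remount,rw /   (commented out)' \
              'mount -n -o remount,rw /' 'mount -o remount,rw /usr' > "$tmp"
find_rw_remounts "$tmp"   # constructed boot script: reports only line 2
rm -f "$tmp"
```

On a real system the first check is `mount | is_readonly /` and the second is `find_rw_remounts /sbin/init.d/* /etc/rc*`, which is where the thread says the remount lives.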
Hello,
Hi, for all ppl, who have problems w/ libauth, try to download + install libauth from ftp://ftp.suse.com/pub/suse/i386/6.1/suse/a1/libauth.rpm first and then install nkitb.
Bye, Thomas
After installing libauth and updating nkitb the ftp server does not accept shadow passwords anymore (SuSE 6.1). Now _that's_ a secure ftp server! No logins allowed ... ;-)

It works if I put my encrypted password in /etc/passwd, but is there anyone with 10 brain cells who really wants to do that?

Any ideas on getting ftp working with shadow passwords again?

BTW we have no ftp account in passwd because we don't allow anonymous ftp. But ftp worked for normal users before, maybe that's the fault? Or do I have to do some weird LD_PRELOAD stuff? Unfortunately, libauth comes with zero documentation except that the rpm info states that libauth actually honours /etc/shadow.

On the other hand, this is another argument to convince our users not to use ftp and switch to scp instead ... ;-)

Regards, ML

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Tel.: +49-251-83-33557   Fax: +49-251-83-39083
E-Mail (work): lewelin@uni-muenster.de
Hi,
for all ppl, who have problems w/ libauth, try to download + install libauth from ftp://ftp.suse.com/pub/suse/i386/6.1/suse/a1/libauth.rpm first and then install nkitb.
Bye, Thomas
After installing libauth and updating nkitb the ftp server does not accept shadow passwords anymore (SuSE 6.1). Now _that's_ a secure ftp server! No logins allowed ... ;-)
It works if I put my encrypted password in /etc/passwd, but is there anyone with 10 brain cells who really wants to do that?
Any ideas on getting ftp working with shadow passwords again?
I'll forward this to the maintainer. I hope he knows how to solve the problem.
BTW we have no ftp account in passwd because we don't allow anonymous ftp. But ftp worked for normal users before, maybe that's the fault? Or do I have to do some weird LD_PRELOAD stuff? Unfortunately, libauth comes with zero documentation except that the rpm info states that libauth actually honours /etc/shadow.
Hm, did you execute ldconfig after installing the lib?
On the other hand, this is another argument to convince our users not to use ftp and switch to scp instead ... ;-)
;)

Bye, Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47