Hello,

After solving numerous troubles I had ( former postings all problems solved
in one or another way, thank you all very much ) I found that I am able to
read and edit /etc/passwd as a normal user. Actually, all permissions seem
to be of the same security level as Windows, aka: Guest may format
everything.

On SuSE there is a tool to set permissions globally, which changes the
permissions according to several security levels ( changing SUID on many
files, setting some more read and / or write bits on numerous files ) , is
there a similar solution for Debian? I'm not looking forward checking 25k
files for their permissions!
--
Sincerely

Ruediger

[ Post a follow-up to this message ]

Ruediger writes:
> I found that I am able to read and edit /etc/passwd as a normal
> user. Actually, all permissions seem to be of the same security level as
> Windows, aka: Guest may format everything.

If I understand you correctly (I know little about Microsoft Windows) root
must have run 'chmod -R a+rw /'.

> On SuSE there is a tool to set permissions globally, which changes the
> permissions according to several security levels ( changing SUID on many
> files, setting some more read and / or write bits on numerous files ) ,
> is there a similar solution for Debian?

There are tools that check permissions on some sensitive files, but none
that I know of that fix everything.
--
John Hasler

[ Post a follow-up to this message ]

On Tuesday 01 March, Ruediger wrote in alt.os.linux.debian:

> Hello,

> After solving numerous troubles I had ( former postings all problems solve
d
> in one or another way, thank you all very much ) I found that I am able to
> read and edit /etc/passwd as a normal user.

You ought to be able to read it as a normal user but not modify it.

[~]$ ls -l /etc/passwd
-rw-r--r--  1 root root 1300 2005-02-17 22:55 /etc/passwd

> Actually, all permissions seem
> to be of the same security level as Windows, aka: Guest may format
> everything.

> On SuSE there is a tool to set permissions globally, which changes the
> permissions according to several security levels ( changing SUID on many
> files, setting some more read and / or write bits on numerous files ) , is
> there a similar solution for Debian? I'm not looking forward checking 25k
> files for their permissions!

You could try using a tool such as bastille, but it isn't guaranteed
to find every problem.

PJR :-)
--
alt.usenet.kooks award-winners and FAQ:
http://www.insurgent.org/~kook-faq/

[To reply by email, remove "NOSPAM".]

[ Post a follow-up to this message ]

On Tue, 01 Mar 2005 15:58:33 +0100, Ruediger wrote:

> Hello,
>
> After solving numerous troubles I had ( former postings all problems solve
d
> in one or another way, thank you all very much ) I found that I am able to
> read and edit /etc/passwd as a normal user.

Hello,

/etc/passwd readable by anyone is OK with me. Being writable by anyone is
a huge security hole, as anyone can understand.

I don't know how you got in this situation, but correct permissons for
/etc/passwd are:
-rw-r--r--  1 root root
so the best advice I can give you is: chown root:root/etc/passwd ; chmod
644 /etc/passwd .
BTW, you should also chec /etc/shadow: -rw-r-----  1 root shadow on sarge
( -rw------- would look right to me)


Best regards,
Schott

[ Post a follow-up to this message ]

On Tue, Mar 01 2005, Ruediger wrote:

> Hello,
>
> After solving numerous troubles I had ( former postings all problems
> solved in one or another way, thank you all very much ) I found that I
> am able to read and edit /etc/passwd as a normal user. Actually, all
> permissions seem to be of the same security level as Windows, aka:
> Guest may format everything.

Then you have a potential security nightmare.

> On SuSE there is a tool to set permissions globally, which changes the
> permissions according to several security levels ( changing SUID on
> many files, setting some more read and / or write bits on numerous
> files ) , is there a similar solution for Debian? I'm not looking
> forward checking 25k files for their permissions!

You can install tiger, which will perform a security audit of your
machine. I'm not aware of any tool which will reset perms on a global
basis.
--
Neil Woods <cnw+usenet@pobox.com>
/* The Unixverse ends on Tue, 19 Jan 2038 03:14:07 +0000 */

[ Post a follow-up to this message ]