Switching security levels under Mandrake

Patrick Bloy

Switching security levels under Mandrake

#1 Post by Patrick Bloy »

Hello,

I recently switched from SuSE to Mandrake (8.1) (and a little earlier from Windows98 to SuSE ;) ), and now have
the following problem:

whenever I try to change the security level in any way in the Mandrake Control Center,
it always jumps back to the lowest one (cracker playground).
Is there any way to make the changes manually?
What exactly are these security levels, anyway? [ ;) ]

Thanks in advance!

Regards
Patrick

gewitter
Posts: 1354
Joined: 09. Apr 2001 9:03

Re: Switching security levels under Mandrake

#2 Post by gewitter »

I also always tried in vain to use this feature on Mandrake, but somehow this distribution is cobbled together at this point.

In general, the following can be said:

If certain services may only be used by root and the permissions of some files are changed accordingly, security increases to the same degree as the restrictions increase. The interpretation of what is important and what is not is probably not the same across all distributions. I am currently using SuSE 7.3 and will post the file /etc/permissions.secure for you, from which you can see which files have which permissions at high security. Compare it with your services and use the script to change them, or wait for a bugfix, although I would not be too hopeful there, because this did not work properly in Mandrake 7.2 either. I could also put the other SuSE 7.3 security levels in here; with a small script your function could be made to work. You would only have to change the locations of the files.

# /etc/permissions.secure
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.secure is designed for the use in a multi-user and
# networked installation. Most privileged file modes are disabled here.
# Many programs that still have their suid- or sgid-modes have had their
# security problems in the past already.
# The primary target of this configuration is to make the basic things
# such as changing passwords, the basic networking programs as well as
# some of the all-day work programs properly function for the unprivileged
# user. The dial-out packages are executable for users belonging to the
# "dialout" group - therefore, these users are to be treated "privileged".
# Packages such as (remote-) batch queueing systems, games, programs for
# the linux text console, everything linked against OOP libraries and
# most other exotic utilities are turned into unprivileged binary files
# in order for them not to cause any security problems if one or more of
# the programs turn out to have buffer overruns or otherwise locally
# exploitable programming errors.
# This file is not designed to make your system as closed and as restrictive
# as at all possible. In many cases, restricted access to a configuration
# file is of no use since the data used can be obtained from the /proc file
# system or interface configuration as well. Also, system programs such as
# /sbin/ifconfig or /sbin/route are not changed because nosey users can
# bring their own. "Security by obscurity" will add any significant
# security-related advantage to the system. Keep in mind that curiosity
# is a major motivation for your users to try to see behind the curtain.
#
# If you need the functionality of a program that usually runs as a
# privileged user, then use it as root, or, if you are not root, ask your
# system administrator for advice. In many cases, adding a user to the
# "trusted" group gives her access to the resources that are not accessible
# any more if the admin chose to select "secure" as the permissions default.
#
# Please make use of the diff program to see the differences between the
# permissions.easy and permissions.secure files if things don't work as
# they should and you suspect a permission or privilege problem.
# The word "easy" is a reference for the /etc/permissions.easy file.
#
# As usual, these settings are "suggested". If you feel so inclined,
# please feel free to change the modes in this files, but keep a log
# of your changes for future reference.

# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.

#
# Directories
#
# closed:
/usr/postgres/data/base postgres.daemon 700
/usr/postgres/data/files postgres.daemon 750
/usr/lib/ircd irc.root 700
# No games:
/var/X11R6/scores root.root 0750
/var/catman man.root 755
/var/cron root.root 700
/var/spool/cron root.root 700
/var/cron/tabs root.root 700
/var/spool/cron/tabs root.root 700
/var/lib/gdm gdm.shadow 750
/var/lib/xdm/authdir root.root 700
/var/lib/xdm/authdir/authfiles root.root 700
/var/lock root.uucp 775
# closed; see "easy"
/var/man2html root.root 0755
# no lock files for emacs:
/var/state/emacs/lock root.trusted 1775
/var/state/xemacs/lock root.trusted 1775
/var/squid squid.root 755
/var/squid/cache squid.root 755
/var/squid/logs squid.root 755
/var/run/smpppd root.dialout 750
/var/lib/smpppd root.root 700

#
# /etc
#
/etc/crontab root.root 600
/etc/exports root.root 644
/etc/fstab root.root 644
/etc/ftpaccess root.root 644
/etc/ftpconversions root.root 644
/etc/ftpusers root.root 640
/etc/HOSTNAME root.root 644
/etc/hosts root.root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root.root 644
/etc/hosts.deny root.root 644
/etc/hosts.equiv root.root 644
/etc/hosts.lpd root.root 644
/etc/inetd.conf root.root 644
/etc/inittab root.root 644
/etc/issue root.root 644
/etc/issue.net root.root 644
/etc/ld.so.conf root.root 644
/etc/ld.so.cache root.root 644
/etc/login.defs root.root 644
/etc/motd root.root 644
/etc/mtab root.root 644
/etc/rmtab root.root 644
/etc/opiekeys root.root 600
/etc/ppp root.dialout 750
/etc/ppp/chap-secrets root.root 600
/etc/ppp/pap-secrets root.root 600
/etc/pppoed.conf root.root 600
/etc/smpppd.conf root.root 600
/etc/smpppd-c.conf root.dialout 640
/etc/services root.root 644
# changing the global ssh client configuration makes it unreadable
# and therefore useless. Keep in mind that users can bring their own client!
/etc/ssh_config root.root 644
/etc/sshd_config root.root 640
/etc/ssh_host_key.pub root.root 644
/etc/ssh_host_key root.root 600
/etc/ssh_random_seed root.root 600
/etc/ssh_known_hosts root.root 644
/etc/ssh/ssh_host_key root.root 600
/etc/ssh/ssh_host_key.pub root.root 644
/etc/ssh/ssh_random_seed root.root 600
/etc/ssh/ssh_config root.root 644
/etc/ssh/sshd_config root.root 640
/etc/syslog.conf root.root 600
/etc/termcap root.root 644

#
# suid system programs that need the suid bit to work:
#
/bin/su root.root 4755
/usr/bin/su1 root.root 0711
# disable at and cron for users that do not belong to the group "trusted"
/usr/bin/at root.trusted 4750
/usr/bin/crontab root.trusted 4750
/usr/bin/gpasswd root.trusted 4750
/usr/bin/newgrp root.root 4755
/usr/bin/passwd root.shadow 4755
/usr/bin/chfn root.shadow 4755
/usr/bin/chage root.shadow 4755
/usr/bin/chsh root.shadow 4755
/usr/bin/expiry root.shadow 4755
# opie password system
/bin/opiepasswd root.root 4755
/bin/opiesu root.root 4755
# NIS+: "trusted" only.
/usr/bin/chkey root.trusted 4750
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root.root 4755
/usr/sbin/suexec root.root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root.trusted 4750
/usr/bin/ncpumount root.trusted 4755
# mount/umount have had their problems already:
/bin/mount root.root 4755
/bin/umount root.root 4755
/usr/bin/ziptool root.trusted 4750
/bin/eject root.audio 4750
# sendmail calls the wrapper as daemon.daemon:
/usr/lib/majordomo/wrapper root.daemon 4750
/usr/lib/pt_chown root.root 4755
/sbin/pwdb_chkpwd root.shadow 2755
/sbin/unix_chkpwd root.shadow 2755

#
# log files that do not grow remarkably
#
/var/log/faillog root.root 600
/var/log/lastlog root.tty 644

#
# mixed section: most of it is disabled in this permissions.secure:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES root.root 755
/usr/src/packages/BUILD root.root 755
/usr/src/packages/RPMS root.root 755
/usr/src/packages/SPECS root.root 755
/usr/src/packages/SRPMS root.root 755
#
/opt/score/deploy/bin.linux-suse/scremote.exe root.root 4755
/opt/score/bin/bin.linux-suse/scrun.exe root.root 4755
# mostly from series beo:
# see customs(8), export(1) and pmake(1)
/usr/bin/pmake root.root 0755
/usr/bin/export root.root 0755
/usr/bin/make root.root 0755
# Portable Batch System (PBS) (beo)
/usr/sbin/pbs_rcp root.root 0755
/usr/sbin/pbs_iff root.root 0755
# queue (beo)
/usr/bin/queue root.root 0755
# clusterit (beo)
/usr/bin/dsh root.root 0755
# dqs:
/usr/bin/qmod root.root 0755
/usr/bin/dqs_options root.root 0755
/usr/bin/qconf root.root 0755
# wants root for realtime scheduling policy class
# we better let it complain - on an idle machine it has no effect anyway.
/opt/rtsynth/RTSynth root.root 0755
# same here: package muse
/usr/bin/muse root.root 0755
# AX.25, NETROM, ROSE and TCP node frontend
/usr/sbin/node root.root 0755
#########################################################################
# executor, Mac-simulator:
/opt/executor/bin/executor-demo-svga root.root 0755
# Amiga-emulator
/usr/bin/suae root.root 0755
# stonx: atari emulator, svgalib:
/usr/bin/sstonx root.root 0755
# atari800 emulator
/usr/bin/atari800 root.root 0755
# z81 emulator
/usr/bin/z81txt root.root 0511
# package adamem (Z80 based ColecoVision and ColecoADAM emulator)
/usr/X11R6/lib/adamem/cvem root.root 0755
/usr/X11R6/lib/adamem/adamem root.root 0755
/usr/X11R6/bin/v4l-conf root.video 0755
# vmware
/usr/bin/vmware.bin root.trusted 4750
/usr/bin/vmware-ping root.root 4750
# iBCS2 binary emulator
/shlib/protlib_s.emu root.root 755
/shlib/protlib_s.debug root.root 755
/shlib/libnsl_s.emu root.root 755
/shlib/libnsl_s.debug root.root 755
#########################################################################
# netatalk printer daemon:
/usr/sbin/papd root.lp 2755
# package cysched:
/opt/synchronize/linux/bin/synchrod root.root 0755
/opt/synchronize/linux/bin/websyncd root.root 0755
# scotty:
/usr/bin/ntping root.trusted 4750
/usr/bin/straps root.trusted 0755
/sbin/cardctl root.trusted 4750
# use it as root if you must:
/usr/X11R6/bin/dga root.root 0755
/usr/X11R6/bin/xlock root.shadow 2755
# don't link sgid shadow program against complex G/X libs.
# xlock must not crash. Disabled xlock-mesa.
/usr/X11R6/bin/xlock-mesa root.shadow 0755
/usr/X11R6/bin/xscreensaver root.shadow 2755
# This is not extensively tested.
/usr/bin/vlock root.shadow 0755
/usr/X11R6/bin/XFree86 root.root 4711
/usr/X11R6/bin/Xwrapper root.root 4755
/usr/X11R6/bin/xemacs root.root 0755
/usr/bin/emacs root.root 0755
/usr/bin/man root.root 4755
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root.tty 0755
/usr/bin/write root.tty 0755
# linked against libncurses. Shouldn't be suid root.
# in this case: better suid root than sgid disk because
# gid disk privileges can't be dispensed without root.
/usr/X11R6/lib/X11/xmcd/bin-Linux-i386/cda root.root 0755
/usr/X11R6/lib/X11/xmcd/bin-Linux-i386/xmcd root.root 0755
# linked against svgalib. Make it suid root if you want users to be
# able to use xaos on the console or keep it safe as this:
/usr/bin/xaos root.root 0755
# needs suid root for console font switches:
/usr/bin/kon.bin root.trusted 4750
# thttpd: sgid + executable only for group wwwadmin. Useless...
/usr/bin/makeweb root.wwwadmin 2750
# i4l package:
/usr/sbin/isdnbutton root.trusted 4750
/usr/bin/vboxbeep root.trusted 4750
# ham series, package wampes: Disabled suid root
/usr/bin/bbs root.root 0755
# ham series, package dpbox
/usr/bin/dpgate dpbox.localham 4755
# sane package: disabled suid root.
/usr/bin/as6edriver root.root 0755
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root.uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root.trusted 4750
# dvisvga package: disabled suid root (for libvga)
/usr/bin/dvisvga root.root 0755
# maildrop package: change the permissions to the default from the
# rpm package (6755) if you have to use it. Default to deliver mails
# on a SuSE system is procmail.
/usr/bin/maildrop root.mail 0755
/usr/bin/dotlock root.mail 0755
# video editor. package mainactr, series pay
/opt/MainActor/MainActor root.root 0755
/opt/MainActor/MainView root.root 0755
# override package modes: lpc does not need to be suid root
# for users:
/usr/bin/lpc root.root 755
# disabled by default in SuSE distributions: make it 4755 if you need it.
/usr/bin/suidperl root.root 0755
# also disabled (libforms, libX11) reenable it by setting it 4755:
/usr/X11R6/bin/cardinfo root.root 0755
# if smail is installed:
/usr/sbin/smail root.root 6555
# phoenix, commercial package
# The package won't work with these files closed.
/usr/lib/phoenix/License root.root 644
/usr/lib/phoenix/basic/address.txt root.root 644

#
# networking (need root for the privileged socket)
#
/bin/ping root.root 4755
/bin/ping6 root.root 4755
/usr/bin/bing root.trusted 4750
/usr/sbin/traceroute root.root 4755
/usr/sbin/traceroute6 root.root
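
The "small script" idea from the reply above, as an added example that is not part of the original posts and not SuSE's or Mandrake's own tooling: a read-only check that parses lines in the `path owner.group mode` format and reports files whose on-disk mode differs from the list, flagging set-id bits the list does not grant. The names `parse_permissions`, `audit_modes` and the `root` parameter are assumptions, ownership is not compared, and the sample lines are constructed from entries in the posted file.

```python
import os
import stat

# Constructed sample in the format of the file posted above; the last
# entry lacks its mode field, as the final line of the post does.
SAMPLE = """\
# networking
/bin/ping root.root 4755
/usr/bin/wall root.tty 0755
/usr/bin/at root.trusted 4750
/usr/sbin/traceroute6 root.root
"""

PRIV_BITS = stat.S_ISUID | stat.S_ISGID

def parse_permissions(text):
    """Return (entries, malformed); entries are (path, owner, group, mode)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        try:
            path, owner_group, mode = line.split()  # exactly three fields
            owner, group = owner_group.split(".", 1)
            entries.append((path, owner, group, int(mode, 8)))
        except ValueError:                          # missing field or bad octal
            malformed.append((lineno, line))
    return entries, malformed

def audit_modes(entries, root="/"):
    """Compare listed modes with the modes on disk; changes nothing."""
    findings = []
    for path, _owner, _group, want in entries:
        try:
            st = os.lstat(os.path.join(root, path.lstrip("/")))
        except OSError:
            continue                                # not installed or not readable
        if stat.S_ISLNK(st.st_mode):
            continue                                # a symlink's own mode means nothing
        have = stat.S_IMODE(st.st_mode)
        if have != want:
            # True when the file carries a set-id bit the list does not grant
            unlisted_setid = bool(have & ~want & PRIV_BITS)
            findings.append((path, oct(have), oct(want), unlisted_setid))
    return findings

if __name__ == "__main__":
    entries, malformed = parse_permissions(SAMPLE)
    print(audit_modes(entries), "skipped:", malformed)
```

Lines that do not parse are returned separately rather than guessed at, so an incomplete entry never turns into a mode comparison.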
