SUMMARY: /usr permissions

From: Richard Butler (rbutler@ibc.rm.cnr.it)
Date: Mon Sep 13 1999 - 09:30:52 CDT


   The general opinion was that there is no need for /usr to be
group-writable and many reasons why it should not be. Even the
sub-directories under /usr can have group-write permission turned off
without problems. This solved my problem with sendmail - the alternative
was to turn off the security check in sendmail with DontBlameSendmail or
to alter user home directories on various SGI machines where
/usr/people/xxx is the default.

   The problem remains that permissions on /usr and other directories will
be turned back to the default group-writable if/when I install new
packages or patches. I need to get into the habit of checking these after
installs, or modifying the pkgmap files each time or, which seems to me
the best answer for various reasons, to run Casper Dik's fixmodes
script at regular intervals and after installs. This script is also part
of the general security package Titan from www.fish.com/security/titan.

Thanks to:
 "Kruse, Jason K." <jason.kruse@teldta.com>
 Timothy Lindgren <Timothy_Lindgren@enron.com>
 Joseph Kwan <jkwan@ampersand.jpl.nasa.gov>
 Bunny Pfau <bunny@hao.ucar.edu>
 Kevin Hildebrand <kevin@Glue.umd.edu>

Original question below.

======================================================================
Richard H. Butler                     tel. +39-06-90091-265
Cell Biology Institute, C.N.R.             +39-06-9003122
via Ramarini, 32                      fax. +39-06-90091-260
Monterotondo Scalo (RM)
00016 Italy                           rbutler@ibc.rm.cnr.it
======================================================================

Dear all,

  Ultra E450, Sol. 2.6 + recommended patches, sendmail 8.9.3

  After upgrading sendmail several months ago, I apparently broke
forwarding to a number of users. The reason is that, although the users'
home directories are in /export/home and /export, /export/home,
/export/home/user1 etc. are not group-writable, these particular users are
registered in my NIS database as home directories /usr/people (the NIS
master is an SGI and they have home directories for other uses on these
machines). To resolve this I had a link in /usr, /usr/people -> /export/home,
and it all worked, but /usr was group writable by the sys group (default).

  My quick solution was to change the permissions on /usr to:
root sys drwxr-xr-x (from drwxrwxr-x)

  and this works, but I have doubts that a search in the Answerbook,
sunman archives etc. has not resolved:

     have I broken something else? i.e. is there a good reason why /usr was
writable by the sys group?

     if I install some new package or patch am I likely to have the /usr
permissions put back to drwxrwxr-x, breaking forwarding again if I don't
notice and putting me back in the XXXXX (one of the damaged users was a
VIP!)?

  The alternative is a lot of work on the NIS database and various
machines (where I don't always have root access) to change user
directories and/or put in links of the type /home/export -> /usr/people.

Thanks for your comments,

      Richard
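An added example, not code from the original post, from fixmodes or from Titan: a POSIX sh check for the condition the summary describes, walking every ancestor of a home directory (following a link such as /usr/people -> /export/home to its target) and reporting any that is group- or world-writable, with an optional fix that clears those bits the way the summary did for /usr. The paths in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example; not code from the original post, fixmodes or Titan.
# Reports every ancestor of a directory that is group- or world-writable:
# the condition that made sendmail refuse .forward files once /usr (an
# ancestor of /usr/people -> /export/home) was mode drwxrwxr-x. Assumes
# POSIX sh with ls and cut; "ls -L" judges a symlink such as /usr/people
# by its target.

# True when directory $1 equals $2 or lies below it ("/" matches all).
under_base() {
    case "$1/" in "${2%/}/"*) return 0 ;; *) return 1 ;; esac
}

# Print "<mode> <dir>" when the group-write (char 6) or world-write
# (char 9) bit of $1 is set; print nothing for a clean directory.
report_if_writable() {
    [ -e "$1" ] || { echo "MISSING $1" >&2; return 0; }
    mode=$(ls -ldL "$1" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ] ||
       [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        echo "$mode $1"
    fi
}

# writable_components PATH [BASE]: check "/" (for an absolute PATH) and
# each component of PATH in turn, reporting only those at or below BASE
# (default "/"), so a scan can be limited to, say, /usr after an install.
writable_components() {
    path=$1 base=${2:-/}
    case $path in
        /*) rest=${path#/}; dir=""
            if under_base / "$base"; then report_if_writable /; fi ;;
        *)  rest=$path; dir="." ;;
    esac
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        if [ "$part" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        dir="$dir/$part"
        if under_base "$dir" "$base"; then report_if_writable "$dir"; fi
    done
}

# The remedy chosen in the summary: take the group and world write bits
# away from every ancestor reported above, leaving the owner's intact.
fix_components() {
    writable_components "$1" "$2" | while read -r mode dir; do
        chmod g-w,o-w "$dir" && echo "fixed $dir (was $mode)"
    done
}
```

Run `writable_components /usr/people/user1 /usr` after a package or patch install to see whether the group-write bit has come back on /usr or anything below it.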



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:25 CDT