Newsgroups: gmane.linux.debian.user Date: Fri, 18 Mar 2005 00:54:30 -0800 (PST)
Newsgroups: gmane.linux.debian.user Date: Fri, 18 Mar 2005 00:54:30 -0800 (PST)
> Is there some problem I cannot foresee scrapping my /tmp filesystem and > symlinking /tmp to /var/tmp ?
/tmp is typically a partition … and chmod 1777
/var/tmp is not typically a partition and maybe susceptible to something that likes to count on that fact to exploit /tmp related problems
when /tmp gets full ..something (bad) could happen
Alvin Oga
IIRC, /tmp gets wiped on boot while /var/tmp doesn't. Since /tmp is symlinked to /var/tmp, /var/tmp will get wiped. So, if you're using /var/tmp for something a little less temporary than /tmp, you'll have issues. There was a rant a while ago about someone who did this and lost a butt load of data becuase it got wiped. Caveat Emptor!
Brooks R. Robinson
Newsgroups: gmane.linux.debian.user Date: Thu, 18 Aug 2005 08:04:52 -0700
> Is it possible to set up a directory so that a user can add a new > file, but once the file is there the same user cannot modify, rename, > or delete the file?
Sounds like you want a drop box. This is what we do at our work place for drop boxes.
# chmod 2773 /usr/local/share/dropbox
# ls -l drwxrws-wx 2 root staff 4096 Aug 18 07:48 dropbox
Then set your samba share to inherit permissions. This should allow a regular user to drop files or folders. If they drop a file, I don't think they will be to overwrite it. However, if they drop a folder with a file in it, and then do it again, they should be able to overwrite it. For most cases, we ask our users to drop folders, that way they can overwrite it if they made a mistake on a file and need to re-drop it in. Either way, only the orignal user who drops stuff in, and the owners/groups of the share have access.
You can do the same for a netatalk share too, but folder drops do not work quite right.
Mike
> > Is it possible to set up a directory so that a user can add a new > > file, but once the file is there the same user cannot modify, rename, > > or delete the file? > > > > The shared directory is a samba share, and will only be accessed > > through windows, so solving this problem through samba is just as > > good. > > How about setting "create mode 0000" and "directory mode 0000" for the > share in the smb.conf file. Or the modes to 0444 and 0555, if you want > the files to be readable. I have not specificly tested this method for > this purpose, but it should work.
Yes, this method worked the best for me. In samba I set directory mode to 0755, allowing users to add files and directories and set create mode to 0444 so that once a file was written it cannot be modified. So far, this is working well, with the only drawback that the only way to make any changes to the files is as root.
I found that samba 3.0.2 will have an "inherit owner" option which I will employ once released. Then I should ge able to set directory permissions to 775 and file permissions to 744. That should allow members of the group (regular users) to add files, but not move or modify, and a seperate owner account for making any changes when necessary.
Thanks for your help.
Chris Purves
July 17, 2006
Quite a serious situation for the Linux kernel: right after the exploit that was used to break into a Debian server was known to have been patched by major distro makers, another Day Zero kernel vulnerability had to be patched! It seems that the Linux kernel is having more and more local privilege escalation vulnerabilities lately (source). Click on to read more… After gluck.debian.org was compromised on July 12 using a local privilege escalation vulnerability in the Linux kernel (the intruder had access to the server using a compromised developer account), the security of the latest linux kernels was somehow questioned.
As it seems, the bug that was exploited is CVE-2006-2451. Vulnerable kernels:
2.6.17.x should upgrade to 2.6.17.4
2.6.16.x should upgrade to 2.6.16.24
This was fixed on July 7th in RHEL4, July 8th in CentOS4.3, July 10th in rPath, July 12th in Ubuntu, July 15th in Fedora.
Suggestions on how to avoid being vulnerable, even without updating your kernel: disable corefiles.
Temporarily:
echo 0 >/proc/sys/kernel/core_uses_pid echo /dev/null >/proc/sys/kernel/core_pattern
Permanently: add to /etc/sysctl.conf:
kernel/core_uses_pid=0 kernel/core_pattern=/dev/null
This is not funny: right after that, a new kernel vulnerability was discovered (CVE-2006-3626), involving the /proc filesystem.
2.6.17.x should upgrade to 2.6.17.5 or 2.6.17.6
2.6.16.x should upgrade to 2.6.16.25
It was announced that the kernel 2.6.17.5 fixes the /proc issue, but a little too harshly. Less than one day later, 2.6.17.6 fixed it properly.
Newsgroups: gmane.linux.debian.user Date: Thu, 15 Jul 2004 20:50:00 +0800
> my Debian (stable version) crashed and has corrupted my reiserfs > partion. Can't boot/mount it anymore :(. > > I started Knoppix from CD and > I tried reiserfsck /dev/hda2 and it tolds me: > "If the partition table has not been changed, and the partition is > valid and it really contains a reiserfs partition, then the > superblock is corrupted and you need to run this utility with > --rebuild-sb." > > Ok then I tried it with the --rebuild-sb switch and it ask me: > "what the version of ReiserFS do you use[1-4] > (1) 3.6.x > (2) >=3.5.9 (introduced in the middle of 1999) (if you use > linux 2.2, choose this one) > (3) < 3.5.9 converted to new format (don't choose if unsure) > (4) < 3.5.9 (this is very old format, don't choose if unsure) > (X) exit" > > Damn I don't know the version, I assume it depends on the reiserfs tools > of my stable Debian version. > Does someone know what version is the right with stable Debian?
If at all possible, copy the paritition to a file (on another computer for preference) using dd:
First, get your knoppix organised so you can do passwordless logins either from or to it. I'm assuming your doing it from the Knoppix box:
dd if=/dev/hda1 bs=4096 | buffer | ssh backup.example.com \| buffer \ \| dd bs=4096 of=/var/local/backup-reiser.img
or similar.
The use of buffer is optional. May buy something, might not. Also consider using gzip or bzip to compress/uncompress data as it crosses the LAN.
You can, of course, backup (more quickly) to a local device, and you can use, eg, nfs rather than dd & ssh.
You should read the docs on dd: I may have left something important or useful out.
John Summerfield