mparker@chip.UUCP (M. D. Parker) (10/27/88)
Greetings...

In my zeal to properly protect files in my UNIX system, I seem to have caused /etc/rdump to stop working. Not only does it fail between systems, it fails to work when it is for the local system. The error message presented is:

    rcmd:socket: Permission denied

A similar problem happens when I do /etc/ping to another site. A note here is that /etc/ping will work correctly when executed as ROOT.

Question, what did I break and how do I fix it? And unfortunately, NO I do not have sources.

Thanks for your help...

Mike Parker
Manager, Systems Administration
chip!mparker@nosc.mil
guy@auspex.UUCP (Guy Harris) (10/28/88)
>In my zeal to properly protect files in my UNIX system, I seem to have caused
>/etc/rdump to stop working. Not only does it fail between systems, it fails
>to work when it is for the local system. The error message presented is:
>
> rcmd:socket: Permission denied

Umm, turning off the set-UID bit on "/etc/rdump" (or any other program distributed with the system) does not count as "properly protecting files"; you didn't do that, did you? Programs that use "rcmd" require root privileges, since the "rcmd" service uses a "privileged port".

>A similar problem happens when I do /etc/ping to another site. A note here
>is that /etc/ping will work correctly when executed as ROOT.

Sounds like the same problem.... If a system program has the set-UID or set-GID bit set, leave it set unless you *absolutely positively* know that it shouldn't be set.
wolfgang@mgm.mit.edu (Wolfgang Rupprecht) (10/28/88)
In article <211@chip.UUCP> mparker@chip.UUCP (M. D. Parker) writes:
>In my zeal to properly protect files in my UNIX system, I seem to
>have caused /etc/rdump to stop working. A similar problem happens
>when I do /etc/ping to another site. A note here is that /etc/ping
>will work correctly when executed as ROOT. Question, what did I
>break and how do I fix it?

How about a set-UID shell script to let users run these programs? ;-)

-wolfgang

PS. Serious hint:

22 -rwsr-xr-x 1 root staff 22528 Jan 2 1988 /etc/ping
49 -rwsr-sr-x 1 root staff 50176 Jan 2 1988 /etc/rdump

---
Wolfgang Rupprecht ARPA: wolfgang@mgm.mit.edu (IP 18.82.0.114)
TEL: (617) 267-4365 UUCP: mit-eddie!mgm.mit.edu!wolfgang
chris@mimsy.UUCP (Chris Torek) (10/28/88)
In article <7694@bloom-beacon.MIT.EDU> wolfgang@mgm.mit.edu (Wolfgang Rupprecht) writes:
>PS. Serious hint:
>-rwsr-sr-x 1 root staff 50176 Jan 2 1988 /etc/rdump

[I removed the inode number.] Actually, this is much better:

-rwsr-s--- 1 root operator 51200 Nov 18 1987 /etc/rdump

along with

-rwxr-s--- 1 bin operator 36864 Nov 18 1987 /etc/dump

Others are possible, but be careful not to let anyone read the raw disk devices, lest your file protections not protect.
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
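An added example, not part of the thread, that checks the two rules given above (a program calling rcmd, such as /etc/rdump, must be set-UID root; raw disk devices must not be generally readable) against "ls -l" output. The listings are constructed from the modes quoted in the thread and the device name is made up.

```sh
#!/bin/sh
# Added example, not from the thread. A program that calls rcmd() must be
# set-UID root, since only root may bind the privileged port rcmd uses;
# without the bit, non-root users get "rcmd: socket: Permission denied".
# Raw disk devices must not be readable by others, or reading the disk
# bypasses every file mode. Sample listings below are constructed.

# audit_rcmd_program 'LS-L LINE': prints a verdict word, exits 1 on a problem.
audit_rcmd_program() {
    set -f; set -- $1; set +f          # split fields: mode links owner group ... name
    mode=$1; owner=$3
    case $mode in
        -??s??????) ;;                 # set-UID bit present and owner-executable
        *) echo missing-setuid; return 1 ;;
    esac
    [ "$owner" = root ] || { echo setuid-not-root; return 1; }
    case $mode in
        ???????---) echo ok ;;         # group-only, as in the rdump listing above
        *) echo ok-world-accessible ;; # still works, but any user may run it
    esac
}

# audit_raw_device 'LS-L LINE': "ok", "group-readable:GROUP", or "world-readable".
audit_raw_device() {
    set -f; set -- $1; set +f
    mode=$1; group=$4
    case $mode in
        [bc]*) ;;                      # block or character special file
        *) echo not-a-device; return 1 ;;
    esac
    case $mode in
        ???????r??) echo world-readable; return 1 ;;
        ????r?????) echo "group-readable:$group" ;;   # only acceptable for a small group like operator
        *) echo ok ;;
    esac
}

demo() {
    for line in \
        '-rwsr-s--- 1 root operator 51200 Nov 18 1987 /etc/rdump' \
        '-rwxr-sr-x 1 root staff 50176 Jan 2 1988 /etc/rdump' \
        'crw-r--r-- 1 root operator 3, 0 Nov 18 1987 /dev/rxy0a'
    do
        case $line in
            [bc]*) v=$(audit_raw_device "$line" || :) ;;
            *)     v=$(audit_rcmd_program "$line" || :) ;;
        esac
        printf '%s: %s\n' "${line##* }" "$v"
    done
}
demo
```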