[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [seul-edu] Students can access Principal's files!



On Wed, 1 May 2002, Robert Maynord wrote:

> Dear Seul Folks:
> 
> I have close to 70 machines running on our school network now - almost 
> all Linux.  Students log in with NIS, and load their HOME directories 
>  with NFS.  The server is running Mandrake 8.0. All works fine, except 
> for one problem:  the server won't let me change permissions on the HOME 
> directories, and they are set to 755.  This means that all the students 
> can access the principal's HOME directory for viewing.  They can also 
> view each other's directories.  When I try to change permissions on the 
> HOME directories to 700 (as root) they stay changed for about 15 
> minutes, and then change back!!!!
> 
> I have tried disabling msec and it made no difference.  I have also 
> disabled cron - but no luck.  Something is auto-changing the permissions.
> 
> I have been looking for 2 weeks, but no luck.  Does anyone have a clue 
> as to what might be auto-setting my HOME directory permissions?

Hi, this is a very weird situation indeed.

Are you running rsync (maybe for backup) ? This is a bit old, but who 
knows... :
http://www.linuxsecurity.com/advisories/caldera_advisory-18.html

Other than that, I'd follow the following script:

1) the permission problem occur on the server or only in the NFS-mounted 
   clients ? If only on clients, then check your exports file

2) if not, unplug the ethernet of the server, and follow:

write down this script

---8<--- cut here ---8<---
#!/usr/bin/perl

my $subject=$ARGV[0];
my (@x, $prev);

unless ($subject) {
    print "need filename\n";
    exit 0;
}

@x=stat $subject;
$prev=$x[2];
print  "watching $subject\n";
printf "initial mode/permissions: %o\n", $prev;

while(0<1) {
    @x=stat $subject;
    if ($x[2] != $prev) {
	$prev=$x[2];
	printf "mode changed to %o\n", $prev;
    }
    sleep 1;
}
---8<--- cut here ---8<----

write it down, say, to watch.pl, chmod 755 watch.pl and in one window / 
virtual terminal run

./watch.pl /home/principal

(being /home/principal one of the affected homedirs)

Then, in another window or virtual terminal, you (admin) interpret the 
script below:

   while ( there are services running ) {
     stop one service
     fix homedir permissions
     wait 20 minutes or until the output of watch.pl notices an 
                     unexpected mode change.
     if 20 minutes have passed and no mode change, you found your foe.

   }

(leave the NFS services as the last ones to stop)

Hope you find the issue.

.........................................................................
Felipe Paulo Guazzi Bergo - Computer Science MSc Student at Unicamp
bergo@seul.org - Campinas - SP - Brazil - Earth 
GPG/PGP mail welcome - GPG/PGP Key: EF8EE808 (keyserver pgp.mit.edu)

* Those who don't understand Unix are doomed to reinvent it, poorly.