From: Greg Ercolano <erco@(email surpressed)>
Subject: Re: Login/Logout hook scripts on Linux
Date: Wed, 20 Mar 2013 17:42:51 -0400
Msg# 2320
On 03/20/13 14:28, Greg Ercolano wrote:
> [posted to rush.general]
> 
> On 03/20/13 13:50, Mr. Daniel Browne wrote:
>> [posted to rush.general]
>>
>> ah ha; the error is rush: 'rush -offline': bing: can't open port lock =
>> file '/usr/local/rush/var/nextport': Permission denied
> 
>     Hmm, that would mean /usr/local/rush/bin/rush has lost its setuid permissions.
>     To fix that, run this as root on that machine:
> 
> chown 0.0 /usr/local/rush/bin/{rush,rushd}
> chmod 4755 /usr/local/rush/bin/{rush,rushd}

    I'm concerned if those perms were changed, others might be broken as well.

    Is it possible someone might have executed a runaway chown/chmod command
    that hit the entire /usr/local/rush directory?

    Under unix, many of the rush files and dirs need very specific permissions
    to operate securely, and a few /must/ be set to operate at all.

    To operate at all, the rush + rushd binaries /must/ be 4755 root/root
    or root/wheel:

$ ls -la /usr/local/rush/bin/{rush,rushd}
-rwsr-xr-x 1 root root 1234568 Feb  6 21:00 /usr/local/rush/bin/rush
-rwsr-xr-x 1 root root 1618864 Feb  6 21:00 /usr/local/rush/bin/rushd
^^^^^^^^^^   ^^^^^^^^^
  |           |
  |           Should be root/root (linux) or root/wheel (mac)
  |
  The 's' is important

    For these setuid programs to be secure, the parent dirs should really
    be 755 and root/root as well, eg:

$ ls -lad /usr/local/rush /usr/local/rush/bin
drwxr-xr-x 11 root root 4096 Feb  6 21:00 /usr/local/rush
drwxr-xr-x  3 root root 4096 Feb  6 21:00 /usr/local/rush/bin
^^^^^^^^^^    ^^^^^^^^^

    For security, the entire rush/etc and rush/var directory hierarchy
    should be owned by root and either 755 (for scripts and the dir itself)
    or 644 (for non-executable files).

    Under normal circumstances, no files in rush/etc or rush/var
    should be writable to anyone other than root.

    When you extract the tar file with the 'p' flag, the perms should
    be correct, and the install script enforces the above perms on the
    rush binaries.


-- 
Greg Ercolano, erco@(email surpressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)
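An added example, not part of the post and not Rush's own install script: a POSIX sh audit that checks the permissions the message lists (rush/rushd 4755 root with group root or wheel, the parent dirs 755 root, and the etc/ and var/ trees root-owned with dirs and scripts 755 and other files 644, so nothing there is writable by anyone but root). It assumes GNU coreutils `stat` (Linux). The install root, the expected owner and the allowed groups are parameters so the same function can be run against a throwaway tree by a non-root user; on a real install, call it with no arguments.

```shell
#!/bin/sh
# Added example (not Rush's own install script): audit a Rush install tree
# for the permissions described in the post. Assumes GNU coreutils stat.
#
#   rush_audit [RUSH_ROOT] [OWNER] [ALLOWED_GROUPS]
#   defaults:  /usr/local/rush  root  "root wheel"
#
# Each finding is printed to stderr; the number of findings goes to stdout,
# so "$(rush_audit)" is 0 on a correctly permissioned install.

mode_of()  { stat -c '%a' "$1"; }   # octal mode including setuid, e.g. 4755
owner_of() { stat -c '%U' "$1"; }
group_of() { stat -c '%G' "$1"; }

# in_list WORD "a b c": success if WORD is one of the words
in_list() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

PROBLEMS=0
fail() { echo "PROBLEM: $1" >&2; PROBLEMS=$((PROBLEMS + 1)); }

rush_audit() {
    root="${1:-/usr/local/rush}"
    owner="${2:-root}"
    groups="${3:-root wheel}"
    PROBLEMS=0

    # 1. rush and rushd must be 4755 (the 's' bit) and owned root / root-or-wheel.
    #    Without the setuid bit, 'rush -offline' cannot open var/nextport.
    for f in rush rushd; do
        p="$root/bin/$f"
        if [ ! -f "$p" ]; then fail "$p is missing"; continue; fi
        m=$(mode_of "$p")
        [ "$m" = 4755 ] || fail "$p mode $m, expected 4755 (setuid bit lost?)"
        [ "$(owner_of "$p")" = "$owner" ] || fail "$p owned by $(owner_of "$p"), expected $owner"
        in_list "$(group_of "$p")" "$groups" || fail "$p group $(group_of "$p"), expected one of: $groups"
    done

    # 2. The directories leading to a setuid binary should be 755 and root-owned,
    #    otherwise a non-root user could swap the binary itself.
    for d in "$root" "$root/bin"; do
        if [ ! -d "$d" ]; then fail "$d is missing"; continue; fi
        m=$(mode_of "$d")
        [ "$m" = 755 ] || fail "$d mode $m, expected 755"
        [ "$(owner_of "$d")" = "$owner" ] || fail "$d owned by $(owner_of "$d"), expected $owner"
    done

    # 3. etc/ and var/ hierarchy: root-owned, dirs and scripts 755, other files 644.
    #    Anything else (775, 666, 777 ...) is writable by someone other than root.
    old_ifs=$IFS; IFS='
'
    set -f      # no glob expansion while splitting find's output on newlines
    for top in "$root/etc" "$root/var"; do
        [ -d "$top" ] || continue
        for p in $(find "$top"); do
            m=$(mode_of "$p")
            [ "$(owner_of "$p")" = "$owner" ] || fail "$p owned by $(owner_of "$p"), expected $owner"
            if [ -d "$p" ]; then
                [ "$m" = 755 ] || fail "$p directory mode $m, expected 755"
            else
                case "$m" in
                    755|644) ;;
                    *) fail "$p mode $m, expected 755 (script) or 644 (data file)" ;;
                esac
            fi
        done
    done
    set +f; IFS=$old_ifs

    echo "$PROBLEMS"
}

# Run directly as a script (saved as rush_audit.sh): audit the real install tree.
case "${0##*/}" in
    rush_audit.sh) rush_audit "$@" ;;
esac
```

Run it as `sh rush_audit.sh` on the render host after a suspected runaway chown/chmod; each line on stderr names one file or directory to fix, and the count on stdout is 0 when the tree matches what the message describes. The audit only reads, so it needs no root; the fix (`chown 0.0` / `chmod 4755` on the binaries, `chmod 755`/`644` elsewhere) still does.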

