On 03/20/13 14:28, Greg Ercolano wrote:
> [posted to rush.general]
>
> On 03/20/13 13:50, Mr. Daniel Browne wrote:
>> [posted to rush.general]
>>
>> ah ha; the error is rush: 'rush -offline': bing: can't open port lock
>> file '/usr/local/rush/var/nextport': Permission denied
>
> Hmm, that would mean /usr/local/rush/bin/rush has lost its setuid permissions.
> To fix that, run this as root on that machine:
>
> chown 0.0 /usr/local/rush/bin/{rush,rushd}
> chmod 4755 /usr/local/rush/bin/{rush,rushd}
I'm concerned if those perms were changed, others might be broken as well.
Is it possible someone might have executed a runaway chown/chmod command
that hit the entire /usr/local/rush directory?
Under unix, many of the rush files and dirs need very specific permissions
to operate securely, and a few /must/ be set to operate at all.
To operate at all, the rush + rushd binaries /must/ be 4755 root/root
or root/wheel:
$ ls -la /usr/local/rush/bin/{rush,rushd}
-rwsr-xr-x 1 root root 1234568 Feb 6 21:00 /usr/local/rush/bin/rush
-rwsr-xr-x 1 root root 1618864 Feb 6 21:00 /usr/local/rush/bin/rushd
^^^^^^^^^^   ^^^^^^^^^
   |             |
   |         Should be root/root (linux) or root/wheel (mac)
   |
The 's' is important
For these setuid programs to be secure, the parent dirs should really
be 755 and root/root as well, eg:
$ ls -lad /usr/local/rush /usr/local/rush/bin
drwxr-xr-x 11 root root 4096 Feb 6 21:00 /usr/local/rush
drwxr-xr-x  3 root root 4096 Feb 6 21:00 /usr/local/rush/bin
^^^^^^^^^^    ^^^^^^^^^
For security, the entire rush/etc and rush/var directory hierarchy
should be owned by root and either 755 (for scripts and the dir itself)
or 644 (for non-executable files).
Under normal circumstances, no files in rush/etc or rush/var
should be writable to anyone other than root.
When you extract the tar file with the 'p' flag, the perms should
be correct, and the install script enforces the above perms on the
rush binaries.
--
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/
Tel: (Tel# suppressed) ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)