how to tune msec's (intrusive) permission tweaking - Mandriva

  1. how to tune msec's (intrusive) permission tweaking

    How does one tune msec to be a little less intrusive and
    obnoxious in how it tweaks permission bits? Specifically,
    now that I'm using a separate dedicated account to run
    Firefox, and I tried to set /home/firefoxuser g+w to allow
    my main account to remove files saved into that directory,
    it appears msec insists on changing /home/* back to 755.
    (This is on Mandriva 2007.0 at the "standard" security
    level.)

    Google found a document,

    http://club.mandriva.com/xwiki/bin/KB/SecureSmsec

    that appears to offer a key, in the section about
    EXCLUDE_REGEXP to be put in
    /etc/security/msec/security.conf, but there is nothing about
    whether EXCLUDE_REGEXP should be created from scratch or
    appended to. There is also nothing explaining the curious
    syntax involving three backslashes and a vertical bar. I
    would guess the vertical bar would be used in a manner
    similar to egrep, but what are the backslashes for?

    Thanks.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  2. Re: how to tune msec's (intrusive) permission tweaking

    On Wed, 16 Jan 2008 03:53:26 GMT, Robert M. Riches Jr. wrote:
    > How does one tune msec to be a little less intrusive and
    > obnoxious in how it tweaks permission bits?


    Set your private configuration file to change the perms to what you like.

    > Specifically, now that I'm using a separate dedicated account to
    > run Firefox, and I tried to set /home/firefoxuser g+w to allow my
    > main account to remove files saved into that directory,


    Why not add rob to firefoxuser group and set group perm on firefox
    sub-directories.. :-)

    > it appears msec insists on changing /home/* back to 755. (This is
    > on Mandriva 2007.0 at the "standard" security level.)


    > Google found a document,
    >
    > http://club.mandriva.com/xwiki/bin/KB/SecureSmsec
    >
    > that appears to offer a key, in the section about
    > EXCLUDE_REGEXP to be put in
    > /etc/security/msec/security.conf, but there is nothing about
    > whether EXCLUDE_REGEXP should be created from scratch or
    > appended to.


    Security.conf should not exist.
    You could copy /usr/share/msec/perm.$SECURE_LEVE
    to /etc/security/msec/security.conf and start hacking away.

    Or keep your own perm.local copy like I do and on clean install, do
    something like
    ln -s /local/bin/perm.local /etc/security/msec

    man msec
    /perm.local for more information

    Field separator is tab.

    perm.local snippet follows:
    /accounts/downloads/*exe	bittwister.document	775
    /accounts/downloads/*htm*	bittwister.document	664
    /local/spare/*	bittwister.document	664
    /local/spare/wg_*	bittwister.document	775
    /local/doc/score.txt	bittwister.document	664
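
A read-only way to see what rules in the perm.local format shown above would change before msec applies them. This is an added example, not part of the original posts and not msec's own code. The function names are hypothetical, the sample tree and rules are constructed, and it assumes a later matching rule overrides an earlier one, as the ordering of the snippet suggests.

```python
import glob
import os
import stat
import tempfile

def parse_rules(text):
    """Parse lines of the form: <path glob> TAB <owner.group> TAB <octal mode>."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:  # space-separated lines are rejected, not guessed at
            raise ValueError(f"expected 3 tab-separated fields: {raw!r}")
        pattern, owner, mode = fields
        rules.append((pattern, owner, int(mode, 8)))
    return rules

def audit(rules):
    """Return (world_writable_rules, drift); drift maps path -> (current, wanted)."""
    world_writable = [(p, oct(m)) for p, _, m in rules if m & stat.S_IWOTH]
    wanted = {}
    for pattern, _owner, mode in rules:
        for path in glob.glob(pattern):
            wanted[path] = mode  # assumption: a later matching rule overrides
    drift = {}
    for path, mode in wanted.items():
        current = stat.S_IMODE(os.stat(path).st_mode)
        if current != mode:
            drift[path] = (oct(current), oct(mode))
    return world_writable, drift

def demo():
    """Constructed sample: a throwaway tree plus rules shaped like the snippet."""
    root = tempfile.mkdtemp()
    for name, mode in (("a.txt", 0o664), ("wg_tool", 0o664), ("b.txt", 0o600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o770)
    rules_text = (f"{root}/*\tcurrent\t664\n"
                  f"{root}/wg_*\tcurrent\t775\n"
                  f"{root}/shared\tcurrent\t1777\n")
    return root, audit(parse_rules(rules_text))

if __name__ == "__main__":
    root, (risky, drift) = demo()
    print("world-writable rules:", risky, "\ndrift:", drift)
```

Only the mode column is compared; the owner.group field is parsed but not checked.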

  3. Re: how to tune msec's (intrusive) permission tweaking

    On Wed, 16 Jan 2008 06:17:40 +0000 (UTC), Bit Twister wrote:
    Sorry cut/paste malfunction
    > You could copy /usr/share/msec/perm.$SECURE_LEVE

    You could copy /usr/share/msec/perm.$SECURE_LEVEL

  4. Re: how to tune msec's (intrusive) permission tweaking

    "Robert M. Riches Jr." writes:

    >How does one tune msec to be a little less intrusive and
    >obnoxious in how it tweaks permission bits? Specifically,


    Edit /usr/share/msec/perms.2 ( or .3 or whatever your security level is.)

    >now that I'm using a separate dedicated account to run
    >Firefox, and I tried to set /home/firefoxuser g+w to allow
    >my main account to remove files saved into that directory,
    >it appears msec insists on changing /home/* back to 755.


    Change /usr/share/msec/perm.2
    /home/ root.root 755
    /home/* current 755
    to
    /home/ root.root 755
    /home/* current 755
    /home/firefoxuser current 1777

    >(This is on Mandriva 2007.0 at the "standard" security
    >level.)


    >Google found a document,


    >http://club.mandriva.com/xwiki/bin/KB/SecureSmsec


    >that appears to offer a key, in the section about
    >EXCLUDE_REGEXP to be put in
    >/etc/security/msec/security.conf, but there is nothing about
    >whether EXCLUDE_REGEXP should be created from scratch or
    >appended to. There is also nothing explaining the curious
    >syntax involving three backslashes and a vertical bar. I
    >would guess the vertical bar would be used in a manner
    >similar to egrep, but what are the backslashes for?


    >Thanks.


    >--
    >Robert Riches
    >spamtrap42@verizon.net
    >(Yes, that is one of my email addresses.)


  5. Re: how to tune msec's (intrusive) permission tweaking

    On Wed, 16 Jan 2008 07:37:27 GMT, Unruh wrote:
    >
    > Edit /usr/share/msec/perms.2 ( or .3 or whatever your security level is.)


    Downside is update or dinking around in MCC may change/overwrite
    /usr/share/msec/perms.$SECURITY_LEVEL.

    Better to use the /etc/security/msec/security.conf
    or /etc/security/msec/perm.local
    or /etc/security/msec/level.local files

  6. Re: how to tune msec's (intrusive) permission tweaking

    On Tue, 15 Jan 2008 22:53:26 -0500, Robert M. Riches Jr. wrote:

    > How does one tune msec to be a little less intrusive and
    > obnoxious in how it tweaks permission bits? Specifically,


    As it's a Mandriva application, it's best to use Mandriva tools, to update
    the config files.

    In mcc, select security, then Tune permission..., (or run drakperm),
    add a rule for the firefox directory, and set the permissions accordingly.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  7. Re: how to tune msec's (intrusive) permission tweaking

    On 2008-01-16, Bit Twister wrote:
    > On Wed, 16 Jan 2008 03:53:26 GMT, Robert M. Riches Jr. wrote:
    >> How does one tune msec to be a little less intrusive and
    >> obnoxious in how it tweaks permission bits?

    >
    > Set your private configuration file to change the perms to what you like.
    >
    >> Specifically, now that I'm using a separate dedicated account to
    >> run Firefox, and I tried to set /home/firefoxuser g+w to allow my
    >> main account to remove files saved into that directory,

    >
    > Why not add rob to firefoxuser group and set group perm on firefox
    > sub-directories.. :-)


    Now, why didn't I think of that? :-) Actually, that's
    probably the easiest thing to do. Thanks for the other
    suggestions, though. The man pages and the "documentation"
    file they reference are rather poor at explaining how to
    tweak things.

    Thanks.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  8. Re: how to tune msec's (intrusive) permission tweaking

    On 2008-01-16, David W. Hodgins wrote:
    > On Tue, 15 Jan 2008 22:53:26 -0500, Robert M. Riches Jr. wrote:
    >
    >> How does one tune msec to be a little less intrusive and
    >> obnoxious in how it tweaks permission bits? Specifically,

    >
    > As it's a Mandriva application, it's best to use Mandriva tools, to update
    > the config files.
    >
    > In mcc, select security, then Tune permission..., (or run drakperm),
    > add a rule for the firefox directory, and set the permissions accordingly.
    >
    > Regards, Dave Hodgins


    Thanks for the suggestion. I think I'm going to take the
    even easier method Bit Twister suggested of saving files
    into a sub-directory in the firefox user account.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)
