= ROOT|Technical|LinuxGazette|issue108.txt =

   that FC2 is secure as it had never been before. Then, a week later, they
   realized that they had forgotten the root password. I did precisely what
   you said with 'init=/bin/bash' (I believe selinux=0 was a default;
   /etc/rc.d/rc was activating and configuring SELinux before anything else,
   as it has a flag in /etc/sysconfig), and after the reboot no one was able
   to log into the system.

   Everything worked OK with SELinux disabled.

   If anyone wants to make a correction to the article, the best thing is to
   warn users that some security systems à la SELinux store checksums on
   files, which can make a file inaccessible if it was changed outside of the
   given security system. To make the file accessible again, they will need
   to consult the manuals on how to do that.
                                  _______

     Hi, thanks for emailing me with this info. I haven't yet tried SELinux,
     so I wasn't aware of this problem. Apparently what's happening is that
     changing the password file trips a checksum or something in SELinux,
     stopping people from hacking the system.

     I think it would still be possible to get past it by disabling SELinux
     at startup, changing the password, then doing a proper password reset
     and then activating SELinux. We could also try editing the sudo file to
     give a particular user su rights and then use that login to change the
     root password.

   You would not do that on a system where you do care about security. Would
   you?

     Would you mind if I posted your comments on my site as a followup to the
     article? I will of course credit you for it, but I think that this info
     would be useful to others also. I would also like to post this to the LG
     TAG mailing list so that they know about this too, and who knows, this
     might show up in next month's LG as reader feedback.

   Do whatever you like at your discretion. Spell checking is welcome ;-)
                                  _______

     SELinux notes by "Ihar 'Philips' Filipau"

   On [37]http://linuxgazette.net/107/tomar.html you wrote: 

     * Boot into single-user mode (easiest, least risky)
     * Boot using a boot disk and edit the password file
     * Mount the drive on another computer and edit the password file

   On an SELinux-enabled system, all these methods will make the system
   unusable. I have had a negative experience with this on one of the
   Fedoras: due to some kind of bug/feature, SELinux was refusing to accept a
   foreignly modified /etc/passwd; no one was able to read /etc/passwd. I
   believe that was one of the problems why Fedora removed SELinux from the
   default installation.

   I cannot be sure how to fix that, since I didn't manage to repair that
   Fedora. Fedora's FAQ has a command to repair the file label (whatever it
   is called in SELinux; it is used to track file modifications), but it was
   failing for me. Another option was to turn off SELinux, but I
   (mischievously) used this problem as a reason to /upgrade/ the system to
   [38]SuSE. And it worked ;-)
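
   A worked version of the label repair the notes above point at, added
   here by the editor; it is not from the LG article, from the Fedora FAQ,
   or from either correspondent. SELinux does not checksum files: it keeps a
   security context (the "label") on each file in an extended attribute, and
   the policy decides which processes may read the file from that label. A
   password file rewritten from a rescue shell can end up with a label the
   policy does not expect (with init=/bin/bash no policy is loaded at all,
   so anything written there is unlabeled), and then even login is not
   allowed to read it. The script compares /etc/passwd and friends against
   the context the loaded policy says they should have and resets them with
   restorecon. The tool names are the standard libselinux ones; the sample
   context strings in the comments are illustrative and the account of what
   happened on the correspondent's Fedora box is an assumption, the real
   values come from matchpathcon on the system in question.

```shell
#!/bin/sh
# Editor's added example: not from the LG article, the Fedora FAQ, or the
# mailbag correspondents.  Check the SELinux labels on the account files
# after they were edited from a rescue shell, and repair any that differ
# from what the loaded policy expects.
#
# Assumptions: libselinux-utils (matchpathcon, restorecon, selinuxenabled)
# and GNU stat are installed; the contexts quoted in comments are examples
# of a Fedora-style policy, the real ones come from matchpathcon.

# context_type CONTEXT: print the type field of "user:role:type[:level]",
# e.g. "system_u:object_r:passwd_file_t:s0" -> "passwd_file_t".
context_type() {
  printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# label_status FILE ACTUAL EXPECTED: compare the type fields of two
# contexts; print a one-line verdict and return 0 on a match, 1 otherwise.
label_status() {
  _file=$1
  _have=$(context_type "$2")
  _want=$(context_type "$3")
  if [ "$_have" = "$_want" ]; then
    printf '%s: ok (%s)\n' "$_file" "$_have"
    return 0
  fi
  printf '%s: mismatch, has %s but policy expects %s\n' \
    "$_file" "$_have" "$_want"
  return 1
}

# check_label FILE: read the file's current context (GNU stat %C), ask the
# policy what it should be (matchpathcon -n prints only the context), and
# reset it with restorecon when the two differ.
check_label() {
  _f=$1
  _cur=$(stat -c %C "$_f")
  _exp=$(matchpathcon -n "$_f")
  if ! label_status "$_f" "$_cur" "$_exp"; then
    restorecon -v "$_f"
  fi
}

# Run the real check only where SELinux is active, so the helpers above can
# still be exercised on a system without it.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    check_label "$f"
  done
  # If the box was booted with selinux=0, or from init=/bin/bash where no
  # policy is loaded, and more than these files were written, schedule a
  # full relabel of the filesystem for the next boot instead:
  #   touch /.autorelabel
fi
```

   Booting with enforcing=0 on the kernel command line (permissive mode)
   rather than selinux=0 keeps the policy loaded, so files written while
   fixing the password still receive labels and the per-file repair above
   is usually all that is needed.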
            ____________________________________________________

Re: stunnel article in the Linux Gazette

   Sat, 23 Oct 2004 20:11:30 +0100
   Barry O'Donovan ([39]LG Article Author)
   Additional Info from Michal Trojnara (Michal.Trojnara from mirt.net)

   Hey guys,

   Whenever I write an article on something I usually send an e-mail to the
   developers/maintainers/webmasters/etc. of whatever I write about, letting
   them know it's on the Gazette in case they wish to link to it. In the case
   of last month's stunnel article I e-mailed the author of stunnel (Michal
   Trojnara), to which he replied below (and gave his permission to have it
   reproduced in Mailbag if Heather so wishes).
                                  _______

   Michal Trojnara, Saturday 23 October 2004 19:31

   Barry, 

   Your article is just great. It's very clear and easy for beginners. 

   Some hints could possibly be added, like:

     - disabling the Nagle algorithm for improved performance

     socket = l:TCP_NODELAY=1
     socket = r:TCP_NODELAY=1

     - creating a special user/group just for stunnel instead of nobody

   Best regards,
   Mike 

     [Barry] By the way: Nagle's algorithm is used to decrease the number of
     packets sent over a connection by buffering smaller messages so that only
     a single packet will be transmitted instead of one for each message.
     Although "nagling" addresses some network problems it can be undesirable
     in highly interactive environments.

     Thanks again for your comments Mike - and your permission to print.
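
     A concrete form of Mike's two hints, added by the editor and taken
     neither from the article, from Mike's message nor from stunnel's own
     documentation: a shell script that creates a dedicated unprivileged
     account for stunnel and writes a minimal stunnel.conf that drops
     privileges to it, with Nagle disabled on both the local (l:) and the
     remote (r:) connection sockets. The account name "stunnel", the
     /etc/stunnel and /var/run/stunnel paths and the IMAPS service being
     wrapped are assumptions.

```shell
#!/bin/sh
# Editor's added example, not from the LG article, from Michal Trojnara's
# message, or from stunnel's documentation.  Assumed names: account and
# group "stunnel", config under /etc/stunnel, pid file under
# /var/run/stunnel, and a service that wraps local IMAP (143) as IMAPS (993).

# stunnel_conf USER GROUP CERT PIDFILE: print a stunnel.conf that drops
# privileges to USER/GROUP and disables Nagle on both sides of every tunnel.
stunnel_conf() {
  cat <<EOF
; privileges are dropped to an account that exists only for stunnel,
; instead of the shared "nobody" account
setuid = $1
setgid = $2
cert = $3
pid = $4

; Nagle buffers small writes into fewer packets, which adds latency to
; interactive protocols; "l:" is the local (client-facing) connection,
; "r:" the connection to the real service
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[imaps]
accept = 993
connect = 143
EOF
}

# install_stunnel_account NAME: create a system group and user with no
# login shell, plus a directory owned by it for the pid file.  Needs root;
# safe to rerun.
install_stunnel_account() {
  _u=$1
  getent group "$_u" >/dev/null 2>&1 || groupadd -r "$_u"
  getent passwd "$_u" >/dev/null 2>&1 || \
    useradd -r -g "$_u" -d /var/run/stunnel -s /sbin/nologin "$_u"
  mkdir -p /var/run/stunnel
  chown "$_u:$_u" /var/run/stunnel
  chmod 0750 /var/run/stunnel
}

# nodelay_both_sides CONF: 0 when CONF sets TCP_NODELAY=1 for both the l:
# and the r: socket, 1 otherwise.  Handy for auditing an existing config,
# where it is easy to set only one side.
nodelay_both_sides() {
  grep -q '^socket[[:space:]]*=[[:space:]]*l:TCP_NODELAY=1' "$1" &&
    grep -q '^socket[[:space:]]*=[[:space:]]*r:TCP_NODELAY=1' "$1"
}

# Only touch the system when asked to and running as root.
if [ "${1:-}" = "--install" ] && [ "$(id -u)" -eq 0 ]; then
  install_stunnel_account stunnel
  mkdir -p /etc/stunnel
  stunnel_conf stunnel stunnel /etc/stunnel/stunnel.pem \
    /var/run/stunnel/stunnel.pid > /etc/stunnel/stunnel.conf
  nodelay_both_sides /etc/stunnel/stunnel.conf && echo "stunnel.conf written"
fi
```

     Run it as root with --install to create the account and write the
     config; without arguments it only defines the functions, so
     nodelay_both_sides can be pointed at an existing stunnel.conf to see
     whether Nagle was disabled on only one side.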
