OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: [suse-security] /tmp as homedirectory (update of package "aaa_base")
From: Peter Meijer (pmeijergmx.net)
Date: Mon Oct 02 2000 - 14:44:34 CDT

Hello SuSE experts,

on the second of May 2000 Marc Heuse from SuSE posted an *updated*
security announcement regarding the package "aaa_base":

>>[...]
3. Solution
1) Update the package from our FTP server.
2) The root user will receive a email with the accounts listed which
   have a homedirectory in /tmp. You have to fix this by hand, because
some
   installations might break if they rely on information saved in the
   (unsafe) /tmp homedirectory.
   The email will give more information what to do.
[...]<<

Of course I updated the package immediately. Unfortunately, however, I
never got an eMail with information on how to do part 3.2 (I wonder if
this
happens only to me :-(; I do not find this problem on the list). Currently
three users on my *server* system (SuSE 6.2 running httpd, ftpd, samba,
and
sendmail) have a homedirectory in /tmp:

-- games (I haven' t installed any games...)
-- wwwrun
-- firewall (not installed on _this_ server...)

Nobody's homedirectory is in /var/lib/nobody (nobody.nogroup). I changed
that some time ago, following the instructions given in another security
announcement by SuSE.

My questions: What do I have to do in order to secure my system *without*
breaking it up?! Should I delete the users 'games' and 'firewall'? Should
I
move the homedirectory of user 'wwwrun' to /var/lib/wwwrun
(wwwrun.nogroup)?

Thanks in advance!

Kind regards,

Peter 

-- 
Sent through GMX FreeMail - http://www.gmx.net

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com