Can a user's default file creation mode use a group they're not a member of? (chroot/rssh issue)
running debian etch; Here's the background - I'm using chroot/rssh to restrict users to sftp only. my chroot jail is /home/chroot. all directory modes are 700 (except the users' directory), because I don't want users to even see the names of other users' home directories. all users are in the chroot group; and their default umask is 066 - so user created files are all mode 600.

I have an "SFTP manager" who all the users are exchanging files with. This person is in the chadm group. the /home/chroot/users directories are all mode 770, and are in the chadm group.

So here's my problem - when users send a file, it's created as owner=user; group=chroot; and mode=600. my "SFTP manager" does not have rights to the file.

is there a way to have my users' file creation default to group=chadm - WITHOUT having them IN the chadm group? obviously, my manager should have full rights to all these home directories, but users should have NO access to anything but their own directory/files.

TIA - Bob
Is there a work-around for a umask bug in rssh/chroot ??
running etch; rssh/chroot with users allowed sftp only. I have my umask=007 in my rssh.conf; I have setgid=true on all home dirs. When a user uploads a file, that file does NOT have mode=660 as I would expect - instead it's 640. has anyone had this problem, and found a work-around? TIA Bob
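Both questions above (giving a managing group access to uploads without adding the uploaders to that group, and an upload that lands as 640 under umask 007) come down to how the kernel decides a new file's mode and group at creation time. The following is an added Python example, not code from rssh, OpenSSH or the original posts; it runs in a throw-away temporary directory and the requested modes are constructed for illustration. It shows that the resulting mode is requested_mode & ~umask, so a umask can only clear bits (a client that passes the source file's own 0644 mode in its open request ends up with 640 under umask 007, never 660), and that the setgid bit on a directory is what makes new files take the directory's group rather than the creating user's primary group.

```python
import os
import stat
import tempfile

# Added example (not rssh/OpenSSH code): how a new file's permission bits and
# group are decided at creation time. Paths and requested modes are constructed.

def create_file(directory, name, umask, requested_mode=0o666):
    """Create a file the way a server process does: open(O_CREAT, mode) under
    the given umask. Returns the resulting permission bits. The kernel applies
    requested_mode & ~umask, so the umask can clear bits but never add them."""
    path = os.path.join(directory, name)
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested_mode)
        os.close(fd)
    finally:
        os.umask(old)           # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)

def make_setgid_dir(parent, name):
    """Directory with the setgid bit (mode 2770, rwxrws---). Files created in
    it get the directory's group, not the creator's primary group, which is
    how a managing group can reach uploads without the uploaders joining it."""
    path = os.path.join(parent, name)
    os.mkdir(path)
    os.chmod(path, 0o2770)
    return path

def demo():
    """Run the scenarios in a throw-away directory and return what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        shared = make_setgid_dir(tmp, "shared")
        # Plain creation asks for 0666; umask 007 leaves 660.
        results["0666_umask007"] = create_file(shared, "a", 0o007)
        # A client that sends the source file's own mode (0644) in the open
        # request gets 640 under umask 007: nothing can add the group write bit.
        results["0644_umask007"] = create_file(shared, "b", 0o007, 0o644)
        # umask 066 strips read and write from group and other: 600.
        results["0666_umask066"] = create_file(shared, "c", 0o066)
        dir_st = os.stat(shared)
        file_st = os.stat(os.path.join(shared, "a"))
        results["dir_setgid"] = bool(dir_st.st_mode & stat.S_ISGID)
        results["file_gid_is_dir_gid"] = file_st.st_gid == dir_st.st_gid
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

When diagnosing a "wrong mode after upload", compare the mode the client actually requests (visible with strace on the server-side sftp process as the third argument of open) with the umask; a 640 result under umask 007 means the request asked for 0644, not that the umask was ignored.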
Is there a "quick" how-to or "getting started" for exim?
running etch in console (no X); I just want to take inbound Email & forward to exchange server only email w/ valid recipients. isn't there a document that says how to do this in less than 400 pages??? TIA
LDAP - howto get linux to talk to exchange/AD
at the end of the day, this is what I want: my debian(etch)/exim machine to accept all internet Email to my domain, ignore all else, and relay on to my exchange 5.5 server. This means I want exim to validate email recipients thru ldap lookups. seems like a simple enough task, even one that many people have probably done. Can I find any examples of an exim config file that demonstrates this? NO! docs suck. So I have no idea if my router config is even close or not. I don't think I need an acl, but i'm not sure. such a simple task, you'd think there'd already be a sample config file out there somewhere.

Having said that, I'm trying to figure out why my ldap lookups aren't working, so that leads me down a nasty diagnostic path.

1) can you do ldap queries using telnet? I seem to connect to my server fine, but every query I insert, returns nothing.
2) i'm trying to do ldap lookups using ldapsearch, and I'm not having any luck at all, and i'm getting useless error messages.
3) ldap is definitely running on exchange, because an ldap://server/query entry in a browser, brings up a dialog box that will successfully search using a custom ldap string, and it all works.
4) if I can't do a simple query using ldapsearch, how in the am i ever going to get exim setup correctly? what does a valid ldapsearch command look like anyway??
5) if I can't use telnet to try to diagnose what's going on - where should I start?

TIA - Bob
LDAP - howto get linux to talk to exchange/AD
at the end of the day, this is what I want: my debian(etch)/exim machine to accept all internet Email to my domain, ignore all else, and relay on to my exchange 5.5 server. This means I want exim to validate email recipients thru ldap lookups. seems like a simple enough task, even one that many people have probably done. Can I find any examples of an exim config file that demonstrates this? NO! docs suck. So I have no idea if my router config is even close or not. I don't think I need an acl, but i'm not sure. such a simple task, you'd think there'd already be a sample config file out there somewhere.

Having said that, I'm trying to figure out why my ldap lookups aren't working, so that leads me down a nasty diagnostic path.

1) can you do ldap queries using telnet? I seem to connect to my server fine, but every query I insert, returns nothing.
2) i'm trying to do ldap lookups using ldapsearch, and I'm not having any luck at all, and i'm getting "invalid credential" error messages.
3) ldap is definitely running on exchange, because an ldap://server/query entry in a browser, brings up a dialog box that will successfully search using a custom ldap string, and it all works.
4) if I can't use telnet to try to diagnose what's going on - where should I start?

TIA - Bob
LDAP - howto get linux to talk to exchange/AD
Apologies for any duplicate posts. I'm reading this thread on google (groups), and I apparently can't reply/post from there.

reply to s.:

hi s. yes, I have...(google searches) but none of my searches has revealed any information that actually works. All I can get out of exim is "Unrouteable address". no matter what I've tried. The ppt presentation you referred to looked like it had potential, but not 1 single LDAP query in that ppt seemed to work correctly on my windows browser. I figured if the information in there, which DID look fairly straightforward, doesn't work right, then how can I trust anything that follows? I certainly accept the notion that the problem is ME. But I can't seem to find a place to start diagnosing what I'm doing wrong... I can't seem to get even the simplest of things to work correctly when it comes to using exim w/ ldap. I consider myself expert, when it comes to most things *nix. But working with ldap has been the most frustrating experience i've had in a long time.

The closest thing to ANY success i've had is with ldapsearch as follows:

  ldapsearch -h exchange.domain.com -D "CN=exim,CN=Users,DC=domain,DC=com" -x -w "password" -b "CN=Users,DC=domain,DC=com" "(memberOf=CN=Users,DC=domain,DC=com)"

this command at least seems to communicate w/ the exchange server, and tells me "invalid credentials". I can only ASSUME that means a problem w/ the user/password, but I KNOW that info IS valid. I don't have a clue how to start figuring out what's wrong with credentials I KNOW are good. is debian REALLY talking to my exchange server? have no clue... it would help if I could telnet to my exchange server & submit a query & see it work... but no one can even tell me IF this can be done!?!?
LDAP - howto get linux to talk to exchange/AD
OK; I agree - problem is DEFINITELY ldap authentication; forget about exim. my exchange server is set up to accept clear text, and anonymous OK (even though I'm not trying to be anon).

here's the thing - I have no idea what is going on between ldapsearch, and my exchange server. I've tried netcat'g the host:389 to see if I could eavesdrop, but to no avail. I've tried telnet'g to the host:389, and DO connect, but have no idea what the communication should look like, and I get no responses at all regardless of what I try. ldap is definitely running - I can run custom queries, and ldap://queries thru my windows browser with success. the problem IS debian authenticating w/ the exchange server.

Can someone tell me some way to diagnose just what is happening in this communication between ldapsearch & ldap server ??? Or can someone point me / show me how a structured communication to the ldap server would look like, so I can try sending it thru telnet - just to see if I can get it to work that way. Then I can try & figure out what ldapsearch is sending...

TIA - Bob
LDAP - howto get linux to talk to exchange/AD
CR - TX for your reply, your script & data was very useful. I've made some progress... I still don't know why I can't authenticate using my admin account / password (and NOTHING I do seems to resolve this). BUT - with my improved understanding of the structure of the ldapsearch command (TX SK); and a renewed attempt to access the ldap server anonymously (CR ;_); it appears that I can now connect to my exchange server.

now, my problem is I still can't run any queries, I only get:

  # search result
  search: 2
  result: 2 Protocol error

After much googling on ldap protocol error 2, I'm again stuck. I found hits that referenced a "-C" option to ldapsearch; which doesn't seem to apply anymore, since I find no docs on -C in the manpage. I found another hit that might indicate that ldap V3 and exchange 5.5 might produce a protocol error, but I've started using -P2 anyway, with no different response. although this error is returned from the exchange server, the problem has GOT to be with ldapsearch / debian. I CAN do successful queries from windows environment. anyone got more ideas? TIA! (again) - Bob
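The earlier post asks what a "structured communication to the ldap server would look like" so it can be tried over telnet, and this one is stuck on result code 2. The answer to the first question explains the telnet silence: LDAP messages are ASN.1 BER-encoded binary structures, not lines of text, so nothing typed at a telnet prompt is a valid request and the server has nothing to answer. The following is an added Python example, not code from OpenLDAP, ldapsearch or the thread; it encodes a real LDAPv3 BindRequest (anonymous when DN and password are empty) and decodes BindResponse messages, including the resultCode 49 ("invalid credentials") and 2 ("Protocol error") values that appear in the thread. The two response byte strings are constructed, not captured from any server.

```python
# Added example, not from the thread or from OpenLDAP: LDAP on the wire is
# ASN.1 BER. This builds an LDAPv3 BindRequest and decodes BindResponses.

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (tag 0x0a gives ENUMERATED)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(tag, value.to_bytes(length, "big", signed=True))

def ber_parse(data):
    """Split the first TLV off `data`: returns (tag, payload, remainder)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        pos = 2 + nbytes
    return tag, data[pos:pos + length], data[pos + length:]

def bind_request(message_id, bind_dn="", password=""):
    """LDAPMessage ::= SEQUENCE { messageID, BindRequest [APPLICATION 0] }
    with simple authentication. Empty DN and password = anonymous bind."""
    bind = (ber_int(3)                               # version 3
            + ber_tlv(0x04, bind_dn.encode())        # name (OCTET STRING)
            + ber_tlv(0x80, password.encode()))      # [0] simple password
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))

RESULT_NAMES = {0: "success", 2: "protocolError", 49: "invalidCredentials"}

def parse_bind_response(data):
    """Return (messageID, resultCode, code name, diagnosticMessage)."""
    tag, msg, _ = ber_parse(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, id_bytes, rest = ber_parse(msg)
    message_id = int.from_bytes(id_bytes, "big", signed=True)
    op_tag, op, _ = ber_parse(rest)
    if op_tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code_bytes, rest = ber_parse(op)              # ENUMERATED resultCode
    code = int.from_bytes(code_bytes, "big", signed=True)
    _, _matched_dn, rest = ber_parse(rest)           # LDAPDN matchedDN
    _, diag, _ = ber_parse(rest)                     # LDAPString diagnosticMessage
    return message_id, code, RESULT_NAMES.get(code, "other"), diag.decode("utf-8", "replace")

# Constructed BindResponse messages (messageID 1, empty matchedDN and diagnostic).
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")
SAMPLE_PROTOCOL_ERROR = bytes.fromhex("300c02010161070a010204000400")

if __name__ == "__main__":
    print("anonymous bind request:", bind_request(1).hex())
    print(parse_bind_response(SAMPLE_INVALID_CREDENTIALS))
    print(parse_bind_response(SAMPLE_PROTOCOL_ERROR))
```

To see the real exchange rather than guessing at it, capture port 389 with tcpdump or Wireshark (whose LDAP dissector decodes these structures) while running ldapsearch; the first request on the wire should decode to the same shape bind_request() produces, and the server's first reply to a BindResponse whose resultCode tells you whether the bind itself or the later search is what fails.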
LDAP - howto get linux to talk to exchange/AD
Clarence, I'm most appreciative for your post. although your perl script doesn't work for me as is... I was able to use it to make one that DOES work. what REALLY confuses me now, is that my perl script WILL access ldap, and produce results - but when I try the same thing using ldapsearch from bash, NO Go ! to be honest, at this point, if it works in perl, I don't care that it doesn't from bash... now I need to get exim working! TX again!!
exim4 config - what EXACTLY is "final destination"
running debian etch w/ exim 4. I want to setup exim to receive internet email, and accept/relay ONLY emails to a recipient listed in a text file, on to my exchange server. It will not send any outbound email. I've been having a heck of a time getting this to work. been trying to edit config files, make my own router etc... I'm thinking I shouldn't need to make my own router, just mod an existing one, but not sure which to use for sure. Anyway - been having SO many problems getting this to work, I've decided to start over again.

(1) i'm dpkg-reconfig 'g and I'm being asked "should this machine consider itself the final destination". I'm not even 100% sure how to answer this stupid question. What EXACTLY IS the final destination? is my debian box the final destination even though it will relay all email to an exchange server, and have NO "localhost" email boxes??? I use localhost, because I don't even know what "local" means!!! What exactly is a local delivery? is email to the debian box local? to my exchange server - is that local (only 1 domain)?

(2) recipient domains, that this sys will relay for. i'm ASSUMING that I enter my domain.com here because I want this box to relay everything to my exchange server. Then the screen says - "Do not mention local domains here". BANG; now I have no idea what to put here. What exactly is a "local domain" !?!?!?!?! is debian.domain.com a local domain? is exchange.domain.com local ??? what if (it's NOT), but what if my mail server were on the internet somewhere, and answers to mail.domain.com - is THAT local?

(3) what exactly is a "smarthost"?? is a system that does nothing but relay valid Email to an exchange server a smart host? From what I understand, a smart host is something that collects outbound email, and manages that. So my application should not be a smart host? right? The question "machines to relay mail for", I can only ASSUME should be left blank.

Since I have no idea what the implications are for answering these questions 1 way or another - I'm not sure how to answer!?! My WHOLE initial setup is a freaking guess. So then, if I go to mod the exim.conf.template file - I have NO IDEA what to do in here, because it references all kinds of variables I know nothing (or next to) about!

From everything I've read - exim is supposed to be much better than sendmail. It's supposed to be more secure, and easier to setup. Well - here's my take: having a config file that uses arcane variables that they themselves use more variables to control certain actions is INSANE! you have vars that trigger something to happen somewhere, sometime and god only knows where/when!!! Give me a script file written in a language I've never seen before and I can figure out what's going on 10 times faster. In fact, give me a script file written in a [computer] language I've never seen, written in a foreign [human] language, and I can figure out what's happening 5 times faster. :O)

more secure - probably - I can't even run the damn setup (or more properly, get exim itself running right). darn right it's more secure ;o)

So - while I'm on my rant - what email server do SMART people run on debian (what should I be using)? TIA - Bob
exim - what is it? (how does it run)
i've spent DAYS trying to get exim to work to no avail. so let me start at the beginning. What exactly IS exim? IOW: when I setup sendmail, I'm working with bash scripts. when I setup an exim conf file - what exactly runs it? perl?
exim4 config - what EXACTLY is "final destination"
On Dec 5, 9:50 pm, Andrew Sackville-West <[EMAIL PROTECTED]> wrote:
> exchange_router:
>   driver = manualroute # not manual!
>   data = ${lookup{$local_part}lsearch{/path/to/recipient-file}}
>   transport = exchange_smtp
>
> you don't need a 'fail' part (other thread) because since this router
> won't match, and the ACL above will deny it. I think.
>
> hth
>
> A

Andrew: 10TB TX! your posts helped immensely! Now the whole process is starting to make some sense to me. nothing like a good example to get you going! I "think" I can now handle the specifics of what I need to do programmatically (in the conf file). I should at least know enough to do some decent testing...

I believe there have only been 2 people, you & someone else that made reference to the example conf file distributed with exim. This file makes more sense than the other conf files. I am at a complete loss as to why more references to this file do not seem to exist - particularly in docs/FAQs I've read on debian & exim sites.

I had actually started to go thru this file before, but I stopped, because of 1 crucial thing. Even IF I got the file perfect - I'm still not sure where it goes! LOL. It certainly can't replace exim4.conf.template (I think) because none of the expected vars are in there. I don't think I can just place it in /var/lib/exim4/config.autogenerated because, as the name implies, that file gets overwritten each time exim is started. I don't "think" it does anything to leave it in /etc/exim4/exim.conf because I don't think that any automated process looks at that file... although I've seen many references to this file, I believe they were all related to exim ver. 3. I don't think it can replace sa-exim.conf as that file pertains to spam assassin. I have to assume it should not go in /etc/exim.conf as there IS an exim4 directory... no man page for exim.conf anyway... I had given up on exim.conf as a solution for all of the above reasons...
exim - what is it? (how does it run)
On Dec 5, 9:40 pm, Andrew Sackville-West <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 05, 2007 at 06:26:38PM -0800, [EMAIL PROTECTED] wrote:
> > ie: the command line [from my router] is:
> > data = [EMAIL PROTECTED]/etc/exim4/email-accept}
> > {:fail: User unknown }}
> >
> > what interpreter can I execute this line of code in to see what the
> > heck it's doing?
>
> one of my lookups that has a fail in it has no colons (:) around
> it and the fail is not in its own set of braces. try it like this:
>
> data =
> [EMAIL PROTECTED]/etc/exim4/email-accept}fail}}
>
> taking out the User unknown part.
>
> Don't ask me why...
>
> A

interesting... I did try it w/o enclosing fail in its own braces... but the expansion still shows "fail" when in fact, the lookup was successful. Does anyone know what language this is? I can just go look at a language reference for the lookup/lsearch command(s) if I knew what language this was. TX.. Bob
exim4 config - what EXACTLY is "final destination"
On Dec 6, 12:50 pm, Andrew Sackville-West <[EMAIL PROTECTED]> wrote:
> > I believe there have only been 2 people, you & someone else that made
> > reference to the example conf file distributed with exim. This file
>
> I think that was me too ;)

LOL

> > no man page for exim.conf
>
> /etc/exim4/exim4.conf
>
> it will override debconf's version.

Andrew, I'll give that a try - again. Many TX! really appreciate it! Bob
exim - what is it? (how does it run)
On Dec 6, 12:50 pm, David Brodbeck <[EMAIL PROTECTED]> wrote:
> On Dec 5, 2007, at 5:29 PM, Bob Goldberg wrote:
> > when I setup an exim conf file - what exactly runs it? perl?
>
> Exim reads it in itself. Just like Sendmail reads in sendmail.cf.
>
> Unless you're talking about Debian's Rube-Goldbergian system for
> building an Exim config file from pieces. I never really figured that
> out...I always ended up using one monolithic file, when I had to do
> manual configuration.

TX, David; no - only monolithic for me. the other sounds like too many things can go wrong or get confused. TX - Bob
back to basics: what's wrong with this exim condition statement?
running debian etch (which is exim4); I'm having problems with an ACL; so i've gone to absolute basics, and I still have a problem :)

So here's what I have in my ACL:

  accept message = condition is false
         condition = ${if eq{23}{123}{1}{0}}

next, I telnet in, and transact an email up to the rcpt to: command. IF my condition uses 123 & 123 (IOW: it's true), my rcpt to: command is accepted - just what I expected. however, with the above condition, I would expect to get the message "condition is false", and instead I get "unexpected failure". I tried appending an "endpass", but that did nothing.

what's wrong with my accept / condition statements? TIA - Bob
back to basics: what's wrong with this exim condition statement?
nevermind - I finally figured it out...
exim - config & timing of the queue - a few Q's :)
running debian etch, exim4; running exim as a relay to an internal email server; no local [to debian] mail or users.

I know that I want a queue, because if my internal email server is down, I want exim to collect & hold Email for it. Otherwise, I want email sent to it immediately. Apparently, the queue is not used for "local" delivery, and is only used to send Email on to its final destination. So, in my application, I expect that ALL deliverable Email is placed in the queue. I read that there is immediate email delivery, and that some Email is "queued", and delivered when the queue processes it.

1) Is any mail sent to the queue delivered "immediately"? If not, then all email is then dependent on queue timing - yes?

There appear to be 2 variables responsible for when stuff leaves the queue; /etc/default/exim4 & the retry section of /etc/exim4/exim4.conf.

default/exim4:
2) does stuff leave the queue ONLY when "it is 'run' "? if yes, then by default, email will only leave the queue every 30 minutes [minimum] (QUEUEINTERVAL='30m' is the installed setting). So If this is correct, then I, personally, want Email leaving 'immediately'. So is there any reason I should NOT set queueinterval=1m ??
3) I can run combined or separate daemons for the queue & smtp listening. For MY application - would I be better off with separate daemons?

/etc/exim4/exim4.conf - retry section:
4) by default, the retry section waits 15min before attempting to re-send failed email. Is there any reason I should NOT set this to 1 min. ?? (unless my internal server is down altogether, this should only happen if my internal server has too many connections - a problem that could resolve itself in SECONDS, not minutes).

I hope that my questions are all clear... ;) TIA - Bob
exim - config & timing of the queue - a few Q's :)
David, I'm very appreciative for your response... TX much for the info.
Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??
trying to determine best solution for an SFTP server.

vsftpd appears to be my current best choice, mostly because it's supported by the distribution; but i'm not sure it meets my needs.
I know mysecureshell meets my needs; but it's a sourceforge project, and not directly supported by the deb dist.

Here's where my needs cause problems - especially with chroot/openssh:
i have 2 classes of users accessing this sftp server. "users" and "managers". The problem is that managers need group "rw" rights, and normal chroot does not allow for ANY group "w" rights.

users must be chroot'ed to /home/chroot/home/.
 users belong to the chroot group.
 their home dir down, need all be group owned by chmgr.
 home dir down; should all be chmod 770(dir)/660(files). so and managers (chmgr group) all have rw access to files, and rwx /dirs; with other having no rights at all.

managers ideally chroot'ed to /home/chroot/home.
 they can access all folders, and transfer files in/out of each.
 they belong to the chmgr group.

so - yes, i know i can chmod 750 the dir, and then use sub-dirs under that are chmod 770; but this is messy, and forces another layer of dirs i'd prefer not to have.

so i guess my main question, simply is - can i do what i want with:
- vsftpd ? (preferred as is dist. supported)
- other ?
- mysecureshell - i KNOW this will do what i want; but not dist. supported.

what do demanding admins choose as their preferred sftp server ? TIA - Bob
Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??
ADDENDUM: forget about vsftp - this package has NOTHING WHAT-SO-EVER to do with SFTP. WTH were they thinking when they named that package!?

so my question now very simply becomes: what do demanding admins choose as a preferred SFTP server, that allows chrooting WITH group "w" access?

On Fri, Jan 3, 2014 at 12:52 PM, Bob Goldberg wrote:
> trying to determine best solution for an SFTP server.
>
> vsftpd appears to be my current best choice, mostly because it's
> supported by the distribution; but i'm not sure it meets my needs.
> I know mysecureshell meets my needs; but it's a sourceforge project,
> and not directly supported by the deb dist.
>
> Here's where my needs cause problems - especially with chroot/openssh:
> i have 2 classes of users accessing this sftp server.
> "users" and "managers". The problem is that managers need group "rw"
> rights, and normal chroot does not allow for ANY group "w" rights.
>
> users must be chroot'ed to /home/chroot/home/.
> users belong to the chroot group.
> their home dir down, need all be group owned by chmgr.
> home dir down; should all be chmod 770(dir)/660(files). so and
> managers (chmgr group) all have rw access to files, and rwx /dirs; with
> other having no rights at all.
>
> managers ideally chroot'ed to /home/chroot/home.
> they can access all folders, and transfer files in/out of
> each.
> they belong to the chmgr group.
>
> so - yes, i know i can chmod 750 the dir, and then use
> sub-dirs under that are chmod 770; but this is messy, and forces another
> layer of dirs i'd prefer not to have.
>
> so i guess my main question, simply is - can i do what i want with:
> - vsftpd ? (preferred as is dist. supported)
> - other ?
> - mysecureshell - i KNOW this will do what i want; but not dist. supported.
>
> what do demanding admins choose as their preferred sftp server ?
> TIA - Bob
Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??
On Sat, Jan 4, 2014 at 7:26 AM, Sven Hoexter wrote:
> I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> an option but I did not test it.

my first problem is successfully logging in with sftp-only and chroot'ing in place. AFAIK - ACLs would only come into play afterward.

> Then there is Proftpd which has a mod_sftp extension.
>
> And there are still the solutions which predate the chroot() and
> sftp-internal
> implementation possible with OpenSSH like
> - scponly
> - rssh
> - rush
>
> All of them have a somewhat mixed security record and have some cost in
> terms of chroot setup and maintaining them properly.

Sven, TX much for your reply...

proftpd:
1) wheezy does not have an sftp module
2) proftpd appears to rely on openssh for sftp, so appears to add no value.
3) IF proftpd did provide working sftp - appears that it can not share port 22 w/ openssh (which i do still need for full-access users unrelated to SFTP).

scponly: does not appear to be provided in wheezy !?!? can't find out why

rssh/rush:
1) not sure what is: diff rssh rush (searches come up worthless to answer this)
2) i haven't used rssh in a very long time - i guess i have to dig into it again to see if it will allow chroot'ing with group "w" perms.
3) "mixed security record" is a big concern.
Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??
Sven; tx again, for your reply... my only interest is sftp - so maybe scponly/rssh is worth looking at i've ruled out proftpd on the port 22 issues alone. so failing rssh, i guess i'll just have to deal with added directory layers, and "stock" openssh; though still toying with idea of mysecureshell; have used it previously with good results, but really wanted to try to stay true to the dist. this time around actually just had a thought - i didn't try doing a root:root chmod 750, and then over-riding with a group-specific acl. wonder if chroot would behave well in that "cross-circuit"... :-)
Re: debian-live-7.2 doesn´t start
On Fri, Jan 10, 2014 at 1:50 PM, peter.gierschner wrote:
> On 10.01.2014 19:50, Lisi Reisz wrote:
> > Putting this on list where OP might see it! It came to me off-list.
> >
> > > acpi=off nolapic fb=off nofb vga=normal (and maybe 1 more)
> > > if you want more technical information about what's happening during
> > > the boot - append this in addition:
> > > debug
> > >
> > > if you can't boot in console only mode - then something is really
> > > wrong.
> > > if the problem is video - that can be resolved.
> > >
> > > HTH - Bob
>
> I tried that. At first I was happy because it booted normally without
> error - but only one time, not reproducible. Seems to be a timing problem.
>
> Shortly said: it didn't work either :-
>
> Now: what can be "really wrong"?
>
> I think the HW is ok, W7 and XP are running normally, the GParted and the
> TrinityResourceKit Distros - both based on Linux - work well, too.
>
> peter

curious... in that case - I would definitely use the "debug" parameter, and see what the console messages reveal:
- any useful error messages
- how far does it get in boot before freezing
- what sub-system is it attempting to load at the point it freezes?

additional thought:
- which kernel version is trying to boot? 2.6.x or 3.x ? maybe one works, and the other doesn't.
- i suspect that the other lin dists that do work, are using 2.6x. if you can tell deb-live to use the older kernel, might have different results.

- Bob
permissions: can you force ACL to be effective over unix perms?
running wheezy. I have a dir w/ unix perm = 750 IE:

  root@wheezy:/home/chtest/home# ls -l
  drwxr-s--- 3 root chadm 4096 Jan 9 14:12 ftptest

I added an acl g perm using:

  # setfacl -m g:chadm:rwx ftptest

this, unfortunately, changes unix perm to = 770 IE:

       V
  drwxrWs---+ 3 root chadm 4096 Jan 9 14:12 ftptest

I then re-removed unix g w perm:

  # chmod g-w ftptest

IE:

  drwxr-s---+ 3 root chadm 4096 Jan 9 14:12 ftptest

This action causes unix perms to OVERRIDE acl perms - NOT what I want: IE:

  root@wheezy:/home/chtest/home# getfacl ftptest
  # file: ftptest
  # owner: root
  # group: chadm
  # flags: -s-
  user::rwx
  group::r-x
  group:chadm:rWx    #effective:r-x
  mask::r-x
  other::---

So - Is there a way to force ACL perms to dictate the effective rights??

FWIW: it APPEARS to me that the acl access check algorithm will not allow this. however - since the entire acl sub-system was "meant to increase granularity of permissions" - shouldn't acl ALWAYS override unix perms? is this a bug in the ACL algorithm?

=== end of my question; begin additional info ===

because I KNOW someone will want to know why this is a problem - here's why, and I hope you're not sorry you asked !! :-)

I'm using [openssh] internal-sftp to chroot users to their home dir. internal-sftp's chroot DEMANDS that all dirs leading to home MUST be root-owned, and NO g-w permissions !! But my managers (members of group: chadm) must have full permissions in all sftp users' home dirs. So NEITHER my sftp user, NOR my managing group have write access to the home directory !?!? (yes, i know i can create another sub-dir they can get at, but i don't want to - that's sloppy, and un-intuitive.)

This SEEMS like such a simple task. And it PAINS me to no end, that this task would be relatively easy to implement under windoze - but seems impossible to solve under linux !!??? ...sup w/ dat !?!? TIA - Bob
Re: Installing several OSes from a single flash drive
On Fri, Jan 10, 2014 at 6:30 PM, wrote:
> I've been tinkering with the idea of installing different operating
> systems, not necessarily Linux, from the same bootable flash drive.
> --
> David Griffith

David; when it comes to booting ANYTHING off a flash drive - for me - there's only 1 flash drive I need; I multi-boot my flash with yumi; and let it boot EVERYTHING else, including win pe - if anyone would ever really want that... :-)

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

Bob
Re: debian-live-7.2 doesn´t start
many of the previous replies have touched on what i would have added. FWIW: i live on live-boots (no pun intended :) for all kinds of diagnostic work, and temp work env's. for this I use knoppix. it's one of the best (IMHO) live-boot linux dists out there. ironically, knoppix is debian based. so i'm not sure why deb-live would be problematic, but maybe knoppix will serve your live-boot needs - if it boots Bob
Re: permissions: can you force ACL to be effective over unix perms?
Joel; i'm confused by your comments, which i'll address individually; with apologies in advance to the group for length, and content:

On Fri, Jan 10, 2014 at 6:41 PM, Joel Rees wrote:
> On Sat, Jan 11, 2014 at 8:50 AM, Bob Goldberg wrote:
> >
> > So - Is there a way to force ACL perms to dictate the effective rights??
>
> It seems to me that I would want to understand the answer to this
> question before I try to use ACLs. Which means that, if I had to use
> ACLs for work, I would tell the boss I need a block of time to make a
> set of throw-away users and groups to test the results of things, to
> make sure that I understand the results I get.
>
> (Bosses who can't accept that kind of answer aren't fit to be bosses,
> but that observation only helps one to find a way to do the necessary
> job without taking the undeserved insults to heart. Or to tell the
> boss he can have his job if things get really, really bad.)

1) the REASON i'm asking the question above (which is explicitly about ACLs) - IS BECAUSE I ALREADY HAVE SOME understanding of ACLs, but have a question pertaining to specific functionality/behavior. I'm asking the question because I'VE ALREADY GOT test users which i'm using as my test-lab to attempt to answer my own questions.
2) I think you misunderstand my use of "managers" - these are NOT my bosses - these are managers that work under me and on which, I WANT to impose certain working behaviors.

> > FWIW:
> > it APPEARS to me that the acl access check algorithm will not allow this.
>
> I don't think you are understanding your results. (But I may be wrong.
> I don't use ACLs.)

i'm ALMOST speechless.
1) i think my question implicitly shows I DO UNDERSTAND my results. My question relates directly to how ACLs are affecting my results. Further it shows what I think the crux of my problem is - illustrating that I have made an attempt to do considerable research on the problem.
2) "you don't use ACLs" then why are you even responding, if you don't understand the topic on which i'm querying? You may question the sanity of my underlying premise, or goal - and that is welcome - but CONSTRUCTIVE criticism is appreciated.

> > however - since the entire acl sub-system was "meant to increase
> > granularity of permissions" - shouldn't acl ALWAYS override unix perms?
>
> I may be wrong here, but how could ACLs override the native
> permissions system randomly without opening tons of new opportunities
> for discovering vulnerabilities?

ACLs DO OVERRIDE the native permissions - that's THE WHOLE POINT OF HAVING THEM !! They DO NOT do so "randomly" - man setfacl, and see that, ACLs are VERY explicit in how they override system perms.

> > is this a bug in
> > the ACL algorithm?
>
> 8-o

not sure what's surprising here. I've laid out my understanding of ACLs, and by the stated intent of the ACL sub-system (in the dpkg desc.), my results appear to demonstrate a divergence in observed behavior, from my interpretation of the stated intent. The whole point of my email, is asking the community to either show me where I'm wrong, or confirm that I may have found a bug; and/or to tell me how to do this, assuming my understanding is correct.

> > === end of my question; begin additional info ===
> >
> > because I KNOW someone will want to know why this is a problem - here's
> > why, and I hope you're not sorry you asked !! :-)
> >
> > I'm using [openssh] internal-sftp to chroot users to their home dir.
> > internal-sftp's chroot DEMANDS that all dirs leading to home MUST be
> > root-owned, and NO g-w permissions !!
>
> Do you understand why?

do i understand WHY? maybe i don't fully understand why. though to be blunt - i don't entirely care why. My desire to work around this default behavior would seem to already IMPLY i don't fully know why.

I don't see my desires as being detrimental to the security that openssh provides, because i'm enhancing security with ACL - though i'm sure openssh doesn't know that. :)

PLUS: There's a difference between chroot'ing a user, which REQUIRES a complete root environment; and internal-sftp's chroot'ing, which was added to sftp to explicitly avoid the need for a complete root environment. IF A USER IS INTERNAL-SFTP-chroot'ed TO HIS HOME DIR, NO, I don't see why they shouldn't have write access to it. if a managing group is not chroot'ed at all, NO, I do NOT see why that group shouldn't be able to have write access [as a group] inside a directory tree which chroot's other users whose group membership is unrelat
Re: permissions: can you force ACL to be effective over unix perms?
On Mon, Jan 13, 2014 at 5:40 PM, Scott Ferguson <scott.ferguson.debian.u...@gmail.com> wrote:
> I've followed the posts in this thread, dealing with the various
> tangents it's taken won't help you, probably the reason why it's
> received little attention.

Good point; noted, and TY.

> On 11/01/14 10:50, Bob Goldberg wrote:
> >
> > This action causes unix perms to OVERRIDE acl perms - NOT what I want
>
> Then you'll have to find another way to achieve what you want.
>
> *ACL should never override UNIX perms*. And they can't - if they did it
> 'would' be a bug.
>
> > shouldn't acl ALWAYS override unix perms?
>
> NO. I'm sorry about your confusion, probably due to differences between
> the Windows system and UNIX. File attributes are not the same as UNIX
> permissions.

Scott; you're right about my confusion; though it doesn't stem from Windows. I only used that ref. as an attempted comic comparison. (I actually learned *nix before Windows existed.)

Here are examples of where my confusion comes from:

from: http://www.softpanorama.org/Commercial_linuxes/linux_acl.shtml
>> *ACLs grant "higher-level" access rights that have priority over regular file permissions.* <<

from: http://users.suse.com/~agruen/acl/linux-acls/online/ (under: Access Check Algorithm)
>> *A process can be a member in more than one group, so more than one group entry can match. If any of these matching group entries contain the requested permissions, one that contains the requested permissions is picked* <<

I've read numerous articles which indicate ACLs should have priority over normal unix permissions. My experiences, and information relayed in this thread, contradict this. Whenever I have a problem, I always assume I'M doing something wrong. These articles made me think my understanding was accurate, and therefore I must not be communicating the problem correctly. So - I'm happy to be wrong about something - that's how I learn.

But if I'm wrong here - then it appears there is a bug in the ACL implementation (or I've SERIOUSLY misinterpreted statements like those above). If I'm wrong - I would really like to understand how I got here.

TIA - Bob
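The two passages above (the "root-owned, no g-w" requirement that internal-sftp's ChrootDirectory imposes, and the access-check algorithm quoted from the SUSE ACL documentation) interact through one detail that neither quote spells out: once a file carries an extended ACL, its group permission bits in st_mode are the ACL mask entry, and every named-user, named-group and owning-group entry is ANDed with that mask before the access check (this is documented in acl(5) and in chmod(1)). sshd's ChrootDirectory check, per sshd_config(5), requires every path component to be a root-owned directory that is not writable by any other user or group, and it tests those same st_mode bits. The model below is an added example written for this thread, not code from the acl package, OpenSSH or anyone in the thread; it implements the acl(5) ACCESS CHECK ALGORITHM and the chmod-sets-the-mask rule, and replays the thread's setup with placeholder uids/gids (bob 1000, the manager 1001, group chadm 2000) and a root-owned 0755 chroot directory.

```python
"""POSIX ACL access check, modelled after acl(5), to show how chmod and the
ACL mask interact. Added example, not code from the thread or from the acl
package; uids/gids and the names bob, manager and chadm are placeholders
chosen to match the scenario in the thread."""

R, W, X = 4, 2, 1
PERM_STR = {p: "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))
            for p in range(8)}

ROOT_UID, ROOT_GID = 0, 0
BOB_UID, BOB_GID = 1000, 1000        # chroot'ed sftp user (placeholder ids)
MGR_UID, CHADM_GID = 1001, 2000      # sftp manager, member of group chadm


class Acl:
    """Access ACL of one file: owner, owning group, other, named entries, mask."""

    def __init__(self, uid, gid, mode):
        self.uid, self.gid = uid, gid
        self.user_obj, self.group_obj, self.other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
        self.named_users, self.named_groups = {}, {}
        self.mask = None                  # None: minimal ACL, no mask entry

    def setfacl(self, users=None, groups=None):
        """setfacl -m u:..:.. / g:..:.. with the default mask recalculation
        (mask = union of the owning-group entry and all named entries)."""
        self.named_users.update(users or {})
        self.named_groups.update(groups or {})
        self.mask = self.group_obj
        for p in (*self.named_users.values(), *self.named_groups.values()):
            self.mask |= p

    def chmod(self, mode):
        """chmod(2): with an extended ACL the group bits set the MASK entry;
        the owning-group entry itself is left untouched (acl(5))."""
        self.user_obj, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def mode(self):
        """What stat(2) / ls -l report: the group field shows the mask."""
        g = self.group_obj if self.mask is None else self.mask
        return (self.user_obj << 6) | (g << 3) | self.other

    def _eff(self, perms):
        return perms if self.mask is None else perms & self.mask

    def access(self, uid, groups, want):
        """acl(5) ACCESS CHECK ALGORITHM. groups: effective + supplementary gids."""
        if uid == self.uid:                       # 1. owner entry, never masked
            return self.user_obj & want == want
        if uid in self.named_users:               # 2. named user, masked
            return self._eff(self.named_users[uid]) & want == want
        matching = [self.group_obj] if self.gid in groups else []
        matching += [p for g, p in self.named_groups.items() if g in groups]
        if matching:                              # 3. any matching group entry, masked
            return any(self._eff(p) & want == want for p in matching)
        return self.other & want == want          # 4. other

    def _eff_note(self, p):
        return "" if self._eff(p) == p else f"\t#effective:{PERM_STR[self._eff(p)]}"

    def getfacl(self):
        """getfacl-style listing, including the #effective: annotation."""
        lines = [f"user::{PERM_STR[self.user_obj]}"]
        lines += [f"user:{u}:{PERM_STR[p]}" + self._eff_note(p) for u, p in self.named_users.items()]
        lines.append(f"group::{PERM_STR[self.group_obj]}" + self._eff_note(self.group_obj))
        lines += [f"group:{g}:{PERM_STR[p]}" + self._eff_note(p) for g, p in self.named_groups.items()]
        if self.mask is not None:
            lines.append(f"mask::{PERM_STR[self.mask]}")
        lines.append(f"other::{PERM_STR[self.other]}")
        return lines


def sshd_chroot_accepts(acl):
    """ChrootDirectory rule from sshd_config(5): root-owned and not writable by
    any other user or group. sshd tests st_mode, so it sees the mask bits."""
    return acl.uid == ROOT_UID and acl.mode() & 0o022 == 0


def scenario():
    """The thread's setup: /home/chroot/bob is root:root 0755 (as sshd demands)
    and the manager's group chadm is granted rwx through an ACL."""
    home = Acl(ROOT_UID, ROOT_GID, 0o755)
    home.setfacl(groups={CHADM_GID: R | W | X})
    after_setfacl = (sshd_chroot_accepts(home), home.access(MGR_UID, {CHADM_GID}, W))
    # Re-applying chmod 755 to satisfy sshd rewrites the mask, not the group entry.
    home.chmod(0o755)
    after_chmod = (sshd_chroot_accepts(home), home.access(MGR_UID, {CHADM_GID}, W))
    return {
        "after_setfacl": after_setfacl,   # (False, True): manager can write, sshd refuses the chroot
        "after_chmod": after_chmod,       # (True, False): sshd accepts, manager is masked out
        "user_can_write": home.access(BOB_UID, {BOB_GID}, W),  # False: root-owned 0755 dir
        "getfacl": home.getfacl(),        # shows group:2000:rwx  #effective:r-x
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Run as a script it walks through both states. The point it makes is that the bits sshd inspects for its "not group-writable" rule and the ACL mask are the same bits, so granting chadm write access through a named-group entry and keeping the directory acceptable to ChrootDirectory are mutually exclusive on that directory; the `#effective:r-x` annotation getfacl prints is the documented masking, not a bug. It also shows that the chroot'ed user cannot write into a root-owned 0755 directory either, which is why installations that use ChrootDirectory usually give the user a writable subdirectory (or a writable home one level below the chroot) rather than the chroot directory itself.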
Re: permissions: can you force ACL to be effective over unix perms?
On Tue, Jan 14, 2014 at 7:13 AM, Joel Rees wrote:
> Caveat. I don't have the patience to work with ACLs, mostly because I
> can't see how they could really work without bringing a system to its
> knees.

To be honest - ACLs were by far my first choice for solving my problem. There is no doubt there's been misinterpretations; I'm sorry for that. So let me drop back to square one, and explain what I want - at the highest level.

SIMPLY, this: I have 2 classes of users - SFTP users (customers), and SFTP managers (company users that manage customer data). I want a highly secure and privacy-safe SFTP server. But I also want it to appear to users as simple and easy as possible. All users will access SFTP only via an SFTP client.

So my wants are:
- sftp access only (but not to exclude ssh access for linux users).
- sftp users chroot'ed to their home dir, without any added levels of directories [beneath home].
- so users should have "w" access to their home.
- sftp managers should have "w" access to all sftp-users' home dirs.

What would be the best way to accomplish this? I don't care how complex the setup/config is - as long as it's as easy and idiot-proof for my users as possible.

TIA - Bob