Thread: systemd bug or OpenSuSE 12.3 security patch problem?

  1. #1
    systemd bug or OpenSuSE 12.3 security patch problem?

    Hello all,
    I started having some weird issues about a week ago, maybe more, right around the same time as apper installed a security patch. I don't know if they're related or not. The first thing I noticed was a window kept prompting me for root's password. It said "System policies prevent you from getting the brightness level. Action 'Get brightness' Vendor 'KDE' polkit.subject-pid ###, polkit.caller-pid #####"
    I searched the internet and found out how to satisfy the needs of the app so it wouldn't pop up the darn window three or four times an hour!

    However, while trolling through my system logs, and trying to perform some other activities, I've come across some disturbing entries.
    This is from /var/log/messages. In particular, notice the first three lines:
    Code:
    2013-07-31T16:45:45.526204-05:00 starlock systemd[17009]: systemd 195 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ; suse)
    2013-07-31T16:45:45.563934-05:00 starlock systemd[17009]: Failed to set hostname to <starlock.silicon-penguin>: Operation not permitted
    2013-07-31T16:45:45.564009-05:00 starlock systemd[17009]: Failed to open /dev/tty0: Permission denied
    2013-07-31T16:45:45.565031-05:00 starlock systemd[17009]: Using cgroup controller name=systemd. File system hierarchy is at /sys/fs/cgroup/systemd/user/terryw/58/system.
    2013-07-31T16:45:45.596424-05:00 starlock systemd[17009]: Release agent already installed.
    2013-07-31T16:45:45.597175-05:00 starlock systemd[17009]: Created root group.
    2013-07-31T16:45:45.597723-05:00 starlock systemd[17009]: Using notification socket @/org/freedesktop/systemd1/notify/15384566010587921417
    2013-07-31T16:45:45.630877-05:00 starlock systemd[17009]: Spawned /usr/lib/systemd/system-generators/systemd-getty-generator as 17010
    2013-07-31T16:45:45.631528-05:00 starlock systemd[17009]: Spawned /usr/lib/systemd/system-generators/systemd-fstab-generator as 17011
    2013-07-31T16:45:45.632171-05:00 starlock systemd[17009]: Spawned /usr/lib/systemd/system-generators/systemd-cryptsetup-generator as 17012
    2013-07-31T16:45:45.632803-05:00 starlock systemd[17009]: Spawned /usr/lib/systemd/system-generators/systemd-system-update-generator as 17013
    2013-07-31T16:45:45.633349-05:00 starlock systemd[17009]: Spawned /usr/lib/systemd/system-generators/systemd-rc-local-generator as 17014
    2013-07-31T16:45:45.653121-05:00 starlock systemd[17009]: /usr/lib/systemd/system-generators/systemd-getty-generator exited successfully.
    2013-07-31T16:45:45.679248-05:00 starlock systemd[17009]: /usr/lib/systemd/system-generators/systemd-fstab-generator exited successfully.
    2013-07-31T16:45:45.680012-05:00 starlock systemd[17009]: /usr/lib/systemd/system-generators/systemd-cryptsetup-generator exited successfully.
    2013-07-31T16:45:45.680564-05:00 starlock systemd[17009]: /usr/lib/systemd/system-generators/systemd-system-update-generator exited successfully.
    2013-07-31T16:45:45.681106-05:00 starlock systemd[17009]: /usr/lib/systemd/system-generators/systemd-rc-local-generator exited successfully.
    2013-07-31T16:45:45.697708-05:00 starlock systemd[17009]: Looking for unit files in:
    2013-07-31T16:45:45.698816-05:00 starlock systemd[17009]: #011/etc/systemd/system
    2013-07-31T16:45:45.810416-05:00 starlock systemd[17009]: #011/tmp/systemd-generator.yikPXO
    2013-07-31T16:45:45.811039-05:00 starlock systemd[17009]: #011/usr/lib/systemd/system
    2013-07-31T16:45:45.811583-05:00 starlock systemd[17009]: #011/lib/systemd/system
    2013-07-31T16:45:45.812214-05:00 starlock systemd[17009]: Looking for SysV init scripts in:
    2013-07-31T16:45:45.812816-05:00 starlock systemd[17009]: #011/etc/init.d
    2013-07-31T16:45:45.813436-05:00 starlock systemd[17009]: Looking for SysV rcN.d links in:
    2013-07-31T16:45:45.813989-05:00 starlock systemd[17009]: #011/etc/init.d
    2013-07-31T16:45:46.200497-05:00 starlock systemd[17009]: Failed to load configuration for scsidev.service: No such file or directory
    2013-07-31T16:45:46.201399-05:00 starlock systemd[17009]: Failed to load configuration for multipath.service: No such file or directory
    2013-07-31T16:45:46.424106-05:00 starlock systemd[17009]: Failed to load configuration for krb5kdc.service: No such file or directory
    2013-07-31T16:45:46.475132-05:00 starlock systemd[17009]: Failed to load configuration for ypserv.service: No such file or directory
    2013-07-31T16:45:46.480495-05:00 starlock systemd[17009]: Failed to load configuration for basic.service: No such file or directory
    2013-07-31T16:45:46.488375-05:00 starlock systemd[17009]: Failed to load configuration for syslogd.service: No such file or directory
    2013-07-31T16:45:46.489197-05:00 starlock systemd[17009]: Failed to load configuration for syslog-ng.service: No such file or directory
    2013-07-31T16:45:46.604628-05:00 starlock systemd[17009]: Failed to load configuration for auditd.service: No such file or directory
    2013-07-31T16:45:46.889660-05:00 starlock systemd[17009]: Failed to load configuration for acpid.service: No such file or directory
    2013-07-31T16:45:46.890685-05:00 starlock systemd[17009]: Failed to load configuration for resmgr.service: No such file or directory
    2013-07-31T16:45:46.891397-05:00 starlock systemd[17009]: Failed to load configuration for firstboot.service: No such file or directory
    2013-07-31T16:45:46.912659-05:00 starlock systemd[17009]: Failed to load configuration for network-remotefs.service: No such file or directory
    2013-07-31T16:45:46.957964-05:00 starlock systemd[17009]: Failed to load configuration for openibd.service: No such file or directory
    2013-07-31T16:45:46.958765-05:00 starlock systemd[17009]: Failed to load configuration for isdn.service: No such file or directory
    2013-07-31T16:45:46.963554-05:00 starlock systemd[17009]: Failed to load configuration for ldap.service: No such file or directory
    2013-07-31T16:45:46.975038-05:00 starlock systemd[17009]: Failed to load configuration for local_fs.target: No such file or directory
    2013-07-31T16:45:47.000455-05:00 starlock systemd[17009]: Failed to load configuration for exim.service: No such file or directory
    2013-07-31T16:45:47.001078-05:00 starlock systemd[17009]: Failed to load configuration for sendmail.service: No such file or directory
    2013-07-31T16:45:47.013732-05:00 starlock systemd[17009]: Failed to load configuration for openslp.service: No such file or directory
    2013-07-31T16:45:47.037758-05:00 starlock systemd[17009]: Failed to load configuration for cyrus.service: No such file or directory
    2013-07-31T16:45:47.068684-05:00 starlock systemd[17009]: Failed to load configuration for amavis.service: No such file or directory
    2013-07-31T16:45:47.079786-05:00 starlock systemd[17009]: Failed to load configuration for ndsd.service: No such file or directory
    2013-07-31T16:45:47.147830-05:00 starlock systemd[17009]: Failed to load configuration for lwresd.service: No such file or directory
    2013-07-31T16:45:47.217187-05:00 starlock systemd[17009]: sys-kernel-debug.mount changed dead -> mounted
    While searching the net for an answer, I found a bug report here: https://bugzilla.redhat.com/show_bug...iple&id=982920
    If you'll note, the lines returned by the test are the same as my logfile. When I run the systemd test myself, I can reproduce the lines from my log:
    Code:
    terryw@starlock:~> systemd --test --system --unit=multi-user.target >systemd.test.txt
    systemd 195 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ; suse)
    Failed to set hostname to <starlock.silicon-penguin>: Operation not permitted
    Failed to open /dev/tty0: Permission denied
    Loaded units and determined initial transaction in 66ms 390us.
    This machine runs (successfully) a DHCP server for the other machines on the network, however, I've got my BIND installation fairly well borked up. I think THAT'S also due to that security patch. Actually, I'm not sure any of it has anything to do with that security patch.
    I can't load SWAT. I can't run doomsday (it tries to connect to a port on 127.0.0.1). And very importantly, I can't run Oracle VM Virtual Box, which was running fine. I can however run Virtual Box as root, which I don't want to do!

    Information: OpenSuSE 12.3 "Vanilla" KDE What else do you want to know?
    Any ideas or help would be much appreciated! Thanks,
    Terry.

  2. #2
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    As for systemd, I see the same error and I am not having any other troubles. You may wish to open your own bug report in Novell Bugzilla if you like: Welcome to Novell's Bugzilla

    As for using systemd, have a look at my bash script helper you can find here: SysdCmd - systemd Command Help/Config Editor - Blogs - openSUSE Forums

    As for SWAT, it no longer works in openSUSE 12.3 and is unrelated to any systemd problems. Have a look at my blog on Samba Here: S.A.C.T. - Samba Automated Configuration Tool - Version 1.06 - Blogs - openSUSE Forums

    As for VirtualBox, it runs fine in openSUSE 12.3 and I use the version from Oracle 4.2.16 I think it is. For VM issues, post your questions here: https://forums.opensuse.org/english/...irtualization/, we would love to help.

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    It's James again from Austin, Texas

  3. #3
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    On 2013-08-01 02:06, silicon penguin67 wrote:
    >
    > Hello all,
    > I started having some weird issues about a week ago, maybe more, right
    > around the same time as apper installed a security patch.


    Do you know what that update was?

    If you don't, you can list all updates sorted by dates with something
    like this:

    Code:
    rpm -q -a --queryformat "%{INSTALLTIME}\t%{INSTALLTIME:day} \
    %{BUILDTIME:day} %-30{NAME}\t%15{VERSION}-%-7{RELEASE}\t%{arch} \
    %25{VENDOR}%25{PACKAGER} == %{DISTRIBUTION} %{DISTTAG}\n" \
    | sort | cut --fields="2-" | tee rpmlist | less -S
    Try to find out what you installed.

    Another thing. What is the output of this:

    Code:
    grep PERMISSION_SECURITY /etc/sysconfig/security
    If it is not "easy local", that may be the problem.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  4. #4
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    Thanks for responding. I ran the rpm script and it returned a very large amount of data. I looked through it and there was nothing marked as a "security patch", however, there were some kde-base and sudo bugfixes.

    The result of the other command:
    Code:
    starlock:/var/log # grep PERMISSION_SECURITY /etc/sysconfig/security
    PERMISSION_SECURITY="easy local"
    I set that by hand yesterday, it was "secure local".

    I've got to go check out james' suggestions... btw, james has a great log file script called "Suse Logfile Automated Viewer Engine" or some such... Works great, thanks james!

    Virtual Box was running great, until all of this started to happen. Now when I try to run it, I get this:


    All the errors I've been getting are related to permissions being changed on files and directories, or certain files being "bumped up" in security levels. I mean things like /etc/sysconfig/security being set at "secure local". Or, in some cases, file ownership being changed from XXX to root. The named working directories were made root's. How did that happen? Changed them back to named and cleared up a ton of named error messages. That's why I thought it might have been an OpenSuSE security patch. That and I remember all this starting around the same time as I installed one. Any other ideas?
    I'll go read up on what james sent in the mean time. Thanks again !!
    Cheers,
    Terry.

  5. #5

    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    Quote Originally Posted by silicon_penguin67
    > Thanks for responding. I ran the rpm script and it returned a very large amount of data. I looked through it and there was nothing marked as a "security patch", however, there were some kde-base and sudo bugfixes.
    >
    > The result of the other command:
    > Code:
    > starlock:/var/log # grep PERMISSION_SECURITY /etc/sysconfig/security
    > PERMISSION_SECURITY="easy local"
    > I set that by hand yesterday, it was "secure local".

    You need to run "set_polkit_default_privs" and "chkstat --system" as root for that to have effect.

    > All the errors I've been getting are related to permissions being changed on files and directories, or certain files being "bumped up" in security levels. I mean things like /etc/sysconfig/security being set at "secure local". Or, in some cases, file ownership being changed from XXX to root. The named working directories were made root's. How did that happen? Changed them back to named and cleared up a ton of named error messages. That's why I thought it might have been an OpenSuSE security patch. That and I remember all this starting around the same time as I installed one. Any other ideas?

    I don't think so. A security patch shouldn't change your settings.
    Maybe you played around with YaST->"Security and Users"->"Security Center and Hardening"?

    Is your problem with those Authorization requests fixed now?
    If not, this could be caused by a missing pam_systemd.
    Please post the output of "loginctl" as user.

  6. #6
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    Code:
    starlock:/var/log # set_polkit_default_privs
    starlock:/var/log # chkstat --system
    Checking permissions and ownerships - using the permissions files
            /etc/permissions
            /etc/permissions.easy
            /etc/permissions.d/gweled
            /etc/permissions.d/mail-server
            /etc/permissions.d/postfix
            /etc/permissions.d/texlive
            /etc/permissions.local
    setting /var/lib/named/dev/null to root:root 0666. (wrong owner/group named:named)
    /var/lib/named/dev/null: don't know what to do with that type of file
    setting /var/lib/named/dev/random to root:root 0666. (wrong owner/group named:named)
    /var/lib/named/dev/random: don't know what to do with that type of file
    setting /etc/crontab to root:root 0644. (wrong permissions 0600)
    setting /usr/bin/at to root:trusted 4755. (wrong permissions 4750)
    setting /usr/bin/crontab to root:trusted 4755. (wrong permissions 4750)
    setting /sbin/mount.nfs to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/eject to root:audio 4755. (wrong permissions 4750)
    setting /usr/bin/fusermount to root:trusted 4755. (wrong permissions 4750)
    setting /usr/bin/v4l-conf to root:video 4755. (wrong permissions 4750)
    setting /usr/bin/wall to root:tty 2755. (wrong permissions 0755)
    setting /usr/bin/write to root:tty 2755. (wrong permissions 0755)
    setting /usr/sbin/mtr to root:dialout 4750. (wrong permissions 0755)
    setting /usr/lib/mc/cons.saver to root:root 4755. (wrong permissions 0755)
    setting /opt/kde3/bin/kpac_dhcp_helper to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/fileshareset to root:root 4755. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VirtualBox to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VBoxBFE to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VBoxHeadless to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VBoxSDL to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VBoxNetAdpCtl to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/lib/virtualbox/VBoxNetDHCP to root:vboxusers 4750. (wrong permissions 0755)
    setting /usr/bin/vmware-user-suid-wrapper to root:root 4755. (wrong permissions 0755)
    setting /usr/lib/chrome_sandbox to root:root 4755. (wrong permissions 0755)
    ERROR: not all operations were successful.

    Code:
    terryw@starlock:~> loginctl
       SESSION        UID USER             SEAT            
    
            c1          0 root                             
            58       1000 terryw           seat0           
    
    2 sessions listed.
    I may have gone and "Maybe you played around with YaST->"Security and Users"->"Security Center and Hardening"?", but not until after things started going haywire...
    Now around the same time, I had been trying to setup BIND... not sure what that would have to do with all this, but it was around the same time?

    Thanks and cheers,
    Terry.
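
Added example (not written by any poster in this thread and not part of chkstat): a small Python parser for the `chkstat --system` output format shown in post #6, which groups each reported change by its security effect so that binaries gaining setuid/setgid and files gaining world access stand out. The sample input is a subset of the lines quoted in that post; the category names and function names are this example's own.

```python
import re
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a subset of the `chkstat --system` lines quoted in post #6.
SAMPLE = """\
Checking permissions and ownerships - using the permissions files
        /etc/permissions
        /etc/permissions.easy
setting /var/lib/named/dev/null to root:root 0666. (wrong owner/group named:named)
/var/lib/named/dev/null: don't know what to do with that type of file
setting /etc/crontab to root:root 0644. (wrong permissions 0600)
setting /usr/bin/at to root:trusted 4755. (wrong permissions 4750)
setting /sbin/mount.nfs to root:root 4755. (wrong permissions 0755)
setting /usr/bin/wall to root:tty 2755. (wrong permissions 0755)
setting /usr/sbin/mtr to root:dialout 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VirtualBox to root:vboxusers 4750. (wrong permissions 0755)
ERROR: not all operations were successful.
"""

# "setting PATH to OWNER:GROUP MODE. (wrong permissions OLD)" or
# "setting PATH to OWNER:GROUP MODE. (wrong owner/group OLD_OWNER:OLD_GROUP)"
SETTING = re.compile(
    r"^setting (?P<path>\S+) to (?P<owner>[^:\s]+):(?P<group>\S+) "
    r"(?P<mode>[0-7]{3,4})\. "
    r"\(wrong (?P<kind>permissions|owner/group) (?P<old>[^)]+)\)$"
)
# Follow-up line chkstat prints when it did not act on the entry.
SKIPPED = re.compile(r"^(?P<path>/\S+): don't know what to do with that type of file$")


@dataclass
class Change:
    path: str
    target: str               # owner:group that chkstat is enforcing
    new_mode: int
    old_mode: Optional[int]   # None on an owner/group mismatch line
    applied: bool = True
    flags: List[str] = field(default_factory=list)


def classify(old: int, new: int) -> List[str]:
    """Compare two permission modes and name the security-relevant differences."""
    flags = []
    if (new & stat.S_ISUID) and not (old & stat.S_ISUID):
        flags.append("setuid-added")
    if (new & stat.S_ISGID) and not (old & stat.S_ISGID):
        flags.append("setgid-added")
    if (old & (stat.S_ISUID | stat.S_ISGID)) & ~new:
        flags.append("special-bit-removed")
    if (new & 0o007) & ~(old & 0o007):
        flags.append("world-access-added")
    if (old & 0o007) & ~(new & 0o007):
        flags.append("world-access-removed")
    return flags


def parse_chkstat(text: str) -> List[Change]:
    """Turn chkstat output into Change records; unrelated lines are ignored."""
    changes: List[Change] = []
    by_path: Dict[str, Change] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SETTING.match(line)
        if m:
            new = int(m["mode"], 8)
            if m["kind"] == "permissions":
                old: Optional[int] = int(m["old"], 8)
                flags = classify(old, new)
            else:
                old, flags = None, ["owner-changed"]
            change = Change(m["path"], f'{m["owner"]}:{m["group"]}', new, old, flags=flags)
            changes.append(change)
            by_path[change.path] = change
            continue
        m = SKIPPED.match(line)
        if m and m["path"] in by_path:
            skipped = by_path[m["path"]]
            skipped.applied = False
            skipped.flags.append("not-applied")
    return changes


def review(text: str) -> Dict[str, List[str]]:
    """Group the affected paths by flag so the risky categories can be read first."""
    groups: Dict[str, List[str]] = {}
    for change in parse_chkstat(text):
        for flag in change.flags:
            groups.setdefault(flag, []).append(change.path)
    return {flag: sorted(paths) for flag, paths in groups.items()}


if __name__ == "__main__":
    for flag, paths in sorted(review(SAMPLE).items()):
        print(f"{flag}:")
        for path in paths:
            print(f"  {path}")
```

Saving the real output with `chkstat --system 2>&1 | tee chkstat.log` and passing the file's contents to `review()` gives the same grouping for a full run.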

  7. #7
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    Now I can run VirtualBox! Excellent! Thank You!
    Code:
    2013-08-01T00:09:33.478174-05:00 starlock polkitd[4892]: Reloading rules
    2013-08-01T00:09:33.478688-05:00 starlock polkitd[4892]: Collecting garbage unconditionally...
    2013-08-01T00:09:34.007885-05:00 starlock polkitd[4892]: Loading rules from directory /etc/polkit-1/rules.d
    2013-08-01T00:09:34.008908-05:00 starlock polkitd[4892]: Loading rules from directory /usr/share/polkit-1/rules.d
    2013-08-01T00:09:34.064524-05:00 starlock polkitd[4892]: Finished loading, compiling and executing 2 rules
    2013-08-01T00:09:34.066640-05:00 starlock polkitd[4892]: Reloading rules
    2013-08-01T00:09:34.068740-05:00 starlock polkitd[4892]: Collecting garbage unconditionally...
    2013-08-01T00:09:34.068775-05:00 starlock polkitd[4892]: Loading rules from directory /etc/polkit-1/rules.d
    2013-08-01T00:09:34.068783-05:00 starlock polkitd[4892]: Loading rules from directory /usr/share/polkit-1/rules.d
    2013-08-01T00:09:34.069929-05:00 starlock polkitd[4892]: Finished loading, compiling and executing 2 rules
    2013-08-01T00:09:43.873538-05:00 starlock systemd[1]: Starting Cleanup of Temporary Directories...
    2013-08-01T00:09:45.763360-05:00 starlock systemd[1]: Started Cleanup of Temporary Directories.
    2013-08-01T00:15:01.351649-05:00 starlock /usr/sbin/cron[25047]: pam_unix(crond:session): session opened for user root by (uid=0)
    2013-08-01T00:15:01.552895-05:00 starlock run-crons[25049]: suse.de-snapper: OK
    2013-08-01T00:15:01.568467-05:00 starlock /USR/SBIN/CRON[25047]: pam_unix(crond:session): session closed for user root
    2013-08-01T00:18:04.530899-05:00 starlock named[3289]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
    2013-08-01T00:21:38.694391-05:00 starlock kernel: [88015.008143] warning: `VirtualBox' uses 32-bit capabilities (legacy support in use)
    2013-08-01T00:21:52.901822-05:00 starlock named[3289]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
    2013-08-01T00:28:05.532961-05:00 starlock named[3289]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
    2013-08-01T00:28:05.654478-05:00 starlock named[3289]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
    2013-08-01T00:30:02.266195-05:00 starlock /usr/sbin/cron[25291]: pam_unix(crond:session): session opened for user root by (uid=0)
    2013-08-01T00:30:03.999484-05:00 starlock /USR/SBIN/CRON[25291]: pam_unix(crond:session): session closed for user root
    2013-08-01T00:31:36.729057-05:00 starlock dhcpd: Wrote 6 leases to leases file.
    2013-08-01T00:31:36.842792-05:00 starlock dhcpd: DHCPREQUEST for 192.168.0.25 from 00:0d:c5:da:25:28 (Hopper_ETH0) via eth1
    2013-08-01T00:31:36.858112-05:00 starlock dhcpd: DHCPACK on 192.168.0.25 to 00:0d:c5:da:25:28 (Hopper_ETH0) via eth1
    I don't know about any other problems just yet... Next thing is to figure out if I can fix these:
    Code:
    2013-08-01T00:21:52.901822-05:00 starlock named[3289]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
    2013-08-01T00:28:05.532961-05:00 starlock named[3289]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
    2013-08-01T00:28:05.654478-05:00 starlock named[3289]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
    But, that'll be tomorrow's task!
    Goodnight, Cheers,
    Terry.

  8. #8
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    On 2013-08-01 04:16, silicon penguin67 wrote:
    >
    > Thanks for responding. I ran the rpm script and it returned a very
    > large amount of data. I looked through it and there was nothing marked
    > as a "security patch", however, there were some kde-base and sudo
    > bugfixes.


    No, there would be no such mark. After the patch is applied, what
    remains is the name of the package as installed and its date. You browse
    to the date of the updates, and everything below was changed.

    >
    > The result of the other command:
    >
    > Code:
    > --------------------
    > starlock:/var/log # grep PERMISSION_SECURITY /etc/sysconfig/security
    > PERMISSION_SECURITY="easy local"
    >
    > --------------------
    >
    > I set that by hand yesterday, it was "secure local".


    That was your problem. Previously, you would run "SuSEconfig" to apply
    the changes, now you do what wolfi323 told you.

    > All the errors I've been getting are related to permissions being
    > changed on files and directories, or certain files being "bumped up" in
    > security levels. I mean things like /etc/sysconfig/security being set
    > at "secure local". Or, in some cases, file ownership being changed from
    > XXX to root. The named working directories were made root's. How did
    > that happen?


    Because "secure local" does that. Well, I think you need to reboot or do
    it from YaST to be applied.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  9. #9
    Re: systemd bug or OpenSuSE 12.3 security patch problem?

    The problem is, I didn't change it to secure local. I changed it to easy local on 2013-07-30 because it was changed to secure local. Somehow.
    /etc/sysconfig/security of course had a date like 2013-07-22 or 2013-07-24, but when I modified it, the date changed to 2013-07-30.

    After reading:
    /etc/permissions.easy
    /etc/permissions.secure
    /etc/permissions.local

    It absolutely seems like that was the problem. At least as far as VirtualBox and a few other things go.

    Here are a couple of days from the rpm query that I "think" were made when things started getting weird. One weird thing is I don't think I had the reiser file system installed, so why the update?
    Code:
    ****SNIP****
    Mon Jul 22 2013 Mon Jul 15 2013 gettext-runtime                        0.18.1.1-21.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 libplotter2                                 2.6-17.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 libxmi0                                     2.6-17.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 libpython2_7-1_0                          2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 sudo                                    1.8.6p3-3.13.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 xorg-x11-server                      7.6_1.13.2-1.13.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 xorg-x11-server-extra                7.6_1.13.2-1.13.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-doc                                  2.7-10.4.1  noarch                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-doc-pdf                              2.7-10.4.1  noarch                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 gettext-tools                          0.18.1.1-21.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-base                               2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-xml                                2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-gdbm                               2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-tk                                 2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-devel                              2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python-curses                             2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Tue Jul 16 2013 python                                    2.7.3-10.4.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 22 2013 python-keyring                              1.6-14.1    noarch obs://build.opensuse.org/devel:languages:python                   (none) == devel:languages:python / openSUSE_12.3 (none)
    Mon Jul 22 2013 Mon Jul 15 2013 isomaster-lang                            1.3.9-1.16    noarch http://packman.links2linux.de   packman@links2linux.de == Multimedia / openSUSE_12.3 (none)
    Mon Jul 22 2013 Wed Mar 27 2013 bind-chrootenv                          9.9.2P2-2.3.1   i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Wed Mar 27 2013 bind                                    9.9.2P2-2.3.1   i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Mon Jul 22 2013 reiserfs                                 3.6.23-32.2    i586 obs://build.opensuse.org/filesystems                   (none) == filesystems / openSUSE_12.3 (none)
    Mon Jul 22 2013 Mon Jul 22 2013 xfsprogs                                 3.1.11-36.2    i586 obs://build.opensuse.org/filesystems                   (none) == filesystems / openSUSE_12.3 (none)
    Mon Jul 22 2013 Fri Feb 01 2013 yast2-dns-server                         2.23.4-2.1.2   noarch                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Fri Feb 01 2013 yast2-dhcp-server                        2.22.0-4.1.2   noarch                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Mon Jul 22 2013 Wed Mar 27 2013 dhcp-server                            4.2.5.P1-0.2.4.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    ****SNIP****
    Thu Jul 25 2013 Wed Jul 17 2013 kde4-kgreeter-plugins                    4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 libply-boot-client2             0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 python-kdebase4                          4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdebase4-workspace-liboxygenstyle                4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 libply2                         0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdebase4-workspace-ksysguardd            4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 libply-splash-core2             0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kwin                                     4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 plymouth-scripts                0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 libply-splash-graphics2         0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 plymouth-plugin-label           0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdebase4-workspace                       4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 plymouth                        0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Fri Jul 12 2013 plymouth-plugin-script          0.8.8_git201211022126-4.10.1    i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdebase4-workspace-plasma-calendar               4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdebase4-workspace-devel                 4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    Thu Jul 25 2013 Wed Jul 17 2013 kdm                                      4.10.5-1.111.1 i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none)
    ****SNIP****
    Mon Jul 29 2013 Fri Jul 19 2013 wireless-tools                          30.pre9-28.5.1  i586                  openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none) <-- Why this?????????
    That last entry with the wireless-tools? I don't have bluetooth, or wireless on this mach. I wouldn't install this by choice. Maybe another package installed it as a dep?

    I wonder if when I installed DHCP & BIND, yast or myself somehow bork the security settings? Well, thanks to the good people at opensuse forums, most of the problems have been cleared up.

    Thank you all!
    Cheers,
    Terry.
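The ownership and mode changes discussed above come from switching between the permission profiles Terry lists, so the two profiles can be diffed to see what a switch would touch. This is an added example, not code from the thread or from openSUSE: the function names are hypothetical, the profile entries are constructed samples, and it assumes each entry has the form `path owner:group mode`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes profile entries look like
# "path owner:group mode"; every file written below is a constructed sample.

# Print the profile names set in a sysconfig-style file, e.g. "easy local".
active_profiles() {
    sed -n 's/^PERMISSION_SECURITY="\([^"]*\)"[[:space:]]*$/\1/p' "$1"
}

# profile_diff A B: list paths present in both profiles whose owner or mode differ.
profile_diff() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }   # comments, blanks, 2-field capability lines
        FNR == NR { own[$1] = $2; mode[$1] = $3; next }   # remember profile A
        ($1 in own) && (own[$1] != $2 || mode[$1] != $3) {
            printf "%s %s %s -> %s %s\n", $1, own[$1], mode[$1], $2, $3
        }
    ' "$1" "$2"
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/security" <<'EOF'
PERMISSION_SECURITY="easy local"
EOF
    cat > "$1/permissions.easy" <<'EOF'
# constructed sample, not the real profile
/opt/example/bin/helper    root:users     4755
/opt/example/spool/        daemon:daemon  0755
/opt/example/etc/app.conf  root:root      0644
EOF
    cat > "$1/permissions.secure" <<'EOF'
# constructed sample, not the real profile
/opt/example/bin/helper    root:root      0755
 +capabilities cap_net_raw=ep
/opt/example/spool/        root:root      0700
/opt/example/etc/app.conf  root:root      0644
EOF
}

d=$(mktemp -d)
make_samples "$d"
echo "active profiles: $(active_profiles "$d/security")"
profile_diff "$d/permissions.easy" "$d/permissions.secure"
rm -rf "$d"
```

On a real system the same two functions can be pointed at /etc/sysconfig/security and the /etc/permissions.* files named in the post.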

  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: systemd bug or OpenSuSE 12.3 security patch problem?

    On 2013-08-01 17:46, silicon penguin67 wrote:

    > /etc/sysconfig/security of course had a date like 2013-07-22 or
    > 2013-07-24, but when I modified it, the date changed to 2013-07-30.


    It is unfortunately impossible to know what or who changed these things.


    > Here are a couple of days from the rpm query that I "think" were made
    > when things started getting weird. One weird thing is I don't think I
    > had the reiser file system installed, so why the update?


    It is part of the default system. You also have the xfs tools, the btrfs
    tools - I have not looked for them, I don't know the name, but surely
    you have them.

    >
    > Code:
    > --------------------
    >
    > ****SNIP****


    > Mon Jul 29 2013 Fri Jul 19 2013 wireless-tools 30.pre9-28.5.1 i586 openSUSE http://bugs.opensuse.org == openSUSE 12.3 (none) <-- Why this?????????
    >
    > --------------------
    >
    >
    > That last entry with the wireless-tools? I don't have bluetooth, or
    > wireless on this mach. I wouldn't install this by choice. Maybe
    > another package installed it as a dep?


    Part of defaults. The desktops, KDE, Gnome, both have gadgets to work
    with bluetooth; so the entire toolchain up to the kernel gets installed.

    Similarly with wi-fi. You probably have network manager installed (kde
    or gnome version), and this probably requires the wireless-tools.

    You can try to remove those things with yast; if there is a dependency
    it will tell you and refuse. If you decide to go ahead and remove
    things, have a look at the summary tab first - people have destroyed
    their systems previously because they simply clicked "enter" or "accept" :-)

    >
    > I wonder if when I installed DHCP & BIND, yast or myself somehow bork
    > the security settings? Well, thanks to the good people at opensuse
    > forums, most of the problems have been cleared up.


    Perhaps... Dunno.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
