I haven't tried comparing yet but I've verified that disabling various combinations on the cent machine does not produce the same results.
I understand that this is not a perfect method and will take a look as soon as I get home, at the very latest by tomorrow JST, and then report back.
On 08/19/15 00:10, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 00:13 +0900, Scott Mattan wrote:
>> I haven't tried comparing yet but I've verified that disabling various combinations on the cent machine does not produce the same results.
> Same results as what? Is this part of some other thread?
Yes, the OP sent a new message with the same subject in response to an answer that I gave.
On Wed, 2015-08-19 at 04:05 +0800, Ed Greshko wrote:
> On 08/19/15 00:10, Patrick O'Callaghan wrote:
>> On Wed, 2015-08-19 at 00:13 +0900, Scott Mattan wrote:
>>> I haven't tried comparing yet but I've verified that disabling various combinations on the cent machine does not produce the same results.
>> Same results as what? Is this part of some other thread?
> Yes, the OP sent a new message with the same subject in response to an answer that I gave.
And without quoting any context.
poc
Sorry about the other post, this one may not come in correctly either...
In any case, I will explain this after the main issue...
I have the following differences in my /etc/pam.d/su file:
Fedora22:
    #%PAM-1.0
    auth sufficient pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required pam_wheel.so use_uid
    auth substack system-auth
    auth include postlogin
    account sufficient pam_succeed_if.so uid = 0 use_uid quiet
    account include system-auth
    password include system-auth
    session include system-auth
    session include postlogin
    session optional pam_xauth.so
CentOS6.6:
    #%PAM-1.0
    auth sufficient pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required pam_wheel.so use_uid
    auth include system-auth
    account sufficient pam_succeed_if.so uid = 0 use_uid quiet
    account include system-auth
    password include system-auth
    session include system-auth
    session optional pam_xauth.so
When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this is the cause, I become unable to open sockets.
    [ root@localhost ~ ]# su user
    could not open session
So while this may be the issue, I have to believe that it is not the sole issue and there must be another cause. I hadn't tested the su-l file for differences yet, but it is primarily for login-shells... which admittedly my CentOS6.6 connection is through a login-shell as it is through ssh, whereas the Fedora22 is through a non-login-shell from the GUI.
Luckily this CentOS6.6 system also has a GUI so I will try to replicate from a non-login-shell and get back to you with more information.
Now for my lack of understanding of the mailing list.
On the computer, I don't understand how to reply without having to copy information from multiple sources. The entire list comes in a single post (very difficult to read) and replying to one means replying to all.
Additionally, operating on my phone doesn't even permit me to view the posts, and I must manually go to the archives to read any of the new additions.
Is there a better way of viewing this list without having to copy paste titles and contents?
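
The two /etc/pam.d/su files quoted in the message above differ in only a few active rules. The following is an added example, not part of the original thread: it parses both stacks, lists the rules unique to each, and names the other /etc/pam.d files each stack pulls in through include or substack. The function names are hypothetical, and the embedded configs are copied from the message with the commented-out wheel lines omitted.

```python
# Added example. Configs are the two /etc/pam.d/su files quoted in the thread
# (commented-out wheel lines omitted); function names are hypothetical.
FEDORA22_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      substack    system-auth
auth      include     postlogin
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   include     postlogin
session   optional    pam_xauth.so
"""
CENTOS66_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   optional    pam_xauth.so
"""

def parse_pam(text):
    """Return active rules as (type, control, module + args), in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        ptype, *rest = line.split()
        end = 0
        if rest[0].startswith("["):            # bracketed control, e.g. [success=1 default=ignore]
            end = next(i for i, tok in enumerate(rest) if tok.endswith("]"))
        rules.append((ptype, " ".join(rest[:end + 1]), " ".join(rest[end + 1:])))
    return rules

def diff_rules(a, b):
    """Rules only in a, and rules only in b, each in original order."""
    return [r for r in a if r not in b], [r for r in b if r not in a]

def included_files(rules):
    """Other /etc/pam.d files the stack pulls in via include or substack."""
    return sorted({mod.split()[0] for _, ctl, mod in rules if ctl in ("include", "substack")})

if __name__ == "__main__":
    print(*diff_rules(parse_pam(FEDORA22_SU), parse_pam(CENTOS66_SU)), sep="\n")
```

Before copying a stack from one distribution to another, confirm that every file reported by included_files exists under /etc/pam.d on the target machine.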
I just tried the non-login-shell with those settings, and it didn't offer any change from the previous response.
(I primarily work with CentOS6.6 at work but am testing Fedora at home and would like to implement similar security settings)
    [ user@localhost ~]$ su - <<EOF
    password
    echo ""
    id
    EOF
    standard in must be a tty
I'm going to look into PAM to check for related files, please let me know if you have more advice on this issue as technically this allows for scripted access to root (good for initial setup of production environments provided you lock it down afterwards, however it could also be exploited by intelligent malware).
Thanks, and I look forward to hearing from you.
On 08/19/15 08:55, Scott Mattan wrote:
> Sorry about the other post, this one may not come in correctly either...
> In any case, I will explain this after the main issue...
> I have the following differences in my /etc/pam.d/su file:
> Fedora22:
>     #%PAM-1.0
>     auth sufficient pam_rootok.so
>     # Uncomment the following line to implicitly trust users in the "wheel" group.
>     #auth sufficient pam_wheel.so trust use_uid
>     # Uncomment the following line to require a user to be in the "wheel" group.
>     #auth required pam_wheel.so use_uid
>     auth substack system-auth
>     auth include postlogin
>     account sufficient pam_succeed_if.so uid = 0 use_uid quiet
>     account include system-auth
>     password include system-auth
>     session include system-auth
>     session include postlogin
>     session optional pam_xauth.so
> CentOS6.6:
>     #%PAM-1.0
>     auth sufficient pam_rootok.so
>     # Uncomment the following line to implicitly trust users in the "wheel" group.
>     #auth sufficient pam_wheel.so trust use_uid
>     # Uncomment the following line to require a user to be in the "wheel" group.
>     #auth required pam_wheel.so use_uid
>     auth include system-auth
>     account sufficient pam_succeed_if.so uid = 0 use_uid quiet
>     account include system-auth
>     password include system-auth
>     session include system-auth
>     session optional pam_xauth.so
> When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this is the cause, I become unable to open sockets.
>     [ root@localhost ~ ]# su user
>     could not open session
Use the original file in pam.d for su and try adding this after the pam_rootok.so line...
    auth required pam_securetty.so
> Now for my lack of understanding of the mailing list.
> On the computer, I don't understand how to reply without having to copy information from multiple sources. The entire list comes in a single post (very difficult to read) and replying to one means replying to all.
Sounds like you've picked "digest" for the list messages and your mailer doesn't quite know how to handle them.
> Additionally, operating on my phone doesn't even permit me to view the posts, and I must manually go to the archives to read any of the new additions.
> Is there a better way of viewing this list without having to copy paste titles and contents?
Modify your settings to not get a digest.
I have changed my settings from digest.
I will additionally try to add the pam_securetty.so to my su file when I get home tonight (JST).
Thanks
On Wed, Aug 19, 2015 at 11:04 AM, Ed Greshko ed.greshko@greshko.com wrote:
> On 08/19/15 08:55, Scott Mattan wrote:
>> Sorry about the other post, this one may not come in correctly either...
>> In any case, I will explain this after the main issue...
>> I have the following differences in my /etc/pam.d/su file:
>> Fedora22:
>>     #%PAM-1.0
>>     auth sufficient pam_rootok.so
>>     # Uncomment the following line to implicitly trust users in the "wheel" group.
>>     #auth sufficient pam_wheel.so trust use_uid
>>     # Uncomment the following line to require a user to be in the "wheel" group.
>>     #auth required pam_wheel.so use_uid
>>     auth substack system-auth
>>     auth include postlogin
>>     account sufficient pam_succeed_if.so uid = 0 use_uid quiet
>>     account include system-auth
>>     password include system-auth
>>     session include system-auth
>>     session include postlogin
>>     session optional pam_xauth.so
>> CentOS6.6:
>>     #%PAM-1.0
>>     auth sufficient pam_rootok.so
>>     # Uncomment the following line to implicitly trust users in the "wheel" group.
>>     #auth sufficient pam_wheel.so trust use_uid
>>     # Uncomment the following line to require a user to be in the "wheel" group.
>>     #auth required pam_wheel.so use_uid
>>     auth include system-auth
>>     account sufficient pam_succeed_if.so uid = 0 use_uid quiet
>>     account include system-auth
>>     password include system-auth
>>     session include system-auth
>>     session optional pam_xauth.so
>> When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this is the cause, I become unable to open sockets.
>>     [ root@localhost ~ ]# su user
>>     could not open session
> Use the original file in pam.d for su and try adding this after the pam_rootok.so line...
>     auth required pam_securetty.so
>> Now for my lack of understanding of the mailing list.
>> On the computer, I don't understand how to reply without having to copy information from multiple sources. The entire list comes in a single post (very difficult to read) and replying to one means replying to all.
> Sounds like you've picked "digest" for the list messages and your mailer doesn't quite know how to handle them.
>> Additionally, operating on my phone doesn't even permit me to view the posts, and I must manually go to the archives to read any of the new additions.
>> Is there a better way of viewing this list without having to copy paste titles and contents?
> Modify your settings to not get a digest.
> --
> It seems most people that say they are "done talking about it" never really are until given the last word.
On Wed, 2015-08-19 at 09:55 +0900, Scott Mattan wrote:
> Is there a better way of viewing this list without having to copy paste titles and contents?
Don't use digests (they are a waste of time in this day and age), or if you do then use a mailer that supports direct replying to a digest message (not to the digest itself). Evolution can do this and I think Thunderbird also. Cutting and pasting subject lines does not preserve proper threading and should be avoided.
poc
On Wed, Aug 19, 2015 at 12:31:19PM +0100, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 09:55 +0900, Scott Mattan wrote:
>> Is there a better way of viewing this list without having to copy paste titles and contents?
> Don't use digests (they are a waste of time in this day and age), or if you do then use a mailer that supports direct replying to a digest message (not to the digest itself). Evolution can do this and I think Thunderbird also. Cutting and pasting subject lines does not preserve proper threading and should be avoided.
Actually, afaiU, there is one more step involved. Replying in thread works only with MIME digests, not plain text. It is a separate option in the mailman settings page.
Set Digest Mode
If you turn digest mode on, you'll get posts bundled together (usually one per day but possibly more on busy lists), instead of singly when they're sent. If digest mode is changed from on to off, you may receive one last digest.
Get MIME or Plain Text Digests?
Your mail reader may or may not support MIME digests. In general MIME digests are preferred, but if you have a problem reading them, select plain text digests.
Cheers,
On Wed, 2015-08-19 at 15:04 +0200, Suvayu Ali wrote:
>> Don't use digests (they are a waste of time in this day and age), or if you do then use a mailer that supports direct replying to a digest message (not to the digest itself). Evolution can do this and I think Thunderbird also. Cutting and pasting subject lines does not preserve proper threading and should be avoided.
> Actually, afaiU, there is one more step involved. Replying in thread works only with MIME digests, not plain text. It is a separate option in the mailman settings page.
This is true, however I'm assuming this list's digests are MIME-formatted.
poc
On 08/19/2015 09:02 AM, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 15:04 +0200, Suvayu Ali wrote:
>>> Don't use digests (they are a waste of time in this day and age), or if you do then use a mailer that supports direct replying to a digest message (not to the digest itself). Evolution can do this and I think Thunderbird also. Cutting and pasting subject lines does not preserve proper threading and should be avoided.
>> Actually, afaiU, there is one more step involved. Replying in thread works only with MIME digests, not plain text. It is a separate option in the mailman settings page.
> This is true, however I'm assuming this list's digests are MIME-formatted.
Only if you request them as MIME-formatted. The list can send plaintext digests as well. Not sure what the default is (if there is a default... I don't use digests :-p ).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-         "The Schizophrenic: An Unauthorized Autobiography"         -
----------------------------------------------------------------------