Sudo Broken
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Apr 11, 2002, 11:26 AM
 
Okay, it looks like from the terminal that a lot more than sudo is broken (as if the privileges for all of etc were really messed up), but I don't really know how to set privileges from the terminal. If someone could give me the needed command to set things right, that would be great.

[localhost:~] sysadmin% sudo ls
> sudo: /etc/sudoers is mode 0755, should be 0440
> [localhost:~] sysadmin% /etc/mail/sendmail.cf: line 81: fileclass: cannot
> open /etc/mail/local-host-names: Group writable directory
> /etc/mail/sendmail.cf: line 81: fileclass: cannot open
> /etc/mail/local-host-names: Group writable directory

If you flame me for not knowing how to set privileges from the command line, I will track you down and throw my cat at you. Seriously. Be helpful. Maybe you could give me a site that explains it in clear English (because clear English is always better than geek English).
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Senior User
Join Date: Sep 2000
Location: In a maze of twisty tunnels all alike
Apr 11, 2002, 01:50 PM
 
Originally posted by goMac:
[localhost:~] sysadmin% sudo ls
> sudo: /etc/sudoers is mode 0755, should be 0440
> [localhost:~] sysadmin% /etc/mail/sendmail.cf: line 81: fileclass: cannot
> open /etc/mail/local-host-names: Group writable directory
> /etc/mail/sendmail.cf: line 81: fileclass: cannot open
The problem is that these errors point to there being a lot of permissions problems on your Mac. You may be able to correct individual files using the 'chmod' command ( chmod mode file ) but there is no guarantee that you will find all of the files. This could lead to more problems later on.

The other thing is that in order to apply permissions changes to files not owned by yourself you need to use sudo or become the root user. If you haven't already enabled the root account the only way to do this is by booting into the single-user mode.

My advice whenever dealing with massive messed up permissions problems on Unix systems is to either a) restore from backup, or b) backup data/application areas then reinstall.

It may be that there is a program to re-apply the permissions to files as described in the package bill of materials files in the /Library/Receipts directory. Once you have fixed sudo this would be a possibility.
     
Senior User
Join Date: Jun 2001
Location: Merry Land
Apr 11, 2002, 05:24 PM
 
can you su to root?
     
Clinically Insane
Join Date: Nov 1999
Apr 11, 2002, 06:20 PM
 
I wonder if there's a way to write a tool that would look in the system's .BOM files and restore all the permissions on the drive to their original settings. It'd be a heck of a lot easier than trying to come up with a table of the permissions for every single file in the OS.

This problem is far too common, with people who don't know what the heck they're doing deciding that they know better than Apple about how their computer works, and therefore altering the permissions on the whole drive, often with disastrous consequences like this.

OK. Enough ranting.

You're going to need to be able to use su to do this, since you have to fix sudo. To start, you can fix sudo with this:

chmod 0440 /etc/sudoers

...and the sendmail can be at least sort of fixed with:

sudo chmod g-w /etc/mail/local-host-names

(you must fix sudo first)

I can't remember the exact commands for fixing Classic, but you should do it; in all likelihood it's messed up too.

And next time, don't go messing with the privileges on your drive! They're set the way they are for a wide variety of very good reasons.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Registered User
Join Date: May 2001
Location: Cambridge, UK
Apr 11, 2002, 09:19 PM
 
Originally posted by Millennium:
...and the sendmail can be at least sort of fixed with:

sudo chmod g-w /etc/mail/local-host-names

(you must fix sudo first)
It's worth noting that the permissions will be reset to group writable every time you install an Apple update. If you prefer, you can leave the permissions as they are and tell sendmail not to complain about them.

Look for the following in /etc/mail/sendmail.cf:

# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe

Replace the last line with:

O DontBlameSendmail=GroupWritableDirPathSafe

Sendmail will no longer complain about group writable directories. As the comments state, this compromises security, so do it at your own risk.

Matt

[ 04-11-2002: Message edited by: mattcunnane ]
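
Added example, not part of any post in this thread: a report-only shell check for the two symptoms discussed above, the mode of the sudoers file and any group-writable directory on the path to the sendmail file, which is the condition the "Group writable directory" message names. The function names are made up for this sketch, and it changes nothing on disk.

```shell
#!/bin/sh
# Added example: report-only checks, nothing on disk is changed.

# has_exact_mode FILE MODE: succeed if FILE's permission bits equal MODE.
has_exact_mode() {
    [ -n "$(find -H "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# group_writable_dirs FILE: print every directory between FILE and / that
# has the group-write bit set (-H so a symlinked directory is followed).
group_writable_dirs() {
    dir=$(dirname "$1")
    while :; do
        find -H "$dir" -prune -type d -perm -020 -print 2>/dev/null
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# audit_paths SUDOERS MAILFILE: print findings, return 1 if there are any.
audit_paths() {
    rc=0
    if ! has_exact_mode "$1" 0440; then
        echo "MODE: $1 is not 0440"
        rc=1
    fi
    gw=$(group_writable_dirs "$2")
    if [ -n "$gw" ]; then
        echo "$gw" | sed 's/^/GROUP-WRITABLE DIR: /'
        rc=1
    fi
    return $rc
}

# Run as: sh audit.sh /etc/sudoers /etc/mail/local-host-names
if [ $# -eq 2 ]; then
    audit_paths "$1" "$2"
fi
```

Each reported directory is one that sendmail's file-safety check would object to, so the output shows where a `chmod g-w` is actually needed.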
     
goMac  (op)
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Apr 11, 2002, 11:04 PM
 
Originally posted by Millennium:
And next time, don't go messing with the privileges on your drive! They're set the way they are for a wide variety of very good reasons.
Wasn't me thankfully.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Senior User
Join Date: Sep 2000
Location: In a maze of twisty tunnels all alike
Apr 12, 2002, 10:52 AM
 
Originally posted by Millennium:
I wonder if there's a way to write a tool that would look in the system's .BOM files and restore all the permissions on the drive to their original settings. It'd be a heck of a lot easier than trying to come up with a table of the permissions for every single file in the OS.

I've been looking at this. It should be possible to come up with a script that uses lsbom to list the permissions in the BOM files. It could then use these to correct the permissions.

I'll probably look at this over the course of next week.

The problem I can see is the order to examine the BOM files. The order in which the packages are dumped into /Library/Receipts would seem to make sense.
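
Added example, not the script mentioned in the post above: a report-only comparison of on-disk permission bits against lsbom-style listings read from standard input. It assumes the default lsbom line format (tab-separated path, octal mode, uid/gid) and that listings are concatenated oldest package first, so the last entry for a path wins; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only comparison of on-disk permission bits with
# lsbom-style listings. Assumed line format (default lsbom output):
# path<TAB>octal mode<TAB>uid/gid, then size and checksum for plain files.

# expected_modes: listings on stdin, oldest package first. When a path is
# listed more than once the last entry wins. Prints path<TAB>permission bits.
expected_modes() {
    awk -F '\t' '
        $2 ~ /^12[0-7][0-7][0-7][0-7]$/ { next }   # symlink entry, skip
        NF >= 2 { perm[$1] = substr($2, length($2) - 3) }
        END { for (p in perm) printf "%s\t%s\n", p, perm[p] }
    ' | sort
}

# check_bom_modes ROOT: print one line per problem, return 1 if any found.
check_bom_modes() {
    root=$1
    status=0
    tab=$(printf '\t')
    listing=$(expected_modes)
    while IFS="$tab" read -r path perm; do
        [ -n "$perm" ] || continue
        target="$root/${path#./}"
        if [ ! -e "$target" ]; then
            echo "MISSING  $path"
            status=1
        elif [ -z "$(find "$target" -prune -perm "$perm" -print)" ]; then
            actual=$(ls -ld "$target" | cut -c1-10)
            echo "MISMATCH $path expected $perm actual $actual"
            status=1
        fi
    done <<EOF
$listing
EOF
    return $status
}

# Constructed sample: two packages list ./etc/sudoers; the later one wins.
sample_listing() {
    printf './etc\t40755\t0/0\n'
    printf './etc/sudoers\t100644\t0/0\t300\t1111111111\n'
    printf './etc/sudoers\t100440\t0/0\t312\t2222222222\n'
}

# Run as: <lsbom listings on stdin> | sh check.sh /
if [ $# -eq 1 ]; then
    check_bom_modes "$1"
fi
```

Because it only reports, the output can be reviewed before any chmod is applied, and the owner field in each listing line could be checked the same way.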
     
   