Description of problem:

root@localhost:~# sectool --hint --level 3 --run openssh --debug
openssh -> Info: Checking default openssh-server configuration
Warning: Wrong permissions on directory: "/var/empty/sshd" (directory used by sshd during privilege separation in the pre-authentication phase, required permissions are 711)
openssh: WARNING
root@localhost:~# chmod 711 /var/empty/sshd
root@localhost:~# sectool --hint --level 3 --run openssh --debug
openssh -> Info: Checking default openssh-server configuration
openssh: PASS
root@localhost:~# sectool --hint --level 5 --run openssh --debug
openssh -> Info: Checking default openssh-server configuration
Warning: Wrong permissions on directory: "/var/empty/sshd" (directory used by sshd during privilege separation in the pre-authentication phase, required permissions are 700)
openssh: WARNING
This doesn't seem like a bug... From the manpage:

LEVELS
    sectool has a concept of levels that define how strict the checks should be. The levels range from 1 (low security) to 5 (paranoid). The default level is 3 (a typical computer connected directly to the Internet). The levels could be either specified by integer or the level name. The name for different levels are as follows:

    level  name
    -----  -----
    1      Naive
    2      Desktop
    3      Network
    4      Server
    5      Paranoid
    ...

So, when you pass --level 3, it requires permissions of 711 on /var/empty/sshd, but when you pass --level 5, it requires permissions of 700 (dropping the read permission). This indeed would be a fair description of the difference between "Networked" security and "Paranoid" security. My guess is that you didn't notice that the permissions were different between the check levels...

Lifting F10Blocker. I'll let the maintainer decide whether there is a bug here or not and reapply the blocker as needed.
Fixed in git:
- print an info message if the permissions are stricter than required
sectool-0.9.2-1 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/sectool-0.9.2-1
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
sectool-0.9.2-1 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update sectool'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/f10/FEDORA-2008-10272
This is problematic with the proposed update:

root@localhost:~# chmod 700 /var/empty/sshd
root@localhost:~# sectool --hint --level 3 --run openssh --debug
openssh -> Info: Checking default openssh-server configuration
Warning: Wrong permissions on directory "/var/empty/sshd": 700 (directory used by sshd during privilege separation in the pre-authentication phase, required permissions are 711)
openssh: WARNING
root@localhost:~#
sectool-0.9.2-2 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/sectool-0.9.2-2
sectool-0.9.2-2 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update sectool'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-10649
There is still a WARNING; perhaps INFO would be better, as there's no harm in having these stricter permissions?
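As an added example (not sectool's own code), the following POSIX shell script models the /var/empty/sshd check discussed in this thread: the level-dependent required mode from the manpage excerpt, the "stricter than required" case that the 0.9.2 fix reports as info, and the plain mismatch that stays a warning. The level-to-mode mapping is an assumption: the thread only shows level 3 requiring 711 and level 5 requiring 700, so levels 1-3 are treated like 3 and 4-5 like 5 here. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not sectool's own code: a minimal model of the
# openssh privilege-separation directory check from this bug.

# required_mode LEVEL -> octal mode the check expects at that level.
# Assumption: the thread shows only 3 -> 711 and 5 -> 700; other levels
# are grouped with their nearest shown level.
required_mode() {
    case "$1" in
        1|2|3) echo 711 ;;
        4|5)   echo 700 ;;
        *)     echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# classify_mode ACTUAL REQUIRED -> PASS | INFO | WARNING
#   PASS    : modes are identical
#   INFO    : actual grants no permission bit that required withholds,
#             i.e. the directory is at least as strict as required
#             (the 0.9.2 "print an info message" case)
#   WARNING : actual grants some bit the required mode does not
classify_mode() {
    actual=$(( 0$1 ))        # leading 0 forces octal interpretation
    required=$(( 0$2 ))
    if [ "$actual" -eq "$required" ]; then
        echo PASS
    elif [ $(( actual & ~required )) -eq 0 ]; then
        echo INFO
    else
        echo WARNING
    fi
}

# check_dir DIR LEVEL: read DIR's mode bits and print a sectool-style
# verdict line. Tries GNU stat first, then the BSD spelling.
check_dir() {
    dir=$1
    req=$(required_mode "$2") || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir") || return 1
    case "$(classify_mode "$mode" "$req")" in
        PASS)    echo "openssh: PASS ($dir is $mode)" ;;
        INFO)    echo "openssh: INFO: $dir is $mode, stricter than required $req" ;;
        WARNING) echo "openssh: WARNING: wrong permissions on $dir: $mode, required $req" ;;
    esac
}

# Demo over constructed modes (no real directory needed).
for m in 711 700 755; do
    echo "mode $m at level 3 -> $(classify_mode "$m" 711), at level 5 -> $(classify_mode "$m" 700)"
done
```

With this split, `chmod 700 /var/empty/sshd` followed by a level-3 run reports INFO rather than WARNING, while a world-readable 755 or a level-5 run against 711 still warns.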
sectool-0.9.2-2 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.