topic Re: any user can modify files owned by root!!! in Operating System - Linux

any user can modify files owned by root!!!

Masaki Birchmier — Wed, 20 Jul 2005 13:45:40 GMT

I adopted a linux system where any user can read/modify/remove files with permission
-rw-r--r-- root root
(but not files owned by other users). It's a huge security issue and I need help resolving this ASAP.

In /etc/group I have nothing out of the ordinary:
root:x:0:root
sys:x:3:root,bin.adm
adm:x:4:root,adm,daemon

There is nothing in /etc/sudoers that would allow this...

I've browsed at some of the pam files, comparing it with another system and didn't see anything, (but I'm not an expert in this area and could of missed something)

If anyone has any suggestions what might be causing this I would greatly appreciate it.

masaki

Re: any user can modify files owned by root!!!

Ivan Ferreira — Wed, 20 Jul 2005 15:52:03 GMT

I'm pretty sure that users cannot modify the contents of the file listed, but they can delete because the deletion permission is dictated by the directory that contains the file. So, if the directory has write permissions for the user/group/others, then user/group/other can delete files in the directory, even when they are not owners of has no permissions on the file.

Re: any user can modify files owned by root!!!

Stuart Browne — Wed, 20 Jul 2005 22:11:36 GMT

Read and remove, sure.

You've got global +r, so anybody can read it.

And Ivan's post covered the removal.

But I highly doubt you can 'modify' the contents of one of these files.

Re: any user can modify files owned by root!!!

Guru Dutta — Thu, 21 Jul 2005 01:27:39 GMT

By looking @ the perms bits it seems that all have read access and only root or the file creator has write perms which implies that he is the person who can delete/remove it.

Re: any user can modify files owned by root!!!

Vibhor Kumar Agarwal — Thu, 21 Jul 2005 03:13:13 GMT

I'll go the other way round.

Change your root password.

Re: any user can modify files owned by root!!!

Masaki Birchmier — Thu, 21 Jul 2005 07:04:17 GMT

The symptom is that normal users take on the permissions of root user.
I assure you they can modify any file as long as root owns the file and has write permissions like /etc/passwd !

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 12:18:12 GMT

The only way that this could happen is that other users, besides root, have UID 0 in /etc/passwd (if its local authentication). Verify that no other user except root has UID 0 (3rd value).

Re: any user can modify files owned by root!!!

Rick Garland — Thu, 21 Jul 2005 12:42:48 GMT

Check the UID values of the users.

There should only be 1 UID=0 and that is root.

Here is a script that can help. Modify as needed since original inception was in NIS environment.

Re: any user can modify files owned by root!!!

Masaki Birchmier — Thu, 21 Jul 2005 12:43:15 GMT

Yup, I already checked for uid=0 in /etc/passwd.

One additional info is that although normal users can modify root owned files, they can not run root commands. It doesn't seem to matter what the group ownership/permissions are set to.

Re: any user can modify files owned by root!!!

Masaki Birchmier — Thu, 21 Jul 2005 12:49:21 GMT

Only root has uid=0
There are several groupid=0,
sync, shutdown, halt, opertor. I think these are OK.

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 13:07:58 GMT

Do you know the specific commands that users use to modify the files?

Maybe, the commands, like vi, have the set user id bit enabled (SUID). You will see an "s" in the permissions:

-rwsr-xr-x 5 root root 331552 Jun 16 2004 /bin/vi

Re: any user can modify files owned by root!!!

Rick Garland — Thu, 21 Jul 2005 13:08:11 GMT

Are the passwds secured?
Is sudo in play? How about PowerBroker?

Do the visudo command. This will display the sudoers file. Any clues?

Check the sudoers log file - if you have the sudo.conf file setup.

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 13:10:24 GMT

You can use the following command to find suid files:

find / -user root -perm -4000 -ls

Re: any user can modify files owned by root!!!

Masaki Birchmier — Thu, 21 Jul 2005 13:43:00 GMT

Thanks for your input, here are the results.

Checked SUID on vi, not there.

some examples of what non root users can do
$ cd /root
permission=750 root root /root

$ cat /etc/shadow
permission=600 root root /etc/shadow

$ vi /etc/passwd
permission=644 root root /etc/passwd

sudo is not involved. If I try to use it, it promps me for root password.(sudo vi /etc/passwd)

powerbroker is not installed.

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 14:12:33 GMT

Verify the acl's, use

getfacl /etc/passwd

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 14:18:10 GMT

Verify the acl's (if exists), use

getfacl /etc/passwd

Verify that you don't have installed a rootkit. Use the rpm -V command to check the integrity of the commands in the system, and if they changed.

Re: any user can modify files owned by root!!!

Ivan Ferreira — Thu, 21 Jul 2005 14:23:24 GMT

You should download and install chkrootkit

http://www.chkrootkit.org/

Re: any user can modify files owned by root!!!

Stuart Browne — Thu, 21 Jul 2005 14:49:00 GMT

what was the output of 'id' when running those commands earlier?

Also, what terminal were you on? the console? ssh'd in?

Re: any user can modify files owned by root!!!

Masaki Birchmier — Mon, 25 Jul 2005 12:20:17 GMT

It's not an ACL issue, specifically checked a few items and there are no ACL's involved.

chkrootkit, interesting tool, ran it but did not detect anything.

The userid can be any number, and all root files are available to them.

I've verified that the symptom exists when connected with ssh, and telnet.

Masaki

Re: any user can modify files owned by root!!!

Florian Heigl (new acc) — Mon, 25 Jul 2005 12:55:28 GMT

maybe check Your /etc/shadow or /etc/passwd.master.

try to enable kernel auditing (SELinux extensions) and create an audit trail of the file accesses.