Operating System - HP-UX

Re: /etc/passwd permissions changed

 
Jon Talbot
Occasional Advisor

/etc/passwd permissions changed

Hello,
We are having problems with the permissions on the /etc/passwd file on an N Class HP-UX server running OS version 11.11. The problem is that twice over the last week the permissions have changed from what they should be (r--r--r--) to r--------; when this happens users cannot log on!

I have checked things like rogue cron and at jobs. root is only in use by administrators (no one else should have the authority to change permissions), and there is no root activity at the time when these incidents occurred.
Has anyone else seen a similar problem?

Thanks in advance
Kent Ostby
Honored Contributor

Re: /etc/passwd permissions changed

Only three things come to mind:

1) An Admin who thinks this is a good idea.

2) Someone else who has root (when was the last time the root password was changed)

3) What is the umask for root set to? This could cause a problem.
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Bill Hassell
Honored Contributor

Re: /etc/passwd permissions changed

There is nothing in the system that will change these permissions except a root user that types the chmod command, or a script run by cron or at, or a remsh or rexec from another machine. The first step is to change the root password immediately. REMOVE .rhosts in root's HOME directory. REMOVE /etc/hosts.equiv if it exists. (All of these are serious security, and in your case, stability risks.) You may want to scan the entire /home directory for .rhosts files and get rid of them by changing to ssh and disabling finger, login, shell and exec in /etc/inetd.conf. Then start checking for a hacker:

logins -d
lastb -R -500

This command shows duplicate user IDs. If you see UID 0 assigned to something other than root, disable the rogue account and assume you have an intrusion. Of course, if you have 'safety' root accounts, you'll have to ignore these for the time being. However, good sysadmin technique forbids duplicate root IDs. Instead, you install and use sudo for *all* of your sysadmins and no one logs in as root except at the 'real' console. Grep through all the shell history files for the word passwd:

grep passwd $HOME/.sh_history
grep passwd /home/*/.sh_history

($HOME above assumes you are logged in as root).

Now create a cron job that monitors the permissions of the passwd file. Do nothing until the permissions change; when they do, use logger to add an entry to syslog and send email to all the admins (assuming email has been enabled). Example logger:

logger -t "/etc/passwd checker" -p local1.alert "/etc/passwd not 444!"

In your script, once logger has been run, run these commands and send them to a file (and email):

who -R
finger
last -R root -500
lastb -R -500
head -100 /var/adm/sulog

All the above listings will provide a timestamp of potential root users. Look for anyone logged in during the time that the file changed.



Bill Hassell, sysadmin
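One way to implement the monitoring cron job described in the reply above, as an added example (not code from the thread). It assumes the HP-UX 11.11 tools named in the thread (ls, logger, who, finger, last, lastb, mailx), that the script is saved as passwd_check.sh and scheduled from root's crontab, and that ADMINS is a mail alias you define; PASSWD_FILE and ADMINS can be overridden from the environment for testing.

```shell
#!/usr/bin/sh
# passwd_check.sh - cron job that watches /etc/passwd permissions (added example).
# Assumes an HP-UX 11.11 userland: no stat(1), so the mode is read from ls -ld.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
WANT_MODE=r--r--r--              # mode 444, as expected in the thread
ADMINS=${ADMINS:-root}           # assumed mail alias for the admins
EVIDENCE=/var/adm/passwd_check.$(date +%Y%m%d%H%M%S)

# Print the nine permission characters of a file (ls -ld field 1 minus the type char).
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when the file's mode string equals the expected one, 1 otherwise.
mode_ok() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Capture the listings from the thread into one evidence file for the admins.
collect_evidence() {
    out=$1
    {
        echo "=== $(date): $PASSWD_FILE mode is $(file_mode "$PASSWD_FILE"), expected $WANT_MODE"
        echo "--- who -R";                 who -R
        echo "--- finger";                 finger
        echo "--- last -R root -500";      last -R root -500
        echo "--- lastb -R -500";          lastb -R -500
        echo "--- head -100 /var/adm/sulog"; head -100 /var/adm/sulog
    } > "$out" 2>&1
}

main() {
    # Do nothing while the mode is still 444.
    mode_ok "$PASSWD_FILE" "$WANT_MODE" && exit 0
    # Mode changed: record it in syslog first, then gather who was around.
    logger -t "/etc/passwd checker" -p local1.alert "$PASSWD_FILE not 444!"
    collect_evidence "$EVIDENCE"
    mailx -s "$PASSWD_FILE permissions changed on $(hostname)" "$ADMINS" < "$EVIDENCE"
}

# Run only when invoked as the script itself (e.g. from cron); sourcing just defines the functions.
case $0 in */passwd_check.sh|passwd_check.sh) main ;; esac
```

A crontab line such as `*/5 * * * * /usr/local/bin/passwd_check.sh` (every five minutes) keeps the timestamp in syslog close to the moment of the change.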
Sunil Sharma_1
Honored Contributor

Re: /etc/passwd permissions changed

It could be because of some script/tool running from cron. We have a security hardening tool which does similar things and runs daily. Now we run it in audit mode so it just gives a report. Please check all the jobs in cron of the root and adm users.


Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Rick Garland
Honored Contributor

Re: /etc/passwd permissions changed

There are various tools available to help pinpoint when the file was changed. For example, Tripwire can tell you when the file was changed. This used to be a free product for HP but is now commercial. Search recent posts for a free tool that functions like Tripwire and runs on HP-UX. (I forgot the name of that newer tool. It is in a recent post though.)

One possibility is that the root passwd may be compromised as mentioned. Change the root passwd and set up the /etc/default/security file to have SU_ROOT_GROUP=<>. Only the members of this specific group have the ability to become root. It doesn't matter if they know the root passwd; if they are not in this group they won't become root.

Allow root login only on the console - /etc/securetty has CONSOLE as its contents.
Jon Talbot
Occasional Advisor

Re: /etc/passwd permissions changed

Thanks for the ideas - I'll get right on to this