Re: Permission issue

Helen French · ‎02-06-2002

Hi,

I have a local (normal) username called 'user1', which I use for doing ftp. Today I saw some of the files in /usr/sbin, /usr/conf, /etc are changed it's owner to 'user1'. I didn't do this and nobody else can do that. I am wondering how it has changed !

Any idea ?

Thanks!
Shiju

Life is a promise, fulfill it!

Sanjay_6 · ‎02-06-2002

Hi shiju,

What are the file names for which the permission were modified. Until the user copies those files to those directories, i don't think the permission should have got modified.

Hope this helps.

regds

Patrick Wallek · ‎02-06-2002

Are the UIDs of your user1 and the previous owner of the files the same? Do you have a UID conflict (two users with the same UID) in /etc/passwd?

Run 'pwck' and see if it reports any problems with /etc/passwd file.

Helen French · ‎02-06-2002

Hi Sanjay,

some of them:
/usr/sbin/diskinfo
/usr/sbin/backup
/usr/sbin/fbackup
/usr/sbin/fuser
/usr/sbin/ifconfig
/usr/sbin/ifconfig
/usr/sbin/inetd
/usr/sbin/lanconfig
/usr/sbin/lvcreate
/usr/sbin/lvchange
/usr/sbin/vgdisplay ...etc and lot more which is system/root commands !

Does an NFS export make any difference ? Recently I have NFS exported a directory which was owned by 'user1'. I was logged in as root when i have done this. Do u think this will make any changes ?

Thanks!
Shiju

Life is a promise, fulfill it!

Sanjay_6 · ‎02-06-2002

Hi Shiju,

I don't see any reason how export of a user owned directory can change the file ownership in /usr/sbin.

The only possibility is if someone logged in as root and changed the permission of these files to see if these files can be executed by the new user "user1".

The other possibility is that the uid for "user1" is 0 and it appears first in the list in /etc/passwd before root. Is it like that ?.

Hope this helps.

regds

Helen French · ‎02-06-2002

Hi Patrick, Sanjay:

The first possibility is NO. Nobody has changed the permission to 'user1' to test something.

Secondly, my other sys-admin has a root equivalent user in the server ( which was created just by editing /etc/passwd and copying the root user and editing only the username ). So the /etc/passwd has two login names with the same UID ( uid 0) - root and admin. Does this make any logic ?

Also the 'user1' is a normal user and don't have any UID conflict with anything.

Thanks for the help ... points to follow !

Shiju

Life is a promise, fulfill it!

Patrick Wallek · ‎02-06-2002

Can you post the entries for root, admin and user1 from your passwd file?

Sanjay_6 · ‎02-06-2002

Hi Shiju,

I don't see a connection. IF the user id "admin" has uid 0 other than root, then don't see any cause how user1 can become the owner of files in /usr/sbin.

Hope this helps.

Regds

Helen French · ‎02-06-2002

This how the entries are:

root:swfdwER:0:3::/:/sbin/sh
admin:reRfRE:0:3::/:/sbin/sh
user1:asda3G:101:20:FTP user:/tmp/user1:/usr/bin/sh

Thanks!
Shiju

Life is a promise, fulfill it!

Duncan Galbraith · ‎02-06-2002

Hi,
Are you using your local /etc/passwd file ?
ie Are you running NIS or anything similar ?
Duncan

Helen French · ‎02-06-2002

Hi,

Another thing I notified now:

The user 'admin' was a user with UID 101 ( current UID of 'user1') before. Recently he reomoved it and made root equivalent.

But I still don't have the conclusion !

Shiju

Life is a promise, fulfill it!

Sanjay_6 · ‎02-06-2002

Hi,

If these files were owned by admin earlier and then the id was admin uid changed from "101" to "0", the system will change the owner to "user1" if a new user id is created with uid "101". A change of admin uid will not result in the change is the ownership of the files owned by that user. The ownership of a file is associated with the uid and not with the actual user name.

Hope this helps.

Regds

Helen French · ‎02-06-2002

Sanjay,

I understand that. But I don't think those files were owned by 'admin' !

Also when I run a 'find / -user' command, I could see one of the other exprted file system ( NFS) has changed it's files ownership to 'user1' ! Also the file /etc/exports ownership changed to 'user1'

No idea why this happened !

Shiju

Life is a promise, fulfill it!

Kevin Wright · ‎02-06-2002

I would start checking .sh_history files for a chown commands, this didn't happen by itself, either like was already stated, a uid changed, or a command went awry. I had this happen before, a dba used a find command incorrectly and chown'ed files.

Deepak Extross · ‎02-06-2002

O'boy!! I love playing detective!

Maybe this 'user1' has/had root access (a vulnerable password, a root shell or access to the console, perhaps) and he did a chown on these files?

Steven Sim Kok Leong · ‎02-06-2002

Hi,

Just a word of caution. I can see that you are not using any shadowed passwords. This is dangerous because any user could have copied /etc/passwd and run crack on it.

I would suggest that you enable your system to be a trusted system with shadowed passwords.

If the root and admin passwords are weak (part of it is a dictionary word), there is a likelihood that your superuser passwords might have already been compromised.

As mentioned above, check all the ~/.sh_history history files for anomalies such as:
1) attempts to read or copy /etc/passwd
2) attempts to chown

Check also your /etc/group for anomalies.

Hope this helps. Regards.

Steven Sim Kok Leong

Michael Tully · ‎02-06-2002

One other thing: If you have possibly had your system compromised, suggest you change your 'root' password(s) immediately on all of your systems. In doing so create the passwords that shouldn't be discovered by crack.

Anyone for a Mutiny ?

Peter Kloetgen · ‎02-07-2002

Hi Shiju,

when you have two users with the same UID in your system they are hadled as ONE user after logging in. The only point of time user names are of any interest for OS is when getty processes do the login process and recieve their information out of /etc/passwd or shadow files. After this users and permissions are internally controlled only via UIDs. If you have / had two users with the same UID in your system, you can try the following:

user1 is owner of a file/directory and has UID 101
user2 has the same UID
user2 uses chmod for the file, but doesn't change permissions
after this, the new owner in a long listing will be user2 !!!

Could this be the answer to your questions?

Allways stay on the bright side of life!

Peter

I'm learning here as well as helping

Helen French · ‎02-07-2002

Hi All,

Thanks for all ya help so far !

I think there is a littlebit of confusion, my root password is not compromised. The /etc/passwd which I listed is just typed by me and is not the exact copy of the file ( i mean about the password entry, Steven ).

And the 'user1' is just a normal user created by me and nobody else can use that. Nobody else can play with either root or 'user1'. I have checked the sh_history file and couldn't find out anything wrong there too.

However, I have re-arranged all ownerships. Any more valuable inputs are welcome.

Thanks!
Shiju

Life is a promise, fulfill it!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Permission issue

Permission issue