
Permission issue

 
Helen French
Honored Contributor

Permission issue

Hi,

I have a local (normal) username called 'user1', which I use for doing ftp. Today I saw that some of the files in /usr/sbin, /usr/conf and /etc have had their owner changed to 'user1'. I didn't do this and nobody else can do that. I am wondering how it has changed!

Any idea ?

Thanks!
Shiju
Life is a promise, fulfill it!
18 REPLIES 18
Sanjay_6
Honored Contributor

Re: Permission issue

Hi shiju,

What are the file names for which the permissions were modified? Until the user copies those files to those directories, I don't think the permissions should have got modified.

Hope this helps.

regds
Patrick Wallek
Honored Contributor

Re: Permission issue

Are the UIDs of your user1 and the previous owner of the files the same? Do you have a UID conflict (two users with the same UID) in /etc/passwd?

Run 'pwck' and see if it reports any problems with /etc/passwd file.
Helen French
Honored Contributor

Re: Permission issue

Hi Sanjay,

some of them:
/usr/sbin/diskinfo
/usr/sbin/backup
/usr/sbin/fbackup
/usr/sbin/fuser
/usr/sbin/ifconfig
/usr/sbin/ifconfig
/usr/sbin/inetd
/usr/sbin/lanconfig
/usr/sbin/lvcreate
/usr/sbin/lvchange
/usr/sbin/vgdisplay ...etc and lot more which is system/root commands !

Does an NFS export make any difference? Recently I have NFS exported a directory which was owned by 'user1'. I was logged in as root when I did this. Do you think this will make any changes?

Thanks!
Shiju
Life is a promise, fulfill it!
Sanjay_6
Honored Contributor

Re: Permission issue

Hi Shiju,

I don't see any reason how export of a user owned directory can change the file ownership in /usr/sbin.

The only possibility is if someone logged in as root and changed the permission of these files to see if these files can be executed by the new user "user1".

The other possibility is that the uid for "user1" is 0 and it appears first in the list in /etc/passwd before root. Is it like that?

Hope this helps.

regds
Helen French
Honored Contributor

Re: Permission issue

Hi Patrick, Sanjay:

The first possibility is NO. Nobody has changed the permission to 'user1' to test something.

Secondly, my other sys-admin has a root equivalent user in the server ( which was created just by editing /etc/passwd and copying the root user and editing only the username ). So the /etc/passwd has two login names with the same UID ( uid 0) - root and admin. Does this make any logic ?

Also the 'user1' is a normal user and doesn't have any UID conflict with anything.

Thanks for the help ... points to follow !

Shiju
Life is a promise, fulfill it!
Patrick Wallek
Honored Contributor

Re: Permission issue

Can you post the entries for root, admin and user1 from your passwd file?
Sanjay_6
Honored Contributor

Re: Permission issue

Hi Shiju,

I don't see a connection. If the user id "admin" has uid 0 other than root, then I don't see any cause how user1 can become the owner of files in /usr/sbin.

Hope this helps.

Regds
Helen French
Honored Contributor

Re: Permission issue

This is how the entries are:

root:swfdwER:0:3::/:/sbin/sh
admin:reRfRE:0:3::/:/sbin/sh
user1:asda3G:101:20:FTP user:/tmp/user1:/usr/bin/sh

Thanks!
Shiju
Life is a promise, fulfill it!
Duncan Galbraith
Frequent Advisor

Re: Permission issue

Hi,
Are you using your local /etc/passwd file ?
ie Are you running NIS or anything similar ?
Duncan
Helen French
Honored Contributor

Re: Permission issue

Hi,

Another thing I noticed now:

The user 'admin' was a user with UID 101 (current UID of 'user1') before. Recently he removed it and made it root equivalent.

But I still don't have the conclusion !

Shiju
Life is a promise, fulfill it!
Sanjay_6
Honored Contributor

Re: Permission issue

Hi,

If these files were owned by admin earlier and then the admin uid was changed from "101" to "0", the system will change the owner to "user1" if a new user id is created with uid "101". A change of admin uid will not result in a change in the ownership of the files owned by that user. The ownership of a file is associated with the uid and not with the actual user name.

Hope this helps.

Regds
Helen French
Honored Contributor

Re: Permission issue

Sanjay,

I understand that. But I don't think those files were owned by 'admin' !

Also when I run a 'find / -user' command, I could see one of the other exported file systems (NFS) has changed its files' ownership to 'user1'! Also the file /etc/exports ownership changed to 'user1'.

No idea why this happened !

Shiju

Life is a promise, fulfill it!
Kevin Wright
Honored Contributor

Re: Permission issue

I would start checking .sh_history files for chown commands. This didn't happen by itself: either, like was already stated, a uid changed, or a command went awry. I had this happen before, a dba used a find command incorrectly and chown'ed files.
Deepak Extross
Honored Contributor

Re: Permission issue

O'boy!! I love playing detective!

Maybe this 'user1' has/had root access (a vulnerable password, a root shell or access to the console, perhaps) and he did a chown on these files?
Steven Sim Kok Leong
Honored Contributor

Re: Permission issue

Hi,

Just a word of caution. I can see that you are not using any shadowed passwords. This is dangerous because any user could have copied /etc/passwd and run crack on it.

I would suggest that you enable your system to be a trusted system with shadowed passwords.

If the root and admin passwords are weak (part of it is a dictionary word), there is a likelihood that your superuser passwords might have already been compromised.

As mentioned above, check all the ~/.sh_history history files for anomalies such as:
1) attempts to read or copy /etc/passwd
2) attempts to chown

Check also your /etc/group for anomalies.

Hope this helps. Regards.

Steven Sim Kok Leong
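
The history check suggested in the replies above, sketched as an added example (not part of any post in this thread). The function name, the tags and the sample history lines are constructed for illustration; ksh-style history files may contain NUL bytes, so those are turned into line breaks before matching.

```shell
#!/bin/sh
# Added example: flag history lines that change ownership or touch /etc/passwd.
# SAMPLE_HISTORY is constructed test input, not taken from the thread.
SAMPLE_HISTORY='ls -l /usr/sbin
find / -name "*.log" -exec chown user1 {} \;
cp /etc/passwd /tmp/p
vi /etc/hosts
chown -R user1 /opt/app
cat /etc/group'

# scan_history LABEL < history-file
# Prints "LABEL:LINE:TAG:command" for every suspicious line.
#   CHOWN_BULK       chown/chgrp driven by find -exec or xargs (easy to mis-scope)
#   CHOWN_RECURSIVE  chown/chgrp with -R
#   CHOWN            any other chown/chgrp
#   PASSWD_ACCESS    any command line that names /etc/passwd
scan_history() {
    tr '\000' '\n' | awk -v label="$1" '
        # True when w appears as a whole word (also matches /usr/bin/chown).
        function word(w) {
            return match(" " $0 " ", "[^A-Za-z0-9_]" w "[^A-Za-z0-9_]")
        }
        function report(tag) { print label ":" NR ":" tag ":" $0 }
        {
            if (word("chown") || word("chgrp")) {
                if ($0 ~ /-exec|xargs/)          report("CHOWN_BULK")
                else if ($0 ~ / -[A-Za-z]*R/)    report("CHOWN_RECURSIVE")
                else                             report("CHOWN")
            }
            if ($0 ~ /\/etc\/passwd/) report("PASSWD_ACCESS")
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_HISTORY" | scan_history sample
```

For a real check, feed each user's history file in turn, for example `scan_history root < /.sh_history`, and review every hit by hand since a match only shows that a command was typed, not what it changed.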
Michael Tully
Honored Contributor

Re: Permission issue

One other thing: If you have possibly had your system compromised, suggest you change your 'root' password(s) immediately on all of your systems. In doing so create the passwords that shouldn't be discovered by crack.
Anyone for a Mutiny ?
Peter Kloetgen
Esteemed Contributor

Re: Permission issue

Hi Shiju,

when you have two users with the same UID in your system they are handled as ONE user after logging in. The only point of time user names are of any interest for OS is when getty processes do the login process and receive their information out of /etc/passwd or shadow files. After this users and permissions are internally controlled only via UIDs. If you have / had two users with the same UID in your system, you can try the following:

user1 is owner of a file/directory and has UID 101
user2 has the same UID
user2 uses chmod for the file, but doesn't change permissions
after this, the new owner in a long listing will be user2 !!!

Could this be the answer to your questions?

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
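
The UID points raised in the replies above (duplicate UIDs, a second UID 0 account, password hashes kept in /etc/passwd, and a reused UID inheriting another account's files) can be checked mechanically. This is an added example, not part of any post: the function names and tags are made up here, PASSWD_NOW is built from the three entries posted in the thread, and PASSWD_BEFORE is an assumed reconstruction of the earlier state in which 'admin' still held UID 101.

```shell
#!/bin/sh
# Added example: audit passwd-format input for the conditions discussed above.
# Password fields are the typed placeholders from the thread, not real hashes.
PASSWD_NOW='root:swfdwER:0:3::/:/sbin/sh
admin:reRfRE:0:3::/:/sbin/sh
user1:asda3G:101:20:FTP user:/tmp/user1:/usr/bin/sh'

# Assumed earlier state (constructed): admin had UID 101, user1 did not exist.
PASSWD_BEFORE='root:swfdwER:0:3::/:/sbin/sh
admin:reRfRE:101:20::/home/admin:/usr/bin/sh'

# audit_passwd < passwd-file : prints one finding per line as "TAG details".
audit_passwd() {
    awk -F: '
        NF < 3 || /^[+-]/ { next }      # skip malformed lines and NIS +/- entries
        {
            name = $1; pw = $2; uid = $3
            # Two names on one UID are a single identity to the kernel.
            if (uid in first) print "DUP_UID " uid " " first[uid] " " name
            else first[uid] = name
            if (uid == 0 && name != "root") print "EXTRA_UID0 " name
            # Anything other than x, * or a "!" lock marker is a hash that
            # every local user can read and copy.
            if (pw == "") print "EMPTY_PASSWORD " name
            else if (pw != "x" && pw != "*" && pw !~ /^!/) print "HASH_IN_PASSWD " name
        }'
}

# owner_name UID < passwd-file : the name a long listing shows for that UID.
# A lookup by UID returns the first matching entry, so file order matters.
owner_name() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }'
}

# Demo on the constructed samples.
printf '%s\n' "$PASSWD_NOW" | audit_passwd
echo "UID 101 before: $(printf '%s\n' "$PASSWD_BEFORE" | owner_name 101)"
echo "UID 101 now:    $(printf '%s\n' "$PASSWD_NOW" | owner_name 101)"
```

Against the live file the call is `audit_passwd < /etc/passwd`; the before/after lookup shows why files left behind under UID 101 are listed as belonging to whichever account holds that number today.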
Helen French
Honored Contributor

Re: Permission issue

Hi All,

Thanks for all ya help so far !

I think there is a little bit of confusion, my root password is not compromised. The /etc/passwd which I listed is just typed by me and is not the exact copy of the file (I mean about the password entry, Steven).

And the 'user1' is just a normal user created by me and nobody else can use that. Nobody else can play with either root or 'user1'. I have checked the sh_history file and couldn't find out anything wrong there too.

However, I have re-arranged all ownerships. Any more valuable inputs are welcome.

Thanks!
Shiju
Life is a promise, fulfill it!