
Re: any user can modify files owned by root!!!

 
Masaki Birchmier
Frequent Advisor

any user can modify files owned by root!!!

I adopted a Linux system where any user can read/modify/remove files with permission
-rw-r--r-- root root
(but not files owned by other users). It's a huge security issue and I need help resolving this ASAP.

In /etc/group I have nothing out of the ordinary:
root:x:0:root
sys:x:3:root,bin.adm
adm:x:4:root,adm,daemon

There is nothing in /etc/sudoers that would allow this...

I've browsed some of the PAM files, comparing them with another system, and didn't see anything (but I'm not an expert in this area and could have missed something).

If anyone has any suggestions what might be causing this I would greatly appreciate it.

masaki

Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

I'm pretty sure that users cannot modify the contents of the file listed, but they can delete it, because the deletion permission is dictated by the directory that contains the file. So, if the directory has write permissions for the user/group/others, then user/group/other can delete files in the directory, even when they are not owners of the file or have no permissions on it.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Stuart Browne
Honored Contributor

Re: any user can modify files owned by root!!!

Read and remove, sure.

You've got global +r, so anybody can read it.

And Ivan's post covered the removal.

But I highly doubt you can 'modify' the contents of one of these files.
One long-haired git at your service...
Guru Dutta
Frequent Advisor

Re: any user can modify files owned by root!!!

By looking at the permission bits, it seems that all have read access and only root or the file creator has write permission, which implies that he is the person who can delete/remove it.
Vibhor Kumar Agarwal
Esteemed Contributor

Re: any user can modify files owned by root!!!

I'll go the other way round.

Change your root password.
Vibhor Kumar Agarwal
Masaki Birchmier
Frequent Advisor

Re: any user can modify files owned by root!!!

The symptom is that normal users take on the permissions of root user.
I assure you they can modify any file as long as root owns the file and has write permissions like /etc/passwd !
Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

The only way that this could happen is that other users, besides root, have UID 0 in /etc/passwd (if it's local authentication). Verify that no other user except root has UID 0 (3rd value).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Rick Garland
Honored Contributor

Re: any user can modify files owned by root!!!

Check the UID values of the users.

There should only be 1 UID=0 and that is root.

Here is a script that can help. Modify as needed since original inception was in NIS environment.

Masaki Birchmier
Frequent Advisor

Re: any user can modify files owned by root!!!

Yup, I already checked for uid=0 in /etc/passwd.

One additional piece of information is that although normal users can modify root-owned files, they cannot run root commands. It doesn't seem to matter what the group ownership/permissions are set to.
Masaki Birchmier
Frequent Advisor

Re: any user can modify files owned by root!!!

Only root has uid=0
There are several groupid=0,
sync, shutdown, halt, operator. I think these are OK.
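
The UID 0 check suggested earlier in the thread and the GID 0 accounts listed in this reply, as an added shell example; it is not the script referred to above and not code from any poster. The sample passwd lines, the account name svcacct and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd-format file for accounts that carry root's UID or GID.

# Constructed sample data (not taken from the system in this thread).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
svcacct:x:0:100:constructed rogue entry:/home/svcacct:/bin/bash
+::::::
EOF
}

# Names with UID 0 (3rd field) other than root. The numeric comparison
# also catches spellings such as "00".
extra_uid0() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1 }' "$1"
}

# Non-root names whose primary GID (4th field) is 0.
gid0_accounts() {
    awk -F: '$4 ~ /^[0-9]+$/ && $4 + 0 == 0 && $1 != "root" { print $1 }' "$1"
}

# Count NIS compat lines ("+..." / "-..."). If any exist, accounts also come
# from a directory service, so `getent passwd` must be reviewed as well.
nis_entries() {
    awk '/^[+-]/ { n++ } END { print n + 0 }' "$1"
}

# Print a report; return 1 when an extra UID 0 account exists.
audit_passwd() {
    f=${1:-/etc/passwd}
    bad=$(extra_uid0 "$f")
    echo "extra UID 0 accounts: ${bad:-none}"
    echo "GID 0 accounts:       $(gid0_accounts "$f" | tr '\n' ' ')"
    echo "NIS compat entries:   $(nis_entries "$f")"
    [ -z "$bad" ]
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_passwd "$tmp" || echo "=> extra UID 0 account found, investigate"
rm -f "$tmp"
```

On a live system, `audit_passwd` with no argument reads /etc/passwd; a non-zero NIS count means the local file is not the whole account database.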


Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

Do you know the specific commands that users use to modify the files?

Maybe, the commands, like vi, have the set user id bit enabled (SUID). You will see an "s" in the permissions:

-rwsr-xr-x 5 root root 331552 Jun 16 2004 /bin/vi
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Rick Garland
Honored Contributor

Re: any user can modify files owned by root!!!

Are the passwds secured?
Is sudo in play? How about PowerBroker?

Do the visudo command. This will display the sudoers file. Any clues?

Check the sudoers log file - if you have the sudo.conf file set up.


Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

You can use the following command to find suid files:

find / -user root -perm -4000 -ls

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Masaki Birchmier
Frequent Advisor

Re: any user can modify files owned by root!!!

Thanks for your input, here are the results.

Checked SUID on vi, not there.

Some examples of what non-root users can do:
$ cd /root
permission=750 root root /root

$ cat /etc/shadow
permission=600 root root /etc/shadow

$ vi /etc/passwd
permission=644 root root /etc/passwd

sudo is not involved. If I try to use it, it prompts me for the root password (sudo vi /etc/passwd).

PowerBroker is not installed.
Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

Verify the ACLs, use

getfacl /etc/passwd
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

Verify the ACLs (if they exist), use

getfacl /etc/passwd

Verify that you don't have a rootkit installed. Use the rpm -V command to check the integrity of the commands in the system, and whether they changed.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: any user can modify files owned by root!!!

You should download and install chkrootkit

http://www.chkrootkit.org/
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Stuart Browne
Honored Contributor

Re: any user can modify files owned by root!!!

What was the output of 'id' when running those commands earlier?

Also, what terminal were you on? The console? ssh'd in?
One long-haired git at your service...
Masaki Birchmier
Frequent Advisor

Re: any user can modify files owned by root!!!

It's not an ACL issue; I specifically checked a few items and there are no ACLs involved.

chkrootkit, interesting tool, ran it but did not detect anything.

The userid can be any number, and all root files are available to them.

I've verified that the symptom exists when connected with ssh, and telnet.

Masaki
Florian Heigl (new acc)
Honored Contributor

Re: any user can modify files owned by root!!!

Maybe check your /etc/shadow or /etc/passwd.master.

Try to enable kernel auditing (SELinux extensions) and create an audit trail of the file accesses.
yesterday I stood at the edge. Today I'm one step ahead.
Andrew Bruce
Valued Contributor

Re: any user can modify files owned by root!!!

If you are concerned about the security of the system (as opposed to just being curious), I would suggest at this point that you back up the user data and reinstall the server.

It sounds like you have a seriously nobbled system, and, unless you want to dissect it to find out what is happening, as opposed to just fixing the problem, reinstalling would lead back to a secure, base-lined system.

After all, you did 'adopt' it in the first place. Might as well make it truly yours!

Regards,

Andy
I Love it when a plan comes together!