[nSLUG] lost user access in most distros

Bill Davidson billdavidson at eastlink.ca
Wed Sep 20 11:08:41 ADT 2006


Hi:

If you deleted the user account "jeanre", how is it possible that the output of "ls" shows the file owner as "jeanre"?  That name shouldn't even be in /etc/passwd.  Further, if "jeanre" was just a temporary account you set up to test with, how is it even remotely possible that that account would be the owner of /bin/su???  As Rich pointed out, /bin/su should be setuid root, that is, it should be owned by user "root" and should have the setuid flag set.  How did you change the permissions and ownership of that file?  And how did you change the ownership to an account that doesn't exist?

Either your machine has been compromised (rootkit), or you have not been accurately reporting what you have done.
  ----- Original Message ----- 
  From: rejean chamberland 
  To: Nova Scotia Linux User Group 
  Sent: Wednesday, September 20, 2006 10:22 AM
  Subject: Re: [nSLUG] lost user access in most distros


  Here is an update:
  1. jeanre *was* my temporary user. 
  2. I recreated rejean and "userdel" jeanre.
  3. Now when I am rejean I try:
  [rejean at localhost ~]$ su
  Password:
  su: incorrect password
  4. So, following some advice, I booted into runlevel 1 and retyped my password.
  5. It was accepted, but upon rebooting in runlevel 5 I still get the same problem. Part of it must be:
  [rejean at localhost ~]$ ls -l /bin/su*
  -rwxr-xr-x  1 jeanre root 20308 Aug 18  2005 /bin/su*
  [rejean at localhost ~]$

  6. So I'll try switching user to root and see what "chmod u+s /bin/su*" can do. 
  Will keep you posted.
  Thanks again, Rich

  Rich <budman85 at eastlink.ca> wrote:
    On Tue, 2006-09-19 at 23:56 -0400, rejean chamberland wrote:
    > Hi Rich!
    > 

    > when I tried it in mandriva I got:
    > 
    > [jeanre at localhost ~]$ su
    > Password:
    > su: cannot set groups: Operation not permitted
    > [jeanre at localhost ~]$
    > 

    Ok, I saw this a long time ago, did a search on google to get a reminder.

    Could be a few things:

    1) run the 'groups' command to see what groups your id belongs to
    old versions used to use the 'wheel' group for su access
    I think it's no longer used.

    2) check the permissions on the su command
    ls -l /bin/su*
    hopefully, the SUID bit is set 
    if not then run "chmod u+s /bin/su" as root
    should be something like:
    -rws--x--x 1 root bin 37655 2006-03-24 15:39 "/bin/su"

    Was anything recently installed or upgraded on your system?

    What happened with the temp userid ?


    Regards,
    Rich
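The manual check Rich describes (ls -l /bin/su, owner root, SUID bit set) and Bill's point about a file owned by an account that should no longer exist can be scripted. The script below is an added example, not code from anyone in this thread; it assumes GNU coreutils stat(1) and getent(1), and the `--run` flag, `audit_setuid_bin` and `find_orphaned` names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a setuid helper such as /bin/su
# and hunt for files whose owning uid has no entry in /etc/passwd.
# Assumes GNU coreutils stat(1) ('-c' format) and getent(1).

# Print a space-separated list of issue tags for PATH; exit 0 only when clean.
# Expected state for /bin/su: owned by uid 0 and user-execute bit shown as 's'.
audit_setuid_bin() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi
    uid=$(stat -c '%u' "$path")     # numeric owner, e.g. 0
    owner=$(stat -c '%U' "$path")   # owner name, or UNKNOWN when the uid is unresolvable
    perms=$(stat -c '%A' "$path")   # symbolic mode, e.g. -rwsr-xr-x
    xbit=$(printf '%s' "$perms" | cut -c4)   # 4th char is user execute: 's'/'S' = setuid
    issues=""
    [ "$uid" -eq 0 ] || issues="$issues not-root-owned(uid=$uid)"
    case "$xbit" in
        s|S) ;;                                  # setuid bit present
        *)   issues="$issues setuid-not-set" ;;
    esac
    # An owner name the system cannot resolve means the owning account is gone
    # (or never existed); on a system binary that deserves a closer look.
    getent passwd "$owner" >/dev/null 2>&1 || issues="$issues owner-unresolvable($owner)"
    if [ -z "$issues" ]; then
        echo "ok"
        return 0
    fi
    echo "${issues# }"
    return 1
}

# List files under DIR whose owning uid has no passwd entry (stays on one filesystem).
find_orphaned() {
    find "$1" -xdev -nouser 2>/dev/null
}

# Usage: ./audit.sh --run  (audits /bin/su, then looks for orphaned files under /bin and /usr)
if [ "${1:-}" = "--run" ]; then
    audit_setuid_bin /bin/su
    find_orphaned /bin
    find_orphaned /usr
fi
```

A clean /bin/su prints "ok"; the state quoted in this thread would print "not-root-owned(uid=...) setuid-not-set" plus an owner tag if the name no longer resolves.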




