[nSLUG] lost user access in most distros

rejean chamberland laudire2you at yahoo.ca
Wed Sep 20 13:38:49 ADT 2006


Hi Bill!
Most of your questions are similar to the ones I was asking myself. I did assume that "userdel jeanre" had worked since it was followed by a clean prompt (meaning no messages).
So I switch back to root again and "userdel jeanre". I switched back into rejean and now I get:
 [code]
 [rejean at localhost ~]$ su
 Password:
 su: cannot set groups: Operation not permitted
 [rejean at localhost ~]$ ls -l /bin/su*
 -rwsr-xr-x  1 501 root 20308 Aug 18  2005 /bin/su*
 [rejean at localhost ~]$
 
 [/code]
I'm definitely gonna check for rootkit because I don't want to spend 2 days or a week fixing the other 7 corrupted distros to have the problem reoccurring again.
If anyone else has a suggestion just shoot. I'm desperate here.

Bill Davidson <billdavidson at eastlink.ca> wrote:

Hi:

If you deleted the user account "jeanre", how is it possible that the output of "ls" shows the file owner as "jeanre"? That name shouldn't even be in /etc/passwd. Further, if "jeanre" was just a temporary account you set up to test with, how is it even remotely possible that that account would be the owner of /bin/su??? As Rich pointed out, /bin/su should be setuid root, that is it should be owned by user "root" and should have the setuid flag set. How did you change the permissions and ownership of that file? And how did you change the ownership to an account that doesn't exist?

Either your machine has been compromised (rootkit), or you have not been accurately reporting what you have done.
----- Original Message -----
From: rejean chamberland
To: Nova Scotia Linux User Group
Sent: Wednesday, September 20, 2006 10:22 AM
Subject: Re: [nSLUG] lost user access in most distros
   

Here is an update;
1. jeanre [b]was[/b] my temporary user.
2. I recreated rejean and "userdel" jeanre.
3. Now when I am as rejean I try;
[rejean at localhost ~]$ su
Password:
su: incorrect password
4. so following some advice I booted into runlevel 1 and retyped my password.
5. It was accepted but upon rebooting in runlevel 5 I still get the same problem. Part of it must be;
[rejean at localhost ~]$ ls -l /bin/su*
-rwxr-xr-x  1 jeanre root 20308 Aug 18  2005 /bin/su*
[rejean at localhost ~]$

6. So I'll try switching user to root and see what "chmod u+s /bin/su*" can do.
Will keep you posted.
Thanks again Rich

Rich <budman85 at eastlink.ca> wrote:

On Tue, 2006-09-19 at 23:56 -0400, rejean chamberland wrote:
> Hi Rich!
>
> when I tried it in mandriva I got:
>
> [jeanre at localhost ~]$ su
> Password:
> su: cannot set groups: Operation not permitted
> [jeanre at localhost ~]$
>

Ok, I saw this long time ago, did a search on google to get a reminder.

Could be a few things:

1) run the 'groups' command to see what groups your id belongs to
old versions used to use 'wheel' group for su access
I think it's no longer used.

2) check the permissions on the su command
ls -l /bin/su*
hopefully, the SUID bit is set
if not then run "chmod u+s /bin/su" as root
should be something like:
-rws--x--x 1 root bin 37655 2006-03-24 15:39 "/bin/su"

Was anything recently installed or upgraded on your system?

What happened with the temp userid?


Regards,
Rich
_______________________________________________
nSLUG mailing list
nSLUG at nslug.ns.ca
http://nslug.ns.ca/cgi-bin/mailman/listinfo/nslug
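
An added example, not written by anyone in the thread: a small shell check for the two states shown above, where /bin/su has no setuid bit ("incorrect password") or has the bit but is owned by a uid other than root, here the leftover uid 501 ("cannot set groups: Operation not permitted"). The function names and the optional WANT_UID and PASSWD_FILE parameters are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a root-setuid helper such as /bin/su from its
# numeric owner and setuid bit, the two fields read off `ls -l` in the thread.

# file_owner_uid FILE -> numeric owner uid (third field of `ls -ldn`)
file_owner_uid() {
    ls -ldnL -- "$1" | awk '{print $3}'
}

# uid_has_account UID [PASSWD_FILE] -> exit 0 if a local account has that uid.
# A uid with no account is why ls prints a bare number such as 501.
# Only the local passwd file is read (no LDAP/NIS lookup).
uid_has_account() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# helper_status FILE [WANT_UID] -> prints one status word, non-zero on a problem.
# WANT_UID defaults to 0 (root); the parameter is an assumption of this
# example so the check can be exercised on scratch files without being root.
helper_status() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ]; then
        echo missing; return 3
    fi
    owner=$(file_owner_uid "$file")
    if [ "$owner" != "$want_uid" ]; then
        # With the setuid bit set the helper runs as this uid instead of
        # root; without the bit it simply runs as the caller.
        echo "wrong-owner:$owner"; return 1
    fi
    if [ ! -u "$file" ]; then
        echo no-setuid; return 2
    fi
    echo ok
}
```

`helper_status /bin/su` can be run as any user; on a `wrong-owner:N` result, `uid_has_account N` tells whether N still belongs to a local account.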