From: dominic christopher (dominicfree@yahoo.com)
Date: Tue Feb 04 2003 - 08:19:28 EST
Dear Managers ,
I sincerely thank :
Joerg Bruehe, Ann Majeske, Werner Rost,Gideon
Wheeler,& Richard Mollel.
The Problem :
The users directory on one of our As200 servers
> running 4.0f patch kit 1 , shows the owner as
> 183 , now this owner does not exist on the
system
> nor is it the uid of any existing owner .
>
> A ls -l of the /usr directory is given below.
>
> drwxr-xr-x 3 root system 6656
Nov
> 30
> 1999 sbin
> drwxr-xr-x 9 root system 512 Nov 30
> 1999
> share
> drwxr-xr-x 8 root system 2560 Jan 27
> 13:51
> shlib
> drwxr-xr-x 3 root system 512 Nov 30
> 1999
> skel
> lrwxr-xr-x 1 root system 12 Dec 5
> 1999
> spool -> ../var/spool
> drwxr-xr-x 19 root system 512 Jan 27
> 13:15
> sys
> drwxr-xr-x 3 root system 512 Nov 30
> 1999
> tcb
> lrwxr-xr-x 1 root system 10 Dec 5
> 1999
> tmp -> ../var/tmp
> lrwxr-xr-x 1 root system 5 Dec 5
> 1999
> ucb -> ./bin
> drwxrwxr-x 9 183 system 512 Nov 25
> drwxrwxr-x 26 root system 512 Dec 3
> 1999
> var
> niv-stn> pwd
> /usr
The Solution
-----------------------------
Ann Majeske :
The fverify command (see man fverify) might be
useful in
determining if any other system
files or directories were
changed and what they should be
changed back to.
As to why or how the owner on the
directory got changed,
I really don't know. Only root can
change the owner of
a file, so it had to be a person or
program with root
permissions. The chown command
allows you to set the
owner to any uid (whether there is
an associated user or
not), so it would have been fairly
easy to do. Whether
it was accidental or malicious I
can't tell.
If you had been running the Audit
subsystem when the
problem first occured, you'd have
much more information
on who did it and how. You might
want to consider enabling
audit so you can track down what
happens if it happens
again. There's information on
enabling and running audit
in the Security manual.
Ann
It depends on whether you deleted the user
properly or not. If you just
edited the
/etc/passwd database directly with
your
favorite editor and deleted the
line for
that user, the /etc/passwd file
would
be updated, but the hashed database
(/etc/passwd.dir and
/etc/passwd.pag) would
not get updated. In this case,
since the
hashed database still has the
information
on the "deleted" user you would
still see
the user's name listed by ls -l.
If you
are running Enhanced Security, the
user's
name would still be listed in the
prpasswd
database as well.
If you delete the user properly you
shouldn't
see the user's name still listed by
ls -l.
There are several ways to delete
users including
vipw (if you are running base
security),
the dxaccounts gui, or the userdel
command.
To simply update the hashed
password database
you can use the /usr/sbin/mkpasswd
command.
Ann
Werner Rost :
This is no bug but normal behaviour.
You may do following test:
1. create a ne user say BillGates
2. logon as BillGates
create some files
look at the properites of that
files "ls -l"
logoff
3. delete this user BillGates
4. look again at the properties of
the above files
What do you see?
> Mit freundlichen Grüßen / regards
> Werner Rost
>
Joerg Bruehe:
That does not matter:
- A Unix file system does not store the
owner's or group's name
for a file, it stores only the numeric
ID.
- "ls -l" will always show the number (not
the name) if it does
not find that number (and the
corresponding name) in
"/etc/passwd" and/or "/etc/group" (or via
NIS, ...).
- AFAIK, you can use "chown" / "chgrp" with
a number (in place
of the name), and it will assign that
number as the numeric ID
of owner / group.
- You can also delete a user (or group)
entry from the system
files ("/etc/passwd", "/etc/group",
and/or NIS ...), that will
not affect any files (or directories)
belonging to that user
(or group). "ls -l" will just show the
number.
This is standard Unix philosophy (and
implementation) from the
very beginnings with Ritchie / Thompson,
AFAIK.
HTH,
Joerg Bruehe
--
Joerg Bruehe, SQL Datenbanksysteme
GmbH, Berlin, Germany
(speaking only for himself)
mailto: joerg@sql.de
Gideon Wheeler :
is 183 consistent across all directory contents?
> Do you use NIS ?
> Who is supposed to own the
Directory ( I say this
> because the
> permissions for the directory
are group read
> writable. Anybody can use
> chown to change it to any value
they wish in that
> group
>
> touch afile
> chown 9999 afile
> ls -al afile
> -rw-rw-r-- 1 9999 staff
0 Jan 29
> 09:55 afile
>
> So there is not much you can do,
except change it
> back
Thanks regards,
Dominic .F .
>
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:06 EDT