LinuxQuestions.org


M$ISBS 07-07-2005 11:22 PM

Help with Rkhunter findings............................
 
I ran rkhunter and found this:

- PHP 4.3.7 [ Vulnerable ]
- PHP [unknown] [ OK ]
- Procmail MTA 3.15.2 [ OK ]
- ProFTPd 1.2.9 [ Vulnerable ]

I am not running a server so should I worry about these?

Also, it says "Warning: some users in root group". Is that a problem?

Thanks.

hardcorelinux 07-08-2005 12:18 AM

Yeah, both PHP and proftp are old versions with a lot of security problems in those versions, so update your PHP and proftp.

v00d00101 07-08-2005 08:58 AM

As long as you've disabled those services, there shouldn't be a problem, since they can't be exploited if they aren't running.

Updating them both is of course the logical way of doing things, but if you really don't use them, I'd say to remove them from your system, full stop; no point in cluttering it with things you have no use for.

M$ISBS 07-09-2005 11:27 AM

Thanks.

Ephracis 07-12-2005 05:32 AM

And having accounts in the root group is bad. Those users will have a lot of access and you should try to put them in more secure groups. What does your /etc/passwd look like?

M$ISBS 07-21-2005 02:38 PM

Quote:

Originally posted by Ephracis
And having accounts in the root group is bad. Those users will have a lot of access and you should try to put them in more secure groups. What does your /etc/passwd look like?

I don't know what you mean? Is it safe to post that file?

Ephracis 07-22-2005 10:20 AM

Quote:

Originally posted by M$ISBS
I don't know what you mean? Is it safe to post that file?

Yes, it only contains information about users and groups. Even though the name is "passwd" (password), I assume that you use shadowed passwords (most distros do that now); then the actual hashed passwords are in /etc/shadow, encrypted. Your /etc/passwd will then only show an 'x' in the password field, so it will be safe to post that into this forum.

But anyway, you should not have a regular user in the root-group. That would be unsafe.

M$ISBS 07-22-2005 07:41 PM

How would I go about moving my user from the root group safely? Thanks.

Ephracis 07-22-2005 08:30 PM

Code:

su
<password>
usermod -g users -G "" login

This will put user "login" in group "users" and no other groups than that. You may want to put it into some other group (some distros put every user in their own group, named exactly as the loginname).

And you may also want to put your user in additional groups such as "cdrom", "mount", "sound" and such, to grant it access to various stuff.

This can differ between different distros.

M$ISBS 07-28-2005 08:08 PM

Quote:

Originally posted by Ephracis
Code:

su
<password>
usermod -g users -G "" login

This will put user "login" in group "users" and no other groups than that. You may want to put it into some other group (some distros put every user in their own group, named exactly as the loginname).

And you may also want to put your user in additional groups such as "cdrom", "mount", "sound" and such, to grant it access to various stuff.
This can differ between different distros.

Thanks. But can this be done from KDE if I log in to KDE as root? And is there any risk of losing the user I am changing the group of? Thanks.

Ephracis 07-28-2005 08:57 PM

You should never log in as root with any desktop environment or window manager; there is no reason to. Just start KDE as usual, open up a terminal of your choice (Konsole, aterm, xterm, rxvt, etc.) and type in the commands I listed for you.

And no, you will not lose the user as long as you don't type userdel or deluser, or start editing /etc/passwd.

M$ISBS 07-31-2005 09:43 PM

I did as stated above and now I have my user under users and root. How did that happen? And how can I fix that? Thanks.

Ephracis 08-01-2005 03:45 AM

The "-g users" put the login under the users group. You may want to put it in another group though; some distros have a group named exactly as the login name, but some use the "users" group for all the regular users.

I am not sure why your login is still in the root group; check your /etc/groups and edit it so your root group only contains privileged accounts (e.g. the root account).

This setup should not be the default in any distro. Have you been doing anything to the accounts, or was it like this after you installed Linux?

M$ISBS 08-01-2005 07:28 PM

I just checked and I have a file called group- and one called group, but the group without the hyphen does not show any users in user or root. I just modified the group- file and removed my user from the root group. I think I created the accounts in KDE, so maybe KDE did something different with setting up the accounts.
After doing the above, I ran rkhunter and the message showing a user group in root group does not show up.
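
Added example, not part of the thread: a small shell check for the condition rkhunter warned about, listing every non-root account that is in GID 0 either as its primary group (passwd field 4) or as a supplementary member (group file field 4). The function names and the sample file contents are constructed for illustration; on a real system pass /etc/passwd and /etc/group (the live file; /etc/group- is the backup copy the shadow utilities keep).

```shell
#!/bin/sh
# root_group_members PASSWD_FILE GROUP_FILE
# Prints "user<TAB>primary" or "user<TAB>supplementary" for each
# non-root account that belongs to GID 0.
root_group_members() {
    passwd_file=$1
    group_file=$2
    {
        # passwd format: name:pw:uid:gid:gecos:home:shell
        awk -F: '$4 == 0 && $1 != "root" { print $1 "\tprimary" }' "$passwd_file"
        # group format: name:pw:gid:member1,member2,...
        awk -F: '$3 == 0 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root") print m[i] "\tsupplementary"
        }' "$group_file"
    } | sort -u
}

# Constructed sample files (hypothetical users, not taken from the thread).
make_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:0:Bob:/home/bob:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:root,alice
users:x:100:
EOF
}

# Demo run against the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
root_group_members "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

A "primary" hit is changed with `usermod -g`, a "supplementary" hit with `usermod -G` or by editing the member list in /etc/group. Some distributions ship system accounts with GID 0, so review the output rather than treating every line as a fault.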


All times are GMT -5.