Old 06-19-2007, 03:44 PM   #1
Enochroot
LQ Newbie
 
Registered: Jun 2007
Posts: 2

network accessible only as root after modifying owner of /etc/*


Hi there,
I installed lots of packages on my Ubuntu and since then my network only works for root; all other users are not allowed to access it, e.g.:
Code:
mm@moondust:~$ ping www(dot)google(dot)ch
ping: icmp open socket: Operation not permitted
mm@moondust:~$ sudo ping www(dot)google(dot)ch
PING www(dot)l(dot)google(dot)com (72.14.235.99) 56(84) bytes of data.
64 bytes from google(dot)com (72.14.235.99): icmp_seq=1 ttl=241 time=325
IMHO there are two reasons for this behavior:
a) I (a setup script?) accidentally modified the owner of all files and folders within /etc (and some other top-level folders like /var) to be my normal user, not root
b) which caused me some trouble with /etc/sudoers first, which I repaired in recovery mode.
Ok, b) is caused by a)...
After recognizing that fault I turned the owner of /etc/* back (???) to root:root, but there's some magic missing. It seems *NOT* to be a problem with wrong IPTABLE config or anything like that. I guess there's still a file with the wrong access rights set.
  • Does anybody know, which files are necessary for network access and which owners/access rights these files must have?
  • Or is there a command on ubuntu to reset all this stuff to system default?
  • Do all top-level folders have root:root as owner by default?

Here's some more info:
Code:
mm@moondust:~$ uname -a
Linux moondust 2.6.15-28-386 #1 PREEMPT Thu May 10 09:45:43 UTC 2007 i686 GNU/Linux
mm@moondust:~$ ifconfig
eth0      Protokoll:Ethernet  Hardware Adresse 00:02:3F:93:4B:88
          inet Adresse:192.168.0.101  Bcast:192.168.0.255  Maske:255.255.255.0
          inet6 Adresse: fe80::202:3fff:fe93:4b88/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5962 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6466 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:5242244 (4.9 MiB)  TX bytes:1011653 (987.9 KiB)
          Interrupt:225 Basisadresse:0x6800

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:372 (372.0 b)  TX bytes:372 (372.0 b)
Sorry for all the (DOT)s, but it's my first post and thus URLs are not allowed...
Thanks for any help!!
Enoch
 
Old 06-19-2007, 04:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
mm@moondust:~$ ping www(dot)google(dot)ch
ping: icmp open socket: Operation not permitted

Sounds like ping not being setuid root.

Quote:
is there a command on ubuntu to reset all this stuff to system default?
Maybe somebody knows how to make 'dpkg-query' show per-file ownership and permissions (I don't use Debian or derivatives). If it does then a wee script should solve this problem.

Quote:
Do all top-level folders have root:root as owner by default?
AFAIK yes.
 
Old 06-20-2007, 06:44 AM   #3
Enochroot
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Original Poster
The solution is quite simple (as most times...):
The sticky bit and the suid/guid bit must be set correctly. They are listed somewhere in the Ubuntu docu (I will post the link as soon as I have found it again). After setting these bits for some files in /etc, /bin and /sbin, the system works again.
Huuuhhh, try this on Window$ ;D
 
Old 06-20-2007, 06:56 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Here are the files in /etc/ on my laptop that aren't root:root owned:
Code:
sudo ls /etc/* -lR | grep -v -e '^/' -e '^$' -e '^total' -e 'root root' -e 'root *root'
-rw-rw----  1 mysql mysql     4984 Nov 25  2006 /etc/my.cnf
-rw-r-----  1 root  ntp       2023 Nov 25  2006 /etc/ntp.conf
-rw-r-----  1 root  shadow     626 Jun  4 08:01 /etc/shadow
-rw-r-----  1 root  shadow     625 May 30 04:21 /etc/shadow.old
-rw-r-----  1 root  dialout     72 Nov 25  2006 /etc/smpppd-c.conf
-rw-r-----  1 root  dialout    302 Nov 25  2006 /etc/wvdial.conf
-rw-r----- 1 root lp   1743 Jun 20 04:01 cupsd.conf
-rw-r----- 1 root lp   1801 Jun 20 03:58 cupsd.conf.O
drwxr-xr-x 2 lp   lp   4096 Jan 16 05:07 interfaces
drwxr-xr-x 2 root lp   4096 Jun 20 04:28 ppd
-rw------- 1 root lp    337 Jun 20 04:28 printers.conf
-rw-r--r-- 1 lp   sys   946 Nov 27  2006 pstoraster.convs
drwx------ 2 root lp   4096 Jun 20 04:03 ssl
-rw------- 1 root lp 1062 Jun 20 04:03 server.crt
-rw------- 1 root lp  887 Jun 20 04:03 server.key
If you also changed the permissions, the list would be a lot longer. If you aren't sure which system directories were affected, it might be re-install time unless Ubuntu has the equivalent of "rpm -V".
 
Old 06-20-2007, 11:50 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
it might be re-install time unless Ubuntu has the equivalent of "rpm -V"
AFAIK you don't want "rpm -V". What you want is the RPM equiv of "dpkg --fix" :-]
In RPM this goes something like
Code:
case "$#" in 0) rpmopt="a"; unset pkg;; *) unset rpmopt; pkg="$1";; esac
rpm -q${rpmopt} --dump ${pkg}|while read t; do t=( ${t} ); for i in 3 4; do
case "${#t[$i]}" in 7) echo "chmod ${t[$i]:3:4} ${t[0]}"
echo "chown ${t[5]}.${t[6]} ${t[0]}";; esac; done; done
 
Old 06-20-2007, 12:35 PM   #6
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Quote:
Originally Posted by Enochroot
After setting these bits for some files in /etc, /bin and /sbin, the system works again. Huuuhhh, try this on Window$ ;D
Heh...the first part (breaking due to permissions) is quite easy to accomplish on Windows =)

Fixing it? I don't know...I installed Linux over it...
 
Old 06-20-2007, 04:24 PM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Quote:
AFAIK you don't want "rpm -V". What you want is the RPM equiv of "dpkg --fix" :-]
In RPM this goes something like
Code:
case "$#" in
    0) rpmopt="a"
       unset pkg
       ;;
    *) unset rpmopt
       pkg="$1"
       ;;
esac

rpm -q${rpmopt} --dump ${pkg} | while read t
do
    t=( ${t} )
    for i in 3 4
    do
        case "${#t[$i]}" in
            7) echo "chmod ${t[$i]:3:4} ${t[0]}"
               echo "chown ${t[5]}.${t[6]} ${t[0]}"
               ;;
        esac
    done
done


So I should have said the equivalent or better.
What is the reason for checking the 3rd field of the dump? Has the format changed from a previous version?

Using a list of altered packages from
rpm -qaV | awk '{print $NF}' >badfiles
would allow trimming your list down:
./yourscript >fixpermissions
grep -f badfiles fixpermissions >trimmedlist

Or you could wrap your script in a loop supplying the package argument: $pkg

Last edited by jschiwal; 06-20-2007 at 05:31 PM.
 
Old 06-21-2007, 02:04 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
What is the reason for checking the 3rd field of the dump? Has the format changed from a previous version?
Fourth array element actually. Unless the format changed it's the DAC rights field.

Quote:
Using a list of altered packages from rpm -qaV (...) would allow trimming your list down
Hmm, yes, that would be less destructive :-] Come to think of it, with RPM you can create files w/o listing them in the %files section of the .spec...

Last edited by unSpawn; 06-21-2007 at 02:05 PM.
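The "rpm --dump" recipe discussed in posts #5, #7 and #8, as an added example that is not unSpawn's or jschiwal's script: plain sh plus awk that regenerates chmod/chown commands from dump-style lines and separately lists the entries whose recorded mode carries the setuid bit (the ping case from post #2). The sample dump lines, their digests and owners are constructed for this example, and the number of leading zeros in the mode field is treated as unknown, which is why the permission digits are taken from the end of the field rather than at a fixed offset.

```shell
# Added example (not unSpawn's or jschiwal's script): regenerate chmod/chown
# commands from `rpm --dump` style lines with awk only, so it runs in plain sh.
# Dump line layout: path size mtime digest mode owner group isconfig isdoc rdev symlink
# The mode is st_mode in octal (file type + permission bits).  Only the last four
# digits matter for repair: the first of them carries setuid (4), setgid (2) and
# sticky (1), which is exactly what a lost setuid bit on ping looks like.  Taking
# the digits from the end avoids depending on how many leading zeros the dump prints.

# Constructed sample dump for this example (digests, sizes and owners are made up).
SAMPLE_DUMP='/bin/ping 30764 1170000000 d41d8cd98f00b204e9800998ecf8427e 0104755 root root 0 0 0 X
/etc/shadow 626 1180000000 e3b0c44298fc1c149afbf4c8996fb924 0100640 root shadow 1 0 0 X
/etc/ppp 4096 1170000000 00000000000000000000000000000000 040755 root dip 0 0 0 X
/etc/alternatives/pager 0 1170000000 00000000000000000000000000000000 0120777 root root 0 0 0 /usr/bin/less'

# dump_to_fixes: dump lines on stdin -> one chmod and one chown line per entry.
# Symlinks (type 012) are skipped: chmod follows the link and would alter its target.
dump_to_fixes() {
    awk '{
        path = $1; mode = $5; owner = $6; group = $7
        if (length(mode) < 4) next                    # no permission bits to recover
        perm  = substr(mode, length(mode) - 3)        # last four octal digits
        ftype = substr(mode, 1, length(mode) - 4)     # leading digits: S_IFMT file type
        sub(/^0+/, "", ftype)                         # 0120777 and 120777 both -> 12
        if (ftype == "12") next
        printf "chmod %s %s\n", perm, path
        printf "chown %s:%s %s\n", owner, group, path
    }'
}

# expected_setuid: paths whose recorded mode carries the setuid bit, i.e. the files
# that must be setuid root for the "icmp open socket: Operation not permitted" case.
expected_setuid() {
    awk '{
        mode = $5
        if (length(mode) < 4) next
        perm = substr(mode, length(mode) - 3)
        if (substr(perm, 1, 1) ~ /^[4-7]$/) print $1   # setuid bit (4) in the special digit
    }'
}

# Review the generated commands before running them; only then pipe them into sh.
printf '%s\n' "$SAMPLE_DUMP" | dump_to_fixes
printf '%s\n' "$SAMPLE_DUMP" | expected_setuid
```

On a real system the sample variable would be replaced by `rpm -qa --dump` (or `rpm -q --dump pkg`), and the output can be intersected with jschiwal's `rpm -qaV` list to limit the fixes to files that actually differ.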
All times are GMT -5. The time now is 07:32 AM.