LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-28-2006, 04:25 AM   #1
phyrster
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Rep: Reputation: 0
Strange file size and permissions under /usr/sbin


When I did a ls -alh |grep T under /usr/sbin, I found that some files with very strange sizes and permissions:

Code:
ls -hal|grep T
total 4.3T
?-w---xrwT 33261 root root  40T 2006-05-18 23:43 exicyclog
?-w--w---T 33261 root root  18T 2006-05-18 23:43 exigrep
?-w---sr-x 33261 root root  19T 2006-05-18 23:43 exim_checkaccess
?-w-r-S--- 33261 root root 291T 2006-05-18 23:43 exim_convert4r4
How come there is such a file with a size of 291T?!

Am I hacked? What is the cause of this problem?
 
Old 05-28-2006, 09:22 AM   #2
vls
Member
 
Registered: Jan 2005
Location: The grassy knoll
Distribution: Slackware,Debian
Posts: 192

Rep: Reputation: 31
I don't have an answer for what happened but it looks like those files are foobarred beyond belief. Or your filesystem itself has been corrupted.

Easy solution: Delete or un-install the package those files came from and re-install that program. Then check to see if permissions and sizes are sane.

If not --
Pain in the A** solution:
N.B. I can't tell you if this will help or not but it can't hurt and I don't have any other ideas.

Is /usr or /usr/sbin on a separate partition? You could umount that partition, fsck it and see what happens.

If not a separate partition, you could force an fsck by placing a file named forcefsck in the /etc directory and reboot.

You do not want to run fsck on mounted file systems.

If that works, remove the /etc/forcefsck file.

Hopefully, all you need is a fresh install of that particular package. You might considered downloading the latest version from your distro in case say your CD install disc has a corrupted package.

Hacked? I doubt it.

Good Luck
 
Old 05-28-2006, 09:50 AM   #3
phyrster
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for helping.

Here is what I did, I booted using another linux in the disk and fsck-ed the one causing trouble.

fsck did find some problems and fixed them. But when I booted back, the problems are still there. Ok, I once again booted to the rescue linux and did fsck again on that reiserfs partition. No problems found, clean. When I rechecked these files, they still got the riduculous sizes and permissions.

I am wondering what is causing this? Yes I can delete them and reinstall the pkgs but I want to know the reason. And why fsck couldn't correct them?

Could you also help with another question?
?-w-r-S--- 33261 root root 291T 2006-05-18 23:43 exim_convert4r4

what does the S in capital letter mean? (uncapitalized letter s means sticky, that I know) and what about the firt question mark in the same line above?

Last edited by phyrster; 05-28-2006 at 09:53 AM.
 
Old 05-28-2006, 10:02 AM   #4
vls
Member
 
Registered: Jan 2005
Location: The grassy knoll
Distribution: Slackware,Debian
Posts: 192

Rep: Reputation: 31
An exact reason, I don't know, sorry.

The ? means ls can't tell what kind of file it is because it's hosed.

Actually 't' means that the sticky bit has been set. 's' is the setuid or setgroupid bit. I can't find anything in the info manual indicating a capital S as a file permission bit.

Hope you get it sorted it out.
 
Old 05-29-2006, 07:38 AM   #5
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Talking

Hi phyrster,


[root@shakti]# ls -l
-rwSr-Sr-T 1 root root 0 May 29 18:06 y

S is for SUID and T is for sticky bit don't get afraid
they are not harmful as you might have thought

Try this and you will know why:-

touch y
ls -l y
chmod +t y
ls -l y
chmod +s y
ls -l y


Also check out some tutorials on chmod and chattr


Hope, this will help you
 
Old 05-29-2006, 08:20 AM   #6
phyrster
LQ Newbie
 
Registered: Jul 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks. The question is why there is a captilized S and uncapitalized s ?

any difference between them? Also what does the ? mean in the lines quoted in the first posting?
 
Old 05-31-2006, 08:26 AM   #7
linuxmanju
Member
 
Registered: Sep 2003
Location: India
Distribution: Debian
Posts: 50

Rep: Reputation: 15
Upper case S is SGID bit and lower case s is SUID.

Regards
Manjunath
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Strange file size and permissions in /usr/sbin phyrster Debian 2 05-28-2006 04:53 AM
/usr/sbin/update-gdkpixbuf-loaders: No such file or directory ulaoulao Linux - Software 0 10-17-2004 06:44 PM
Unable to run /usr/sbin/pppd. --> Check permissions [solved] flosch Linux - Networking 0 05-05-2004 09:08 AM
/usr/sbin and /sbin world read/executable... why? lazlow69 Slackware 3 04-29-2004 05:06 PM
permissions for /usr/sbin/pppd slacard Debian 4 11-29-2003 04:40 PM


All times are GMT -5. The time now is 01:09 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration