LinuxQuestions.org


keith2045 03-27-2012 12:10 PM

Can't userdel

I'm running RHEL 5.5 and I have locked it down using various hardening guides I have seen on the internet. I thought everything was working until now. I'm unable to delete local users; I can add users but can't delete any.

Code:

[root@hostname ~]# userdel test
userdel: unable to lock password file

I ran strace and got this:
Code:

open("/etc/passwd.4471", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)

So I tried:
Code:

[root@hostname ~]# touch /etc/test
[root@hostname ~]#
[root@hostname ~]# touch /etc/passwd.test
touch: cannot touch `/etc/passwd.test': Permission denied

I can't create any files under /etc/passwd.*. If I change it to passwdt.* anything works.

I've looked over the hardening stuff and can't find anything that I can think of that would have caused this.

Any suggestions? I've read several postings that say to delete .pwd.lock but that didn't work. I found a Red Hat bug where some had the same problem, but it was just closed without a resolution.

anomie 03-27-2012 12:31 PM

With respect, it's a bad idea to apply changes that you do not fully understand the implications of. Going piecemeal through guides on the 'net -- not always problematic, but it needs to be done with caution (and full regression testing on a proper test system).

That said, do you see any clues in /var/log/messages?

(The first thing that comes to mind in your situation is an SELinux policy problem.)

keith2045 03-27-2012 12:42 PM

SELinux is turned off and nothing comes up in the logs.

anomie 03-27-2012 01:01 PM

Next thing that comes to mind is extended attributes. Please post output from:
Code:

# lsattr -d /etc

# lsattr /etc/passwd*

(Use the square brackets on code tags, BTW.)

keith2045 03-27-2012 01:53 PM

Oops

Code:

[root@hostname ~]# lsattr -d /etc
----------I-- /etc
[root@hostname ~]# lsattr /etc/passwd*
------------- /etc/passwd
------------- /etc/passwd-


anomie 03-27-2012 01:59 PM

Not totally sure what to make of it at this point. A read-only filesystem is out of the question, since you can create /etc/passwdt.foo. (Right?)

So what does strace(1) report when you run:
Code:

# strace touch /etc/passwd.test
?

keith2045 03-27-2012 02:17 PM

Correct, anything other than passwd.* works fine. I can't copy and paste, but here are a few lines from
strace touch /etc/passwd.test

Code:

open("/etc/passwd.test", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = -1 EACCES (Permission denied)
write(2, "cannot touch `/etc/passwd.test'", 31) = 31
write(2, ": Permission denied", 19) = 19


keith2045 03-27-2012 02:34 PM

Resolved....

McAfee HIPs was causing this issue. Just need to figure out how to fix it...

Thanks for the help

anomie 03-27-2012 02:36 PM

Please confirm the obvious. (That you ran that test as root...)

If so, it's probably time for you to summarize the hardening steps you took. The symptoms you're describing don't quite make sense to me, so hopefully a list of what was changed will help identify the culprit.

---

edit: Just saw your last post. Not familiar with "McAfee HIPs". When you've got it sorted, consider posting your fix for the next person who is tinkering with that particular app and searches here.

keith2045 03-27-2012 03:26 PM

It's Host Intrusion Prevention, and it's pushed out via EPO. I don't think I'm going to try and change it; it's probably a good thing that it's preventing this.

So for anyone else, just turn it off:
Code:

sh /opt/McAfee/hip/hipts agent off

Make your changes and turn it back on
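
The test this thread converges on (a control name can be created, a passwd.* name is refused) can be scripted so it is repeatable after each hardening change. This is an added example, not code from any poster; the function names and probe file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Probe file names are constructed;
# the passwd.* vs passwdt.* pattern is the one reported in the thread.
# Usage (as root): sh <this-script> /etc

# try_create PATH: exclusive create via noclobber (comparable to the
# O_CREAT|O_EXCL open seen in the strace), then remove the file.
try_create() {
    if ( set -C; : > "$1" ) 2>/dev/null; then
        rm -f -- "$1"
        return 0
    fi
    return 1
}

# classify_dir DIR prints one verdict:
#   no-block        both probe names can be created
#   name-filtered   control name works, passwd.* name is refused
#   dir-unwritable  even the control name fails (mount, perms, chattr)
classify_dir() {
    control="$1/passwdt.probe.$$"
    target="$1/passwd.probe.$$"
    if ! try_create "$control"; then
        echo dir-unwritable
    elif try_create "$target"; then
        echo no-block
    else
        echo name-filtered
    fi
}

# report DIR: verdict plus the context asked for in the thread.
report() {
    verdict=$(classify_dir "$1")
    echo "uid=$(id -u) dir=$1 verdict=$verdict"
    if [ "$verdict" = name-filtered ]; then
        if command -v getenforce >/dev/null 2>&1; then
            echo "selinux: $(getenforce)"
        fi
        lsattr -d "$1" 2>/dev/null
        # Directory permissions, chattr flags and read-only mounts apply
        # to every name in DIR, so a per-name refusal points elsewhere.
        echo "check for a security agent or LSM enforcing a path rule"
    fi
}

if [ $# -gt 0 ]; then report "$1"; fi
```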


All times are GMT -5.