LinuxQuestions.org


newbie14 04-04-2012 03:31 AM

The right command to check on all the users and their permissions?
 
Dear All,
We have a CentOS 6 server and would like to know which is the right command that tells us all the relevant users and their permissions?

jhwilliams 04-04-2012 03:54 AM

To display status of all users:

Code:

sudo passwd -a -S

To show a list of "real" (non-system) users and their group memberships:

Code:

awk -F\: '{ if ($3 >= 1000 && $3 < 65534) print $1 }' /etc/passwd | xargs groups

Otherwise, users themselves don't have permissions, files have permissions, which map to the users and groups.

newbie14 04-04-2012 09:41 AM

Dear William,
I tried this. Can people hack into our system via the second list of users?


Quote:

sudo passwd -a -S
passwd: bad argument -a: unknown option

This one provides some results.


Quote:

awk -F\: '{ if ($3 >= 1000 && $3 < 65534) print $1 }' /etc/passwd | xargs groups
root bin daemon sys adm disk wheel

chrism01 04-04-2012 07:53 PM

It's not entirely clear what you are trying to achieve, but I believe that if you just read the contents of /etc/passwd & /etc/group, that will give you the info you seek.

newbie14 04-04-2012 08:00 PM

Dear Chrism,
Below is the group. What I am trying to achieve is to check whether there is any zombie user or group created by external attacks.

Code:

kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:22:
utempter:x:35:
rpc:x:32:
usbmuxd:x:113:
avahi-autoipd:x:170:
desktop_admin_r:x:499:
desktop_user_r:x:498:
floppy:x:19:
vcsa:x:69:
ctapiusers:x:497:
rtkit:x:496:
abrt:x:173:
pegasus:x:65:
cimsrvr:x:500:
cdrom:x:11:
tape:x:33:
dialout:x:18:
apache:x:48:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
qpidd:x:495:
haldaemon:x:68:haldaemon
ntp:x:38:
mysql:x:27:
avahi:x:70:
rpcuser:x:29:
nfsnobody:x:65534:
pulse:x:494:
pulse-access:x:493:
stapdev:x:492:
stapusr:x:491:
fuse:x:490:
gdm:x:42:
tomcat:x:91:
stap-server:x:155:
webalizer:x:67:
sshd:x:74:
cgred:x:489:
dovecot:x:97:
dovenull:x:488:
sfcb:x:487:root
tcpdump:x:72:
oprofile:x:16:
slocate:x:21:

Below is the passwd.

Code:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
cimsrvr:x:498:500:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
qpidd:x:496:495:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:495:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:494:488:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin


chrism01 04-04-2012 08:16 PM

Quote:

What I am trying to achieve is to check whether there is any zombie user or group created by external attacks.

To do that you need to know what should be there; that's the admin's job.
You can't (usually) just point to a random entry and say that's definitely 'bad' just by the name alone.
What you should have is backups going back some time; extracting the same files and looking for changes may give some hints, but ultimately the admin needs to know (i.e. keep track of) what has been installed, incl. users.
There's no easy answer...

See also the Security forum here and the rkhunter, chkrootkit tools etc.
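
The baseline comparison suggested in the post above, sketched as an added example that is not part of the original thread: it reports accounts that are new or altered relative to a known-good copy of the passwd file, plus every UID 0 and login-capable account. The file names and sample entries (including the account `svc-example`) are constructed for illustration; in practice the baseline would be a copy of /etc/passwd restored from backup.

```shell
#!/bin/sh
# Added example: audit a passwd file against a known-good baseline copy.
# Paths and sample entries are constructed; "svc-example" is a made-up name.

# Accounts in CURRENT that are absent from BASELINE.
new_accounts() {        # usage: new_accounts BASELINE CURRENT
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             !($1 in known) { print $1 }' "$1" "$2"
}

# Accounts whose UID, GID, home or shell differ from the baseline.
changed_accounts() {    # usage: changed_accounts BASELINE CURRENT
    awk -F: '{ key = $3 ":" $4 ":" $6 ":" $7 }
             FILENAME == ARGV[1] { rec[$1] = key; next }
             ($1 in rec) && rec[$1] != key { print $1 }' "$1" "$2"
}

# Every account with UID 0; anything besides root needs an explanation.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Accounts whose shell field permits an interactive login.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|shutdown|halt)$/ { print $1 }' "$1"
}

demo=$(mktemp -d)       # constructed sample data, not from a real host
cat > "$demo/baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
cat > "$demo/current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
svc-example:x:0:0::/tmp:/bin/bash
EOF

echo "new:     $(new_accounts "$demo/baseline" "$demo/current" | xargs)"
echo "changed: $(changed_accounts "$demo/baseline" "$demo/current" | xargs)"
echo "uid 0:   $(uid0_accounts "$demo/current" | xargs)"
echo "login:   $(login_shell_accounts "$demo/current" | xargs)"
```

`new_accounts` also works unchanged on a pair of /etc/group copies, since the group name is field 1 there as well.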

newbie14 04-04-2012 08:34 PM

Dear Chrism,
OK, thank you. I should post in the security forum then.

chrism01 04-05-2012 12:38 AM

Rather than duplicate, use the Report button to ask the Mods to move this over.


All times are GMT -5.