The right command the check on all the user and their permission?

newbie14 · 04-04-2012, 03:31 AM

Dear All,
We have centos 6 server and would like to know which is the right command which tells us the all the relevant user and their permission?

jhwilliams · 04-04-2012, 03:54 AM

To display status of all users:

Code:

sudo passwd -a -S

To show a list of "real" (non-system) users and their group memberships:

Code:

awk -F\: '{ if ($3 >= 1000 && $3 < 65534) print $1 }' /etc/passwd | xargs groups

Otherwise, users themselves don't have permissions, files have permissions, which map to the users and groups.

newbie14 · 04-04-2012, 09:41 AM

Dear William,
I tried this. Can via the second list of user people hack into our system?

Quote:

sudo passwd -a -S
passwd: bad argument -a: unknown option

This one provides some results.

Quote:

awk -F\: '{ if ($3 >= 1000 && $3 < 65534) print $1 }' /etc/passwd | xargs groups
root bin daemon sys adm disk wheel

chrism01 · 04-04-2012, 07:53 PM

It's not entirely clear what you are trying to achieve, but I believe that if you just read the contents of /etc/passwd & /etc/group, that will give you the info you seek.

newbie14 · 04-04-2012, 08:00 PM

Dear Chrism,
Below is the group. What I am trying to achieve is to look is there any zombie user or group created by external attacks.

Code:

kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:22:
utempter:x:35:
rpc:x:32:
usbmuxd:x:113:
avahi-autoipd:x:170:
desktop_admin_r:x:499:
desktop_user_r:x:498:
floppy:x:19:
vcsa:x:69:
ctapiusers:x:497:
rtkit:x:496:
abrt:x:173:
pegasus:x:65:
cimsrvr:x:500:
cdrom:x:11:
tape:x:33:
dialout:x:18:
apache:x:48:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
qpidd:x:495:
haldaemon:x:68:haldaemon
ntp:x:38:
mysql:x:27:
avahi:x:70:
rpcuser:x:29:
nfsnobody:x:65534:
pulse:x:494:
pulse-access:x:493:
stapdev:x:492:
stapusr:x:491:
fuse:x:490:
gdm:x:42:
tomcat:x:91:
stap-server:x:155:
webalizer:x:67:
sshd:x:74:
cgred:x:489:
dovecot:x:97:
dovenull:x:488:
sfcb:x:487:root
tcpdump:x:72:
oprofile:x:16:
slocate:x:21:

Below is the passwd.

Code:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
cimsrvr:x:498:500:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
qpidd:x:496:495:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:495:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:494:488:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin

chrism01 · 04-04-2012, 08:16 PM

Quote:

What I am trying to achieve is to look is there any zombie user or group created by external attacks.

To do that you need to know what should be there; that's the admin's job.
You can't (usually) just point to a random entry and say that's definitely 'bad' just by the name alone.
What you should have is backups going back some time; extracting the same files and looking for changes may give some hints, but ultimately the admin needs to know (ie keep track of) what has been installed, inc users.
There's no easy answer...

See also the Security forum here and the rkhunter, chkrootkit tools etc .

newbie14 · 04-04-2012, 08:34 PM

Dear Chrism,
Ok thank you I should post in the security forum then.

chrism01 · 04-05-2012, 12:38 AM

Rather than duplicate, use the Report button to ask the Mods to move this over