LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-30-2013, 10:37 AM   #1
bungeebones
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Rep: Reputation: Disabled
etc directory chmoded to 777?


I am running two EdUbuntu 12.04 and have them set up as LTSP servers in a small school. We were running only one until last week when, after its resources started being overtaxed, I built and installed the second. Both machines are 6 core amd with either 16 or 32 gb of ram.

I was having really weird network problems last week with the new one. Two pcs in the room would let authorized users login while the rest of the room wouldn't. And those boxes wouldn't let anyone log in even if the ethernet cable from the one letting people in was moved to another machine, as if only certain mac addresses were allowed in. I had to reinstall and got it working Friday.

So Friday I had two working servers, one old and one new. They were on separate ethernet lines out and separate switches and each ran separate parts of the school. One was on a 192.168.3.X address and the other was on a 192.168.0.X address. They were turned off early Friday evening. I started the old one Sunday and I was on it most of the day but not out in its network.

This morning, the old machine started to exhibit the exact same symptoms of the previous installation on the new one (i.e. a user could login on one pc in the room but not the others). The only common denominator was that this old server was now on the same ethernet cable as the earlier failed install.

I put a tester on the cable and it seemed fine. I ran a second, new line and put a laptop on it and it still acted the same. It seems to authenticate the user ok but then kicks them off and back to the login page. It acts like that is what is going on but can't tell for sure.

So I put the whole school on the same server (the new one). The affected machines were able to login without problem (so not a networking issue right?). I then started to copy students' home directory contents over to the new server manually with an SD card writer. The new server wouldn't let me do it and rejected me as sudo saying something grievous about the sudoers file. After some investigation I discovered the entire etc directory (including the sudoers file) had been chmodded to 777?

My question is in regards to out-of-the box linux security. Is there a security hole that would allow something like this to happen out of the box? I doubt if anyone got my password but there is another person with admin and sudo access.

Thanks if anyone can help me with this..

PS I have been backing up the old site with the Ubuntu backup program but never tried to restore anything with it before. Any pointers on using it would be appreciated also. Basically we just need the home folders.
 
Old 09-30-2013, 11:04 AM   #2
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
check /var/log/auth.log for sudo entries

something like

Code:
zgrep sudo /var/log/auth.log* | less
will also handle any gzipped logs ( .log.2.gz etc )
 
Old 09-30-2013, 11:32 AM   #3
bungeebones
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat
check /var/log/auth.log for sudo entries

something like

Code:
zgrep sudo /var/log/auth.log* | less
will also handle any gzipped logs ( .log.2.gz etc )
Thanks firerat,

The earliest entry today was at 10:45 which was about three hours after I booted it.

The first post is an odd notice that it was not able to execute sendmail - no such directory or folder. I didn't attempt to mail anything but maybe someone else did.

Right after it says sudoers is chmod 777, should be 440.

I failed to mention I use webmin and at the end of that line it says PWD=usr/share/webmin

Assuming it was a hack, could they have used a webmin vulnerability to get in?


I'm not concerned about salvaging it and will reinstall but I hope I can at least prevent a repeat occurrence.
 
Old 09-30-2013, 12:05 PM   #4
bungeebones
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
more from log file

I misread the file and there were earlier posts.

The first one involves a trusted student and it looks to me like he was playing around with sudo. If someone can please shed some light on this post :

sudo: pam-unix (sudo:auth) auth could not identify password for [student's name was here]

Then it had:
sudo: student's name here 3 incorrect password attempts TTY unknown PWD = home/student name; user: root COMMAND=/usr/share/profilemanager

Was sudo just reporting he failed his own login or was he trying to login as sudo?
 
Old 09-30-2013, 02:32 PM   #5
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
I don't think you have been 'hacked'
It would be a little dumb to
chmod 777 /etc -R

unless they just wanted to break it

sudo is a group account ( if it exists )

Code:
sudo: student's name here 3 incorrect password attempts TTY unknown PWD = home/student name; user: root COMMAND=/usr/share/profilemanager
they did

Code:
sudo profilemanager # or /usr/share/profilemanager
from their home dir, and failed to enter their own password three times

have to admit, I have no idea what /usr/share/profilemanager does
it might not even exist


if you give a student sudo, then restrict it to what they need ( which should be nothing )

anyway,

Code:
stat /etc/os-release
that will give you a date/time of the chmod 777
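Putting Firerat's two replies together (zgrep the sudo entries out of auth.log, then read them as "who ran what from where, and did the password succeed"), here is an added example that is not from the thread or from any poster. It is a small POSIX sh script that splits sudo's syslog lines on their " ; " separators and reports failed password attempts, commands that actually ran, and any command that rewrote ownership or permissions under /etc. The log lines are constructed for the example: the host name ltsp1, the users student and admin and the paths are made up, and the script assumes the standard sudo syslog layout ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...").

```shell
#!/bin/sh
# Added example (not from the thread): summarise sudo entries from auth.log-style
# input. Sample lines below are constructed; host, users and paths are made up.
SAMPLE_AUTH_LOG='Sep 30 07:40:03 ltsp1 sudo: pam_unix(sudo:auth): auth could not identify password for [student]
Sep 30 07:40:11 ltsp1 sudo:  student : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/student ; USER=root ; COMMAND=/usr/share/profilemanager
Sep 30 10:45:02 ltsp1 sudo: unable to execute /usr/sbin/sendmail: No such file or directory
Sep 30 10:45:02 ltsp1 sudo:    admin : TTY=pts/0 ; PWD=/usr/share/webmin ; USER=root ; COMMAND=/bin/chmod -R 777 /etc
Sep 30 10:46:30 ltsp1 sudo: /etc/sudoers is mode 0777, should be 0440'

# Failed password lines: "user : N incorrect password attempts ; TTY=... ; COMMAND=..."
# Prints "<user> <attempts> <command>". The user failed *their own* password;
# USER=root only says which account sudo would have switched to.
sudo_failed_attempts() {
    awk '
        /sudo:/ && /incorrect password attempt/ {
            split($0, a, " sudo: ")           # a[2] = everything after the sudo: tag
            n = split(a[2], f, " ; ")         # f[1] = "user : N incorrect ...", rest are KEY=VALUE
            split(f[1], head, " : ")
            user = head[1]; sub(/^ +/, "", user)
            split(head[2], w, " ")            # w[1] = attempt count
            cmd = ""
            for (i = 1; i <= n; i++) if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            print user, w[1], cmd
        }'
}

# Lines where sudo actually ran something: "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# Prints "<user> <pwd> <command>".
sudo_commands_run() {
    awk '
        /sudo:/ && / : TTY=/ && !/incorrect password/ {
            split($0, a, " sudo: ")
            n = split(a[2], f, " ; ")
            split(f[1], head, " : ")
            user = head[1]; sub(/^ +/, "", user)
            pwd = ""; cmd = ""
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^PWD=/) pwd = substr(f[i], 5)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            }
            print user, pwd, cmd
        }'
}

# Of the commands that ran, keep those that change mode/ownership and name /etc.
# $3 is the command binary; the rest of the line holds its arguments.
sudo_perm_changes_under_etc() {
    sudo_commands_run | awk '$3 ~ /(^|\/)(chmod|chown|chgrp|setfacl)$/ && / \/etc(\/|$| )/'
}

# Run all three reports over auth.log lines read from stdin.
sudo_log_report() {
    tmpf=$(mktemp) || return 1
    cat > "$tmpf"
    echo "== failed password attempts (user attempts command) =="
    sudo_failed_attempts < "$tmpf"
    echo "== commands that ran (user pwd command) =="
    sudo_commands_run < "$tmpf"
    echo "== mode/ownership changes under /etc =="
    sudo_perm_changes_under_etc < "$tmpf"
    rm -f "$tmpf"
}

# Demo on the constructed sample; on a real box feed it Firerat's zgrep instead.
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_log_report
```

On a real Ubuntu box the input would be `zgrep sudo /var/log/auth.log* | sudo_log_report`, which also reads the rotated .gz files. The "failed password attempts" section is the one the student's entry from post #4 lands in: three failures of the student's own password, no command run. The last section is the one worth reading first after an incident like this, because it shows the account, the working directory and the exact command behind any permission change that went through sudo.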
 
Old 10-01-2013, 12:11 PM   #6
bungeebones
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks, I didn't think that student would have tried to hack in but needed to make sure.

Anyway, I reinstalled last night and everything seems ok except I've got to do some customisation.

Thanks for the help
 
Old 10-01-2013, 02:58 PM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
save the /etc perms for future reference (could be scripted?)
Code:
sudo getfacl /etc/* -R > facl.in
restoring them seems to be like so:
Code:
sudo setfacl --restore=facl.in
from the setfacl man page:
Code:
 --restore=file
           Restore a permission backup created by ‘getfacl -R’ or similar. All
           permissions of a complete directory subtree are restored using this
           mechanism.  If the input contains owner comments or group comments,
           and setfacl is run by root, the owner and owning group of all files
           are  restored  as  well.  This  option  cannot  be mixed with other
           options except ‘--test’.
Warning: I've never used this process, so wait for someone else to chime in.


Good Luck!

Don't mind me, my post is a little "excessive" for a single /etc/sudoers file.
Sorry about that. Unless you enjoy shell exercises of this nature, then you're as sick as I am.

Have a Great Day!

Last edited by Habitual; 10-01-2013 at 03:11 PM.
 
Old 10-03-2013, 07:10 PM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
This is a bit of a long shot, but rpm based systems are able to reset perms/ownerships etc correctly from the rpmdb recs
http://www.cyberciti.biz/tips/reset-...ermission.html
It says there that this feature is not available to deb based systems .. HOWEVER, that's a very old page (' LAST UPDATED August 28, 2007'), so it's possible it may be available now.
imho it ought to be
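Habitual's post #7 records a permission baseline with getfacl so it can be put back with setfacl, and chrism01's post #8 points out that deb-based systems have no rpm --setperms to fall back on. The script below is an added example, not code from either poster or from Ubuntu, that does the same job with GNU find, stat, chmod and chown only (so it works without the acl package, and it deliberately covers mode, owner and group but not ACL entries). It records a baseline of a tree, reports every entry whose current mode/owner/group differs from the baseline, and restores the baseline. The demo function builds a throwaway tree under mktemp with a constructed stand-in for /etc/sudoers and replays the thread's failure, chmod -R 777 over the whole tree; the file name etc.perms is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): mode/owner/group baseline for a directory
# tree, drift detection against it, and restore. Assumes GNU findutils/coreutils.

# Baseline: one line per path, "<octal mode> <uid> <gid> <path>", sorted by path.
perm_baseline() {   # $1 = directory
    find "$1" -printf '%m %U %G %p\n' | LC_ALL=C sort -k4
}

# Drift: print current entries whose line differs from the baseline (changed or new).
# Compared by path via awk so paths with spaces and unsorted input are fine.
perm_drift() {   # $1 = directory, $2 = baseline file
    perm_baseline "$1" | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) {
                p = line; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p)   # strip "mode uid gid "
                want[p] = line
            }
        }
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); if (want[p] != $0) print }'
}

# Restore: apply the recorded mode (and, when root, owner:group) to each path.
perm_restore() {   # $1 = baseline file
    while read -r mode uid gid path; do
        [ -e "$path" ] || continue
        if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$path"; fi
        chmod "$mode" "$path"
    done < "$1"
}

# Demo: constructed tree, baseline, the thread's chmod -R 777, detect, restore.
# Prints "<drifted entries before restore> <after restore> <mode of sudoers after>".
perm_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/sudoers.d"
    printf 'root ALL=(ALL:ALL) ALL\n' > "$tmp/etc/sudoers"   # constructed stand-in
    : > "$tmp/etc/sudoers.d/README"
    chmod 755 "$tmp/etc" "$tmp/etc/sudoers.d"
    chmod 440 "$tmp/etc/sudoers"
    chmod 644 "$tmp/etc/sudoers.d/README"

    perm_baseline "$tmp/etc" > "$tmp/etc.perms"   # kept outside the tree it describes

    chmod -R 777 "$tmp/etc"                        # the failure mode from the thread

    before=$(perm_drift "$tmp/etc" "$tmp/etc.perms" | wc -l)
    perm_restore "$tmp/etc.perms"
    after=$(perm_drift "$tmp/etc" "$tmp/etc.perms" | wc -l)
    restored=$(stat -c '%a' "$tmp/etc/sudoers")

    rm -rf "$tmp"
    echo "$before $after $restored"
}

perm_demo
```

For a real /etc the baseline is taken while the box is known-good, as root, and stored somewhere outside /etc (for instance `sudo sh -c 'perm_baseline /etc > /root/etc.perms'`), then `perm_drift /etc /root/etc.perms` is cheap enough to run from cron and will list exactly the entries that changed; `stat -c '%z %n'` on one of them gives the ctime Firerat was after. Note that restoring only mode, owner and group is enough for the sudoers case in this thread, but if ACLs are in use Habitual's getfacl/setfacl pair is the one that preserves them.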
 