LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-26-2004, 03:27 PM   #1
sbogus
Member
 
Registered: May 2004
Location: Germany, Munich
Distribution: SuSE Pro Releases 7.3, 9.0, CentOS 4.0, Kubuntu 6.0x
Posts: 103

Rep: Reputation: 15
SKEL?! I found /etc/skel directory


Hi ya,
Today I found this very strange directory in my /etc one. The Samhain guard complains about a missing security policy for the path /etc/skel/bin

Code:
domain@home:~> ls -lha /etc/skel
total 104K
drwxr-xr-x    7 root     root         4,0K 2004-07-26 22:06 .
drwxr-xr-x   59 root     root         8,0K 2004-07-26 22:12 ..
-rw-------    1 root     root            0 1996-05-18 17:20 .bash_history
-rw-r--r--    1 root     root         1,3K 2002-07-30 12:33 .bashrc
drwxr-xr-x    2 root     root         4,0K 2003-09-02 12:00 bin
drwxr-xr-x    2 root     root         4,0K 2004-07-26 22:06 Documents
-rw-r--r--    1 root     root          208 1995-11-17 19:22 .dvipsrc
-rw-r--r--    1 root     root         1,6K 2002-01-25 14:37 .emacs
-rw-r--r--    1 root     root         1,1K 2000-02-28 22:05 .exrc
drwxr-xr-x    2 root     root         4,0K 2003-03-15 19:40 .fonts
-r--r--r--    1 root     root          16K 2003-10-03 00:46 .gnu-emacs
-rw-r--r--    1 root     root          164 1995-11-17 19:22 .kermrc
-rw-r--r--    1 root     root         6,1K 2003-09-17 22:15 .muttrc
-rw-r--r--    1 root     root          934 2002-07-17 13:42 .profile
drwxr-xr-x    2 root     root         4,0K 2004-05-15 08:49 public_html
-rw-r--r--    1 root     root          311 2000-07-07 14:55 .urlview
-rw-r--r--    1 root     root         7,8K 1995-11-30 17:48 .xcoralrc
drwxr-xr-x    2 root     root         4,0K 2004-07-26 22:07 .xemacs
-rw-r--r--    1 root     root         4,0K 2003-08-06 16:03 .xim.template
-rwxr-xr-x    1 root     root         3,0K 2003-04-12 23:25 .xinitrc.template
-rw-r--r--    1 root     root          119 1997-10-28 13:39 .xtalkrc
Anyone with ideas? I'm almost ready to wipe out my disks in order to avoid the risk of "being compromised". If anyone can say something about this find, I'll greatly appreciate it.

EDIT:
I ran chkrootkit from the SystemRescueCD service distro and it didn't find anything suspicious. Also the file times are identical if I see them from my running SuSE and from the SysRescCD. The .bash_history file has length zero, but the folder (/etc/skel) is accessed each time the box starts.
Also the Samhain logs do not contain anything suspicious except the complaint about a missing policy for /etc/skel/bin

Kind regards,
sbogus

Last edited by sbogus; 07-26-2004 at 03:32 PM.
 
Old 07-26-2004, 03:55 PM   #2
sbogus
Member
 
Registered: May 2004
Location: Germany, Munich
Distribution: SuSE Pro Releases 7.3, 9.0, CentOS 4.0, Kubuntu 6.0x
Posts: 103

Original Poster
Rep: Reputation: 15
Okay,
simply and probably (?!) a false alarm - since I'm such a total noob I missed the knowledge of useradd and the /etc/skel local user skeleton.
Also I gave an improper meaning to the record in the Samhain log - it is not a CRIT (complaint) but is just a simple INFO (notification).

Well, it is always good to learn something new.
Anyway, thanks for the attention and excuse me for the spam.

Kind regards,
sbogus
 
Old 07-27-2004, 10:10 AM   #3
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Just FYI: /etc/skel contains "skeleton" files that are used as the basis for login scripts and such.
 
Old 07-27-2004, 12:50 PM   #4
jrmann1999
Member
 
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30
To elaborate a bit more, the skel directory contains files that are copied to every *new* user's home directory when you add new users. It's a great place for sysadmins to put anything they want every new user to have. Whether they be scripts or ssh keys, or anything really.
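
Because everything in /etc/skel is copied into each newly created home directory, its ownership and permissions are worth checking alongside the file-integrity policy. The following is an added example, not part of the original thread: the function name `audit_skel`, its finding labels and the optional owner-UID argument are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a skeleton directory before useradd copies it into new homes.
# Usage: audit_skel [DIR] [OWNER_UID]   (defaults: /etc/skel, 0)
# Prints one finding per line. Exit status: 0 clean, 1 findings, 2 bad argument.
audit_skel() (
    dir=${1:-/etc/skel}
    uid=${2:-0}
    [ -d "$dir" ] || { echo "NOT_A_DIRECTORY $dir"; exit 2; }

    findings=$(
        # Entries not owned by the expected account can be changed without root,
        # and the change would land in every account created afterwards.
        find "$dir" ! -user "$uid" -print | sed 's/^/WRONG_OWNER /'

        # Group- or world-writable entries; symlinks are skipped because
        # their own mode bits carry no meaning.
        find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/WRITABLE /'

        # A public key placed here is authorized for every new account,
        # so its presence should be a deliberate, reviewed decision.
        find "$dir" -type f -name 'authorized_keys*' -print |
            sed 's/^/SHARED_SSH_KEY /'
    )

    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)
```

Run as `audit_skel` on the live system, or point it at a copy of the directory; the second argument exists only so the check can be exercised on a test tree not owned by root.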
 
  

