LinuxQuestions.org
Old 03-06-2009, 02:49 AM   #1
zectersys
LQ Newbie
 
Registered: Jan 2009
Location: jakarta
Distribution: mandriva2K9, Ubuntu 9.04, DSL
Posts: 25

Rep: Reputation: 15
security hole in mandy 2k9?


Hi guys, I've had a "weird" experience with my mandy 2k9. A few days ago I downloaded wine for mandy 2k9. I placed it in my home directory, and eventually I double-clicked my wine file in user mode. MDV asked whether it should be installed or just saved. I answered install, and mandy installed it for me.

I looked in my home directory, expecting some wine files to be there, but I found nothing. I brought up konsole and typed "whereis wine", and the answer quite shocked me: wine is installed in the /usr directory! I wasn't even using my root account when I installed it. But why did wine have access to my /usr directory without even asking me for a root/su password? Is there a possibility that this is a security hole in mandy 2k9?

Btw, I've used this method before in mandy 2k8 and even in mandy 10; both asked for my root/su pass before installing the s/w.
 
Old 03-06-2009, 03:00 AM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 6, KDE Neon
Posts: 4,313

Rep: Reputation: 212
Why didn't you install wine from the repositories? I don't know where you downloaded wine from, there's a reason why files are digitally signed in the repositories. Why did you continue to install when no root password was requested?
 
Old 03-06-2009, 06:06 AM   #3
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Please output the result of the following commands:

cd /
ls -l | grep usr

Let's check that there isn't write access for other on /usr first.

Last edited by r3sistance; 03-06-2009 at 06:10 AM.
 
Old 03-06-2009, 10:14 AM   #4
zectersys
LQ Newbie
 
Registered: Jan 2009
Location: jakarta
Distribution: mandriva2K9, Ubuntu 9.04, DSL
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Why didn't you install wine from the repositories? I don't know where you downloaded wine from, there's a reason why files are digitally signed in the repositories. Why did you continue to install when no root password was requested?
I'm just curious, coz I've done this before (I installed some game, if I'm not mistaken) and the installer installed the program in my home directory. I think this program behaves the same way as my previous programs.
 
Old 03-06-2009, 10:19 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
If ls -ld /usr shows anything other than drwxr-xr-x ... with particular attention to the six characters in bold-face, then you have a very serious security exposure here.

You should not be able to successfully issue the (harmless...) command touch /usr/fubar. The command should not succeed in creating a file named fubar in that directory (which, btw, is the only thing it attempts to do, and if it does, simply remove the file).

The complete output from this ls -l command on my system consists of the following, and for your edification I will explain it:
drwxr-xr-x 15 root root 464 Sep 6 2007 /usr
  • The leftmost d indicates that this is a directory.
  • The part of the string is a group of three 3-character groups, corresponding to owner, group-members, and others. It indicates that the owner has full-permission ("read, write, execute"); but others cannot "write."
  • The next two words indicate that root is the owner, and that the associated group (for permission-purposes) is also coincidentally named root. (You may also see numbers here instead of names, if a name associated with a particular number cannot be found.)
  • The remaining items are: the number of entries, the last modification date, and the name itself.

See also: man ls
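
The check described in the post above, as an added example that is not part of the original thread: a POSIX shell function that reads the `ls -ld` mode string and owner field and reports the conditions the post warns about. The function name `check_dir` and its optional expected-owner argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): read `ls -ld` the way post #5 does.
# Usage: check_dir DIR [EXPECTED_OWNER]   (EXPECTED_OWNER defaults to root)
# Returns 0 if DIR is clean, 1 if a finding was printed, 2 if DIR is unusable.
check_dir() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    # -L follows a symlink so the target directory's own mode is examined.
    line=$(ls -ldL -- "$dir") || return 2

    # Field 1 is the mode string (e.g. drwxr-xr-x), field 3 the owner name.
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')

    # Character 6 is the group write bit, 9 the others write bit, and 10 the
    # others execute slot, which shows t or T when the sticky bit is set.
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    other_x=$(printf '%s' "$mode" | cut -c10)

    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, expected $want_owner ($mode)"
        rc=1
    fi
    if [ "$group_w" = "w" ]; then
        echo "$dir: group-writable ($mode)"
        rc=1
    fi
    if [ "$other_w" = "w" ]; then
        case $other_x in
            t|T) echo "$dir: world-writable with sticky bit ($mode)" ;;
            *)   echo "$dir: world-writable ($mode)" ;;
        esac
        rc=1
    fi
    return $rc
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_dir "$@"
fi
```

Saved as a script (the file name is up to you), it can be run as `sh check_dir.sh /usr`; a clean result only says the directory is not writable by group or others right now, not how a file came to be installed there.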
 
Old 03-18-2009, 10:03 AM   #6
zectersys
LQ Newbie
 
Registered: Jan 2009
Location: jakarta
Distribution: mandriva2K9, Ubuntu 9.04, DSL
Posts: 25

Original Poster
Rep: Reputation: 15
Thx for all your posts, bro. I've double-checked the security on my mandy as sundialsvcs and r3sistance suggested, and looking at my looong root log, I found some strange activity in there. Someone broke into my root account using my root pass. Wew, I can't believe someone broke into my root account using my pass note that I had thrown in the garbage (even though I'd shredded it in a paper shredder).

Thx for the answers, bro. I'm sorry it took so long for me to answer this post, coz I took a vacation for a couple of weeks. THX BRO..
 
Old 03-18-2009, 12:18 PM   #7
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
If it's a local login, that's possible, they could also have done a password reset too. If it isn't local access then it's quite possibly a root kit. Either way your safest bet might just have to be to reinstall the system.
 
  


All times are GMT -5. The time now is 03:26 PM.
