accidently changed root privileges

GhostCow · 09-01-2007, 03:25 AM

hello ive been messing around with my linux and by accident i did this:
chmod -R 777 /*
now im getting errors like
"cant set gid" "cant set uid" or something, which are preventing me from switching to root, or using "sudo".
i'm running ubuntu 7.04
how do i undo this mess?

pixellany · 09-01-2007, 07:28 AM

You gave everybody full read/write/execute privileges on every file and directory in the system. I'd say the easy fix would be to re-install the OS.

b0uncer · 09-01-2007, 08:52 AM

There's no "undo" function for that. You should be aware of running recursive commands like that, especially on the root of the filesystem. Usually user permissions would prevent you from doing things like that (for other files than those you own), but seems like you ran the command with higher privileges; maybe with sudo. Anyway, it can't be just undone, you have two choices: either review a working system, see what the permissions should be per each file you changed and use chmod to change the permissions back (takes a veeeeeeeeeeeery long time, or even longer) OR reinstall the thing. In the latter case, take a backup of your /home/username homedirectory, install the OS again (overwriting the existing installation) and put the backup back. Then make sure your _own_ files' permissions in your homedirectory are set up correctly, by running chmod recursively on your _own_ home directory (to take away the 7-rights from other users than you to your files).

This is why root account usage is dangerous, if it's "just done" and not thought about twice

GhostCow · 09-01-2007, 08:57 AM

hehe i noticed later that there is a very clear flag to prevent this...
my system is broken anyhow so a reinstall would be fine...
thanks anyway guys :P

jschiwal · 09-01-2007, 09:05 AM

Check if your package system has the equivalent of rpm's --setperms and --setugids options. You may be able to fix the permission problems that way. Start with the package that supplies the filesystem. It might be called base or filesystem, however I'm not familiar with Ubuntu to say. In the future, leave things outside your home directory alone. Making system directories world writable is very dangerous. When windows did it with the C: drive viruses could spread like wildfire.

GhostCow · 09-01-2007, 09:28 AM

what permissions should i give my base apps?

edit: i read online that debian based systems dont have that option in the package manager.. shame... any other suggestions?

pixellany · 09-01-2007, 09:37 AM

Quote:

Originally Posted by GhostCow

what permissions should i give my base apps?

Unless you have a good reason, leave all the permissions they way they are setup at installation.

More generic answer: Set the permissions according to how your system is going to be used. Only you know who should have permission to do what. With applications (base or otherwise), the execute permission is the important one. Do you have users that you don't want to have access to certain applications? ...Do you want to be forced to su to root in order to mount something?

jschiwal · 09-01-2007, 09:45 AM

If you mount an external drive, for storage, you might want to make yourself the owner and group owner of the drive and use 770 permissions on all of the directories. If you are setting up a directory to share on the network, and it is globally writable, the set the sticky bit on the directory. The ownership's and permissions on system directories should stay the way the system sets them up. Usually the owner and group owner is root. Files like /etc/passwd need to be read by programs running as a user, while other files may be private to root or owned by a system users such as mysql.

For some services, like sshd, you will want to make some changes to the configuration files to make the service more secure. Mysql comes with a large manual, and there is a chapter on securing it.

GhostCow · 09-01-2007, 11:00 AM

ok i understand the security issues, but i have a problem - i cant run sudo or su at all!
why is that?
how can i fix that?
i will deal with the security later, i need a root shell right now though...

pixellany · 09-01-2007, 11:40 AM

Quote:

Originally Posted by GhostCow

ok i understand the security issues, but i have a problem - i cant run sudo or su at all!
why is that?
how can i fix that?
i will deal with the security later, i need a root shell right now though...

Based on the earlier description, I suggested re-installing. If you don't want to do that, you can maybe recover control by booting into single-user mode, or by editing the /etc/passwd file.

single-user mode:
reboot, and then stop the grub countdown with the tab key. Get into edit mode and enter "single" at the end of the kernel line. then boot.

edit passwd:
boot from live CD (eg you install CD) and mount the partition where / is mounted. Edit the /etc/passwd file to remove the first "x" in the entry for <username>. reboot and you should be able to log in without a password.
You can also do this to the root entry to enable root login, but it probably will still not allow root to log in to the GUI.

jschiwal · 09-01-2007, 12:23 PM

If you don't want to reinstall or can't or can't restore from a backup, this list from my system might help you get started fixing the permissions. You will probably need to boot up with a rescue disk at first.

Code:

jschiwal@hpamd64:~> find / -maxdepth 2 -type d -perm 0755 >dirpermlist
find: /lost+found: Permission denied
find: /root: Permission denied
jschiwal@hpamd64:~> cat dirpermlist
/
/dev
/dev/mapper
/dev/bus
/dev/snd
/dev/.udev
/dev/net
/dev/disk
/dev/input
/dev/pts
/mnt
/mnt/grafpup
/mnt/cr256
/mnt/hpmedia
/mnt/delllap
/mnt/cdrom
/mnt/enc
/mtpoint
/sbin
/sbin/conf.d
/sys
/sys/module
/sys/block
/sys/kernel
/sys/power
/sys/firmware
/sys/class
/sys/bus
/sys/devices
/sys/fs
/home
/home/gues
/boot
/boot/grub
/lib
/lib/mkinitrd
/lib/udev
/lib/security
/lib/modules
/lib/lsb
/lib/firmware
/lib/YaST
/lib/apparmor
/etc
/etc/mono
/etc/mms
/etc/xen
/etc/skel
/etc/rpmlint
/etc/named.d
/etc/gconf
/etc/modprobe.d
/etc/lsb-release.d
/etc/syslog-ng
/etc/ssh
/etc/chipcard3
/etc/htdig
/etc/zmd
/etc/mplayer
/etc/java
/etc/postfix
/etc/avahi
/etc/cron.monthly
/etc/udev
/etc/dev.d
/etc/gpm
/etc/sane.d
/etc/NetworkManager
/etc/bonobo-activation
/etc/init.d
/etc/xinetd.d
/etc/kde4
/etc/pm
/etc/pwdutils
/etc/xml
/etc/bluetooth
/etc/ttf2pk
/etc/aliases.d
/etc/resmgr.conf.d
/etc/pam.d
/etc/racoon
/etc/powertweak
/etc/ivman
/etc/security
/etc/unixODBC
/etc/mail
/etc/preload.d
/etc/apparmor.d
/etc/bash_completion.d
/etc/pcmcia
/etc/joe
/etc/gre.d
/etc/susehelp.d
/etc/sysconfig
/etc/permissions.d
/etc/samba
/etc/bootsplash
/etc/SuSEconfig
/etc/xstroke
/etc/hal
/etc/ifplugd
/etc/PolicyKit
/etc/cron.weekly
/etc/ld.so.conf.d
/etc/ndiswrapper
/etc/foomatic
/etc/beagle
/etc/iproute2
/etc/pptp.d
/etc/openldap
/etc/texmf
/etc/hp
/etc/default
/etc/YaST2
/etc/cron.hourly
/etc/sgml
/etc/sasl2
/etc/ghostscript
/etc/fonts
/etc/opt
/etc/.java
/etc/acpi
/etc/RCS
/etc/alsa.d
/etc/enlightenment
/etc/apache2
/etc/lvm
/etc/logrotate.d
/etc/cron.daily
/etc/cron.d
/etc/snmp
/etc/gxine
/etc/ntop
/etc/rpm
/etc/xdg
/etc/dbus-1
/etc/slp.reg.d
/etc/ssl
/etc/xscreensaver
/etc/alternatives
/etc/apparmor
/etc/profile.d
/etc/reader.conf.d
/etc/X11
/var
/var/adm
/var/X11R6
/var/cache
/var/lib
/var/log
/var/opt
/var/spool
/var/yp
/var/run
/media
/media/xmms_audio_cd
/usr
/usr/java
/usr/src
/usr/sbin
/usr/include
/usr/X11R6
/usr/local
/usr/games
/usr/lib
/usr/man
/usr/share
/usr/x86_64-suse-linux
/usr/lib64
/usr/bin
/opt
/opt/gnome
/opt/kde3
/lib64
/lib64/evms
/lib64/security
/lib64/ast
/srv
/srv/www
/srv/ftp
/bin

Your failure to use sudo may be to to resetting the suid bit:

Code:

find /bin /usr/bin /sbin/ /usr/sbin/ -perm -4000
/bin/umount
/bin/su
/bin/ping
/bin/mount
/bin/eject
/bin/ping6
/usr/bin/ncpmount
/usr/bin/newgrp
/usr/bin/ncpumount
/usr/bin/ncplogin
/usr/bin/ncpmap
/usr/bin/fusermount
/usr/bin/enlightenment_sys
/usr/bin/chfn
/usr/bin/v4l-conf
/usr/bin/expiry
/usr/bin/fileshareset
/usr/bin/chage
/usr/bin/Xorg
/usr/bin/passwd
/usr/bin/nwsfind
/usr/bin/man
/usr/bin/at
/usr/bin/crontab
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mandb
/usr/bin/lppasswd
/usr/bin/sudo
/sbin/pccardctl
/usr/sbin/zypp-checkpatches-wrapper
/usr/sbin/suexec2
/usr/sbin/mtr
/usr/sbin/mgnokiidev

GhostCow · 09-02-2007, 03:06 AM

hey guys just to make myself perfectly clear:
i backed up ALL my data before i started joshing around with my system.
this whole shindig is for educational purposes only!
right now im learning linux by trial and error, and i wanted to know why i get setuid and setgid errors after i changed the root dir permissions.

Quote:

Your failure to use sudo may be to to resetting the suid bit:

ill google this later thanks alot!

GhostCow · 09-05-2007, 05:49 AM

update: thanks for the tips, i managed to fix su and sudo, by resetting the sid and gid bit for /usr/bin/sudo and setting the gid bit for /bin/su, all through single user mode boot.

so thanks guys!