Unix administration - filesystem permissions change by themselves...

Author

filesystem permissions change by themselves...

Rachael

2004-07-22, 8:48 pm

permissions on my /opt filesystem are changing daily, seeming by
themselves.

i.e.

I tried to run a scipt and noticed that the permissions on /opt had
changed to 766, i.e.

drwxrw-rw- 40 root unicentr 1024 Jul 13 11:40 opt

where they had previously always been 755.

Checked that there was nothing in cron that could be causing this to
happen -- found nothing.

At the moment I've had to schedule a cron job to reset the permissions
each night, but have no idea what could be causing them to be changed.

Any ideas??

Rachael

Chris F.A. Johnson

2004-07-22, 8:48 pm

On 2004-07-23, Rachael wrote:
> permissions on my /opt filesystem are changing daily, seeming by
> themselves.
>
> i.e.
>
> I tried to run a scipt and noticed that the permissions on /opt had
> changed to 766, i.e.
>
> drwxrw-rw- 40 root unicentr 1024 Jul 13 11:40 opt
>
> where they had previously always been 755.
>
> Checked that there was nothing in cron that could be causing this to
> happen -- found nothing.
>
> At the moment I've had to schedule a cron job to reset the permissions
> each night, but have no idea what could be causing them to be changed.
>
> Any ideas??

Your OS's security system is probably doing it. Have you changed
the security level recently?

--
Chris F.A. Johnson http://cfaj.freeshell.org/shell
========================================
===========================
My code (if any) in this post is copyright 2004, Chris F.A. Johnson
and may be copied under the terms of the GNU General Public License

Doug Freyburger

2004-07-23, 5:53 pm

Rachael wrote:
>
> permissions on my /opt filesystem are changing daily, seeming by
> themselves.
>
> drwxrw-rw- 40 root unicentr 1024 Jul 13 11:40 opt
> where they had previously always been 755.

Turning off search and turning on ability for anyone to create
and delete files under /opt is extremely bad. Any chance you
have been root-kitted? Get a fresh copy of the checksum
program and run it to see if common binaries have been changed.

> Checked that there was nothing in cron that could be causing this to
> happen -- found nothing.

Check root's /.sh_history for any chmod calls especially ones
with -r. Ask around with the rest of the staff as someone
could be doing it deliberately not knowing how wrong it is.

Log the modify time of /opt each day for several days. Use
"ls -ldc /opt" as well as "ls -ld /opt" to find any chmod's
as well as any time some file is created/renamed/deleted
under /opt. If it is changed as the same time then it's a
cron job that needs *much* closer inspection or a daemon
imitating a cron job.

Rachael

2004-07-29, 5:55 pm

dfreybur@yahoo.com (Doug Freyburger) wrote in message news:<7960d3ee.0407230622.370e4775@posting.google.com>...

> Log the modify time of /opt each day for several days. Use
> "ls -ldc /opt" as well as "ls -ld /opt" to find any chmod's
> as well as any time some file is created/renamed/deleted
> under /opt. If it is changed as the same time then it's a
> cron job that needs *much* closer inspection or a daemon
> imitating a cron job.

---> Well, thats another thing, the modify date of /opt does not
change, but the permissions on the directory do..I will check out the
other things that have been mentioned, thanks!

Doug Freyburger

2004-07-30, 5:52 pm

Rachael wrote:
> Doug Freyburger wrote:
>
>
> ---> Well, thats another thing, the modify date of /opt does not
> change, but the permissions on the directory do..I will check out the
> other things that have been mentioned, thanks!

Modify time and change time mean two different things. So
"ls -ldc" not "ls -ldm". chmod causes ctime to be updated
not mtime. To change mtime create/delete/rename a file in
/opt. To change ctime run chmod/chown/chgrp on /opt itself.