On Thu, Feb 5, 2015 at 4:19 PM, Keith Keller <kkeller at wombat.san-francisco.ca.us> wrote:
>
>> On C5 the default appears to be:-
>>
>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
> It is much more likely that someone has screwed up your system. I think
> even CentOS 4 had shadow as 400. And what on earth would the point be
> in having a world-readable shadow file?!? The whole point of having a
> shadow file is to keep password hashes out of /etc/passwd so that people
> can't read it. It would be nonsensical to then make the shadow file
> readable.

Yes, /etc/shadow would have always been readable only by root by
default. The interesting question here is whether an intruder did
it, clumsily leaving evidence behind, or whether it is just a local
change from following some bad advice about things that need to be
changed - or running some script to make those changes. The latter
seems more likely to me.

--
Les Mikesell
lesmikesell at gmail.com
On Thu, February 5, 2015 4:29 pm, Les Mikesell wrote:
> On Thu, Feb 5, 2015 at 4:19 PM, Keith Keller
> <kkeller at wombat.san-francisco.ca.us> wrote:
>
>>> On C5 the default appears to be:-
>>>
>>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>>
>> It is much more likely that someone has screwed up your system. I think
>> even CentOS 4 had shadow as 400. And what on earth would the point be
>> in having a world-readable shadow file?!? The whole point of having a
>> shadow file is to keep password hashes out of /etc/passwd so that people
>> can't read it. It would be nonsensical to then make the shadow file
>> readable.
>
> Yes, /etc/shadow would have always been readable only by root by
> default. The interesting question here is whether an intruder did
> it, clumsily leaving evidence behind, or whether it is just a local
> change from following some bad advice about things that need to be
> changed - or running some script to make those changes. The latter
> seems more likely to me.
>

Be it me, I would consider box compromised. All done on/from that box
since probable day it happened compromised as well. If there is no way to
establish the day, then since that system originally built. With full-blown
sweeping up the consequences. Finding really-really-really convincing proof
it is not a result of compromise (and yes, fight one's wishful thinking!).
But again, it's your money in your bank (and/or whatever else could get
into jeopardy).

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>>
>> Yes, /etc/shadow would have always been readable only by root by
>> default. The interesting question here is whether an intruder did
>> it, clumsily leaving evidence behind, or whether it is just a local
>> change from following some bad advice about things that need to be
>> changed - or running some script to make those changes. The latter
>> seems more likely to me.
>>
>
> Be it me, I would consider box compromised. All done on/from that box
> since probable day it happened compromised as well. If there is no way to
> establish the day, then since that system originally built. With full-blown
> sweeping up the consequences. Finding really-really-really convincing proof
> it is not a result of compromise (and yes, fight one's wishful thinking!).

You aren't being paranoid enough. If it happened as a result of
following some instructions or running a script, it's not just the box
that is compromised, it is everything you think you know. On the other
hand it could have just been an accidental typo.

--
Les Mikesell
lesmikesell at gmail.com
On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>>>>
>>>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
> Be it me, I would consider box compromised. All done on/from that box
> since probable day it happened compromised as well. If there is no way to
> establish the day, then since that system originally built. With full-blown
> sweeping up the consequences. Finding really-really-really convincing proof
> it is not a result of compromise (and yes, fight one's wishful thinking!).

Logically?

1. To change the permissions on shadow from -rw-x------ or from ---------- to -rw-r--r-- requires root permissions?

2. If so, then what is the advantage of changing those permissions when the entity possessing root authority can already read shadow - that entity requires neither group nor user permissions to read shadow.

--
Regards,
Paul.
England, EU. Je suis Charlie.
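A defensive check along the lines the thread argues for, written as an added example (not code from the list or from CentOS): it flags an /etc/shadow whose mode or ownership would let anyone but root read it, accepts both the `ls -l` form quoted above and `stat -c %a` output, and verifies that /etc/passwd still carries only the `x` placeholder that the shadow file exists to allow. Function names and sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread; function names are constructed.

# shadow_mode_ok MODE OWNER GROUP
#   MODE is octal as printed by `stat -c %a` ("644", "400", "0"). Succeeds only
#   for a root-owned file with no group/other bits; the one exception is
#   group-read for a group literally named "shadow" (Debian-style 0640).
shadow_mode_ok() {
    mode=$1 owner=$2 group=$3
    [ "$owner" = "root" ] || return 1
    m=$(printf '%s' "$mode" | sed 's/^0*//')      # "0644" -> "644", "0" -> ""
    while [ ${#m} -lt 3 ]; do m="0$m"; done        # "" -> "000", "44" -> "044"
    go=${m#"${m%??}"}                               # last two digits: group, other
    case $go in
        00) return 0 ;;
        40) [ "$group" = "shadow" ] && return 0 ;;
    esac
    return 1
}

# shadow_ls_ok "LS_LINE"
#   Same check against an `ls -l` line, e.g. the one quoted in the thread.
shadow_ls_ok() {
    set -- $1                                       # split the line on whitespace
    perm=$1 owner=$3 group=$4
    [ "$owner" = "root" ] || return 1
    go=${perm#????}                                 # drop type char and user bits
    go=${go%[.+]}                                   # drop SELinux/ACL marker
    case $go in
        ------) return 0 ;;
        r-----) [ "$group" = "shadow" ] && return 0 ;;
    esac
    return 1
}

# passwd_hashes_ok FILE
#   shadow exists to keep hashes out of passwd: flag any entry whose password
#   field is not the "x" placeholder. Prints offending user names, exits 1.
passwd_hashes_ok() {
    awk -F: '$2 != "x" { print $1; bad = 1 } END { exit bad }' "$1"
}

# Live run on this host (GNU stat): sh check_shadow.sh --live
check_live() {
    set -- $(stat -c '%a %U %G' /etc/shadow)
    shadow_mode_ok "$1" "$2" "$3" && echo "/etc/shadow: mode $1 $2:$3 ok" \
        || echo "/etc/shadow: mode $1 $2:$3 is readable beyond root"
    passwd_hashes_ok /etc/passwd && echo "/etc/passwd: no hashes present"
}
if [ "${1-}" = "--live" ]; then check_live; fi
```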