Security Basics mailing list archives
RE: Group permissions changed
From: abc 123 <sf_submit () yahoo com>
Date: Thu, 29 Sep 2005 06:02:24 -0700 (PDT)
Hi, thanks for your response.

Yes, I'm on Debian and it appears to allow invalid groups. My problem is that no one else (with the exception of the hosting company - I'm not sure about them) has root access to the server, and I hadn't done anything to make the group UIDs change. I don't SSH in often, only to check logs, settings, or install something.

The reason I noticed it was that my FTP client was giving me errors about not being able to list the directory - which I had never seen before even though I regularly upload and delete files via FTP with the exact same client on the exact same computer.

So, all told, I wouldn't mind if I had done it accidentally, I just don't see how I could have - especially since if it was recursive it would have changed all the files in the directory to the same group, and they had a couple different non-existent groups.

--- "Nicholson, Dale" <DNicholson () APACMail com> wrote:

On some *nix flavors chown allows you to change the group to whatever you enter even when the group does not really exist. I don't know if you are on one of those, but you can check by trying to chown the files to some other group and see.

    chown larry:madeupgroup foot.php

If this returns "chown: unknown group id madeupgroup" then you might want to get more concerned. If it allows you to change to a made up group name it means this might have been done on accident. In any case you can at least change the group back to the correct one.

I have not heard of an exploit that does this but that does not mean it doesn't exist.

Dale

-----Original Message-----
From: sf_submit () yahoo com [mailto:sf_submit () yahoo com]
Sent: Thursday, September 22, 2005 8:21 PM
To: security-basics () securityfocus com
Subject: Group permissions changed

Fairly recently I noticed my ftp client wouldn't list files in certain directories on my server anymore - so I ssh'd in (it's dedicated), and did a ls -aFl on the files, hoping to see what the problem was - here are a few of the results:

    -rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
    -rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php

I never set the group ids to 503 or 48, so I checked just to make sure - and no groups with those ids even exist. Is there an exploit/tool that causes this, and should I be worried? I checked the processes running, and everything seems to be OK - same with any processes connecting to the internet.

I'd appreciate any comments
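One way to size up the situation described in this thread, as an added example that is not part of the original messages: summarise every numeric group ID under a directory that has no entry in the group database, with the earliest and latest inode change time (ctime, which chown/chgrp updates) for each. The function names are hypothetical and GNU find, as shipped on Debian, is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# orphan_group_summary GROUPFILE
#   stdin : "GID CTIME PATH" lines (as produced by the find call below)
#   stdout: one line per GID missing from GROUPFILE (/etc/group format):
#           "GID FILE_COUNT EARLIEST_CTIME LATEST_CTIME", sorted by GID
orphan_group_summary() {
    awk -v groupfile="$1" '
        BEGIN {
            # Load every numeric GID the system knows about (field 3).
            while ((getline line < groupfile) > 0) {
                split(line, f, ":")
                known[f[3]] = 1
            }
        }
        ($1 in known) { next }          # group exists, nothing to report
        {
            g = $1; t = $2 ""           # force string comparison of timestamps
            if (!(g in n) || t < first[g]) first[g] = t
            if (!(g in n) || t > last[g])  last[g]  = t
            n[g]++
        }
        END { for (g in n) print g, n[g], first[g], last[g] }
    ' | sort -n
}

# scan_orphan_groups DIR
#   Runs the summary against the live system. getent is used so that groups
#   from any configured NSS source count as known, not only /etc/group.
scan_orphan_groups() {
    groups=$(mktemp) || return 1
    getent group > "$groups"
    # %G = numeric GID, %C+ = ctime as YYYY-MM-DD+HH:MM:SS, %p = path
    find "$1" -xdev -printf '%G %C+ %p\n' | orphan_group_summary "$groups"
    rm -f "$groups"
}

# Usage (the path is an assumption): scan_orphan_groups /var/www
```

A tight ctime window shared by all files of one orphan GID points to a single bulk operation such as a restore or recursive chown; GNU find's -nogroup test lists the same files individually.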
Current thread:
- Group permissions changed sf_submit (Sep 26)
- <Possible follow-ups>
- RE: Group permissions changed Nicholson, Dale (Sep 28)
- RE: Group permissions changed abc 123 (Sep 30)