On 2015-02-05, Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
On Thu, February 5, 2015 5:23 pm, Always Learning wrote:
On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
-rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
Were it me, I would consider the box compromised. Everything done on/from that box since the probable day it happened is compromised as well. If there is no way to establish the day, then since that system was originally built. With full-blown sweeping up of the consequences. Finding really-really-really convincing proof it is not a result of compromise (and yes, fight one's wishful thinking!).
Logically ?
- to change the permissions on shadow from -rw-x------ or from ---------- to -rw-r--r-- requires root permissions ?
- if so, then what is the advantage of changing those permissions when the entity possessing root authority can already read shadow - that entity requires neither group nor user permissions to read shadow.
As I said, it's your money, mister.
It seems very likely that, even if the system's security is not compromised, the sysadmin's certainly is. Some things are beyond our ability to repair.
--keith
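
An added example, not part of the thread: a shell check for the condition in the listing above (group/other bits set on shadow) that also prints the inode change time, since the date `ls -l` shows is the content modification time and a chmod does not update it. It assumes GNU stat; the function name and the optional mask argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat (coreutils).
# check_secret_file PATH [FORBIDDEN_MASK]
#   FORBIDDEN_MASK: octal permission bits that must be clear. Default 077
#   (no group/other access at all). The mask is this example's convention,
#   e.g. 037 on systems that ship shadow as 640 root:shadow.
# Returns 0 if clean, 1 if forbidden bits are set, 2 if the file is missing.
check_secret_file() {
    f=$1
    mask=${2:-077}
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 2
    fi
    mode=$(stat -c '%a' "$f")      # octal mode, e.g. 644
    owner=$(stat -c '%U:%G' "$f")
    mtime=$(stat -c '%y' "$f")     # last content change (what ls -l shows)
    ctime=$(stat -c '%z' "$f")     # last inode change; chmod/chown update this
    bad=$(( 0$mode & 0$mask ))     # leading 0 makes both values octal
    echo "$f mode=$mode owner=$owner"
    echo "  mtime=$mtime"
    echo "  ctime=$ctime"
    if [ "$bad" -ne 0 ]; then
        printf '  FAIL: forbidden bits set (octal %o)\n' "$bad"
        return 1
    fi
    echo "  ok"
    return 0
}
```

Run it as `check_secret_file /etc/shadow` and `check_secret_file /etc/gshadow`. The ctime records only the most recent inode change, so it gives a latest possible time for the permission change, not proof of when it first happened.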