On Thu, February 5, 2015 5:23 pm, Always Learning wrote:
> On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>> Be it me, I would consider the box compromised. Everything done on/from that box since the probable day it happened is compromised as well. If there is no way to establish the day, then since that system was originally built. With full-blown sweeping up of the consequences. Finding really-really-really convincing proof it is not a result of compromise (and yes, fight one's wishful thinking!).
> Logically ?
> - to change the permissions on shadow from -rw-x------ or from ---------- to -rw-r--r-- requires root permissions ?
> - if so, then what is the advantage of changing those permissions when the entity possessing root authority can already read shadow - that entity requires neither group nor user permissions to read shadow.
As I said, it's your money, mister.
Think of what your users will think about your response to the bizarre thing you have discovered. Sysadmins have their users' trust a priori. But they have to keep deserving this trust all the time.
Just my $0.02
Valeri
PS I figure I really have to thank my teachers! Including great books I've read...
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++