On Thu, February 5, 2015 5:23 pm, Always Learning wrote:
>
> On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>
>> >>>
>> >>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
>> Be it me, I would consider box compromised. All done on/from that box
>> since probable day it happened compromised as well. If there is no way to
>> establish the day, then since that system originally build. With full
>> blown sweeping up the consequences. Finding really-really-really
>> convincing proof it is not a result of compromise (and yes, fight one's
>> wishful thinking!).
>
> Logically ?
>
> 1. to change the permissions on shadow from -rw-x------ or from
> ---------- to -rw-r--r-- requires root permissions ?
>
> 2. if so, then what is the advantage of changing those permissions when
> the entity possessing root authority can already read shadow - that
> entity requires neither group nor user permissions to read shadow.
>

As I said, it's your money, mister. Think of what your users will think
about your response to bizarre you have discovered. Sysadmins have their
users' trust a priori. But they have to keep deserving this trust all the
time.

Just my $0.02

Valeri

PS I figure I really have to thank my teachers! Including great books I've
read...

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++