On 2015-02-05, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On Thu, February 5, 2015 5:23 pm, Always Learning wrote:
>>
>> On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>>
>>> >>> >>> >>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>>
>>> Be it me, I would consider box compromised. All done on/from that box
>>> since probable day it happened compromised as well. If there is no way
>>> to establish the day, then since that system originally build. With full
>>> blown sweeping up the consequences. Finding really-really-really
>>> convincing proof it is not a result of compromise (and yes, fight one's
>>> wishful thinking!).
>>
>> Logically ?
>>
>> 1. to change the permissions on shadow from -rw-x------ or from
>> ---------- to -rw-r--r-- requires root permissions ?
>>
>> 2. if so, then what is the advantage of changing those permissions when
>> the entity possessing root authority can already read shadow - that
>> entity requires neither group nor user permissions to read shadow.
>
> As I said, it's your money, mister.

It seems very likely that, even if the system's security is not
compromised, the sysadmin's certainly is. Some things are beyond our
ability to repair.

--keith

--
kkeller at wombat.san-francisco.ca.us