root user ID number accidentally changed on files
Hello, Short story; accidentally created a user with user ID of '0'. Went to change the ID of all the files owned by the user to the proper ID and now all the root user files have the four digit ID. How can I quickly (real quick) change the four digit ID on the files owned by root back to '0' recursively. Many thanks, James
find . -exec chown root {} \; might work. . is the beginning directory to recurse from If you need the group changed as well then it would like: find. -exec chown root:root {} \;
Robert Lewis wrote:
find . -exec chown root {} \; might work.
. is the beginning directory to recurse from If you need the group changed as well then it would like: find. -exec chown root:root {} \;
The example given will change all files to be owned by root, a better way would be to: find / -user <four digit id> -exec chown -h root {} \; The above will search from the root file system and change all files owned by <four digit id> to be owned by root. Changing / to . will make it search the current path and subdirectories within that path. Since the original command to used to change the files originally a better solution can not be given. Mike
On Tue, 12 Sep 2006 11:12 am, Mike Noble wrote:
find / -user <four digit id> -exec chown -h root {} \;
Danger Will Robinson! If anyone else had access to that user and created any suid files, you have just given away the machine. In this example it's unlikely, but in general watch out when bulk chown-ing a bunch of files to root. Better add a chmod to strip any suid or sgid bits. root> find / -user <four digit id> -exec chmod ug-s {} \; -exec chown -h root {} \; (Beware line wrap, it's all 1 line) If you have the security audit script emailing you, you will get some warning of this in the weekly report. -- Michael James michael.james@csiro.au System Administrator voice: 02 6246 5040 CSIRO Bioinformatics Facility fax: 02 6246 5166 No matter how much you pay for software, you always get less than you hoped. Unless you pay nothing, then you get more.
Michael, Good point, the problem is that there could be some files that need to be SUID and this would strip them and this will cause the user more problems. Mike Michael James wrote:
On Tue, 12 Sep 2006 11:12 am, Mike Noble wrote:
find / -user <four digit id> -exec chown -h root {} \;
Danger Will Robinson! If anyone else had access to that user and created any suid files, you have just given away the machine. In this example it's unlikely, but in general watch out when bulk chown-ing a bunch of files to root. Better add a chmod to strip any suid or sgid bits.
root> find / -user <four digit id> -exec chmod ug-s {} \; -exec chown -h root {} \;
(Beware line wrap, it's all 1 line)
If you have the security audit script emailing you, you will get some warning of this in the weekly report.
On Monday 11 September 2006 18:46, Mike Noble wrote:
Good point, the problem is that there could be some files that need to be SUID and this would strip them and this will cause the user more problems.
It seems likely that would have already happened on the first accident, no? -- _____________________________________ John Andersen
On Mon, 11 Sep, 2006 at 14:37:21 -0700, James D. Parra wrote:
Hello,
Short story; accidentally created a user with user ID of '0'. Went to change the ID of all the files owned by the user to the proper ID and now all the root user files have the four digit ID.
How can I quickly (real quick) change the four digit ID on the files owned by root back to '0' recursively.
Unless I'm missing something; SuSEconfig - ought to do it for you? (It checks file ownership/privs agains /etc/permissions and friends, and corrects anything out of 'sync') /Jon -- YMMV
On 11/09/06 23:02, Jon Clausen wrote:
On Mon, 11 Sep, 2006 at 14:37:21 -0700, James D. Parra wrote:
Hello,
Short story; accidentally created a user with user ID of '0'. <snip> Unless I'm missing something;
SuSEconfig
- ought to do it for you?
(It checks file ownership/privs agains /etc/permissions and friends, and corrects anything out of 'sync') SuSEconfig -module permissions
Otherwise, it will run all the scripts in /sbin/conf.d/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Tuesday 2006-09-12 at 07:02 +0200, Jon Clausen wrote:
Unless I'm missing something;
SuSEconfig
- ought to do it for you?
(It checks file ownership/privs agains /etc/permissions and friends, and corrects anything out of 'sync')
Not really for everything, only those that have a sequrity consequence. For instance, /usr/share/doc is not touched. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFBonXtTMYHG2NR9URAqiQAJ9jZwNOcjv9GfCEfhfbF9aj654grwCfWga1 FstC+HKvNMUM84qCqF4fS1o= =LG0Q -----END PGP SIGNATURE-----
On Tue, 12 Sep, 2006 at 12:19:55 +0200, Carlos E. R. wrote:
The Tuesday 2006-09-12 at 07:02 +0200, Jon Clausen wrote:
(It checks file ownership/privs agains /etc/permissions and friends, and corrects anything out of 'sync')
Not really for everything, only those that have a sequrity consequence. For instance, /usr/share/doc is not touched.
True. But the files with a security consequence *are* the most important to fix 'real quick'. The OP wasn't clear about *which* files were affected, so... But in any case the rpm idea presented in another branch of this thread is probably a better solution, overall. /Jon -- YMMV
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2006-09-13 at 07:59 +0200, Jon Clausen wrote:
(It checks file ownership/privs agains /etc/permissions and friends, and corrects anything out of 'sync')
Not really for everything, only those that have a sequrity consequence. For instance, /usr/share/doc is not touched.
True. But the files with a security consequence *are* the most important to fix 'real quick'.
Er... yes, right.
The OP wasn't clear about *which* files were affected, so...
I thought at first he meant those in /root, maybe more.
But in any case the rpm idea presented in another branch of this thread is probably a better solution, overall.
Probably both, rpm first, then suseconfig: rpm -a --setugids rpm -a --setperms SuSEconfig -module permissions I don't knwow why Jon Nelson says that --setugids should always be done before --setperms :-? - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFB9wdtTMYHG2NR9URAlUSAJ9uGR13LuDKZ0LlRewYXMRPAfHJBACfWUCs dGvcbD/CciOfJvRbvHlOpgs= =JWrN -----END PGP SIGNATURE-----
Hi, On Monday 11 September 2006 23:37, James D. Parra wrote:
Short story; accidentally created a user with user ID of '0'. Went to change the ID of all the files owned by the user to the proper ID and now all the root user files have the four digit ID.
How can I quickly (real quick) change the four digit ID on the files owned by root back to '0' recursively.
I would recommend using rpm for this: rpm -qa --setugids will set all file user/group ownerships back to how it was installed with RPM. This of course will miss out on files that a) have not been installed through RPM b) have changed ownership by means of a postinstall script Chances are, you will be able to catch b) with SuSEconfig. Greetings from Stuhr hartmut
On Tue, 12 Sep 2006, Hartmut Meyer wrote:
Hi,
On Monday 11 September 2006 23:37, James D. Parra wrote:
Short story; accidentally created a user with user ID of '0'. Went to change the ID of all the files owned by the user to the proper ID and now all the root user files have the four digit ID.
How can I quickly (real quick) change the four digit ID on the files owned by root back to '0' recursively.
I would recommend using rpm for this:
rpm -qa --setugids
will set all file user/group ownerships back to how it was installed with RPM. This of course will miss out on files that
a) have not been installed through RPM b) have changed ownership by means of a postinstall script
Chances are, you will be able to catch b) with SuSEconfig.
You don't need the -q (query). However, it's good advice. I'd follow that up with rpm -a --setperms. Always do --setugids *before* --setperms. Alternatively, you could see what might be wrong with: rpm -Va although that will probably print out stuff like timestamp changed, config file changed, etc... that isn't necessarily what you are looking for. Still, I find it useful to determine what has changed. -- Carpe diem - Seize the day. Carp in denim - There's a fish in my pants! Jon Nelson <jnelson-suse@jamponi.net>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Tuesday 2006-09-12 at 03:42 -0500, Jon Nelson wrote:
Always do --setugids *before* --setperms.
Why is that? :-? - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFB9xftTMYHG2NR9URAr7cAJ9g0aqKzy03zLJXYKz2BRrO19H2HQCeK1Ux QTT4Aa9J47vO2c+CR+7AYqo= =P0Z4 -----END PGP SIGNATURE-----
Carlos, On Wednesday 13 September 2006 03:24, Carlos E. R. wrote:
The Tuesday 2006-09-12 at 03:42 -0500, Jon Nelson wrote:
Always do --setugids *before* --setperms.
Why is that? :-?
Because changing a file's ownership (including it's group ID) clears the setuid and / or setgid bits. This happens at the kernel level, so it's not just the chown and chgrp commands that require this treatment. An excerpt from "man 2 chown": -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- When the owner or group of an executable file are changed by a non- superuser, the S_ISUID and S_ISGID mode bits are cleared. POSIX does not specify whether this also should happen when root does the chown; the Linux behaviour depends on the kernel version. In case of a non- group-executable file (with clear S_IXGRP bit) the S_ISGID bit indi- cates mandatory locking, and is not cleared by a chown. -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
-- Cheers, Carlos E. R.
Randall Schulz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2006-09-13 at 05:35 -0700, Randall R Schulz wrote:
Always do --setugids *before* --setperms.
Why is that? :-?
Because changing a file's ownership (including it's group ID) clears the setuid and / or setgid bits. This happens at the kernel level, so it's not just the chown and chgrp commands that require this treatment.
I wasn't aware of that, but I understand. But I thought that the "rpm - --setperms" command did it all. I can't verify: "man rpm" doesn't say a word, and "info rpm" shows this: | File: libc.info, Node: Yes-or-No Questions, Prev: Formatting Numbers, | Up: Locales | | 7.8 Yes-or-No Questions | ======================= which obviously is not the rpm info page, I think it is missing. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFCFEVtTMYHG2NR9URAoseAJoDUP5SwaZD9JKyMe4pZMxD2pgjAQCfaCuy baFK+RpRcz0cNbtDQ/ICe7c= =Vwa0 -----END PGP SIGNATURE-----
participants (11)
-
Carlos E. R. -
Darryl Gregorash -
Hartmut Meyer -
James D. Parra -
John Andersen -
Jon Clausen -
Jon Nelson -
Michael James -
Mike Noble -
Randall R Schulz -
Robert Lewis