Directory/files owned by a non-existent user

6,074

Solution 1

Other possibilities which don't involve security breach:

  • If root extracts some files from a tar, tar will create those files with the uid/gid of the source system even if that user/group does not exist on the destination host.
  • If root uses rsync -a to synchronize a directory on two different systems, rsync will create those files with the uid/gid of the source system even if that user/group does not exist on the destination host.

A lot of file transfer activities between hosts that do not have the same user list can create this kind of unknown-owner file.
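As an added example (not part of the answer above), the script below shows the mechanism the answer describes and the check an administrator runs afterwards. It builds a constructed tar archive whose header carries a uid/gid (1234567) and user name ("srchost-deploy") that only existed on the packing host, applies GNU tar's ownership rule for a root extraction (use the stored name if this host resolves it, otherwise the stored number), and then scans a directory tree for entries whose uid or gid has no local name, which is what `find / -xdev \( -nouser -o -nogroup \) -ls` does. The ids, names and file contents are constructed for the example.

```python
"""Added example: inspect the owner metadata a tar archive carries, predict
what root would put on disk when extracting it here, and scan a tree for
files whose uid/gid has no local name (the `find -nouser -o -nogroup` check).
Sample archive contents, ids and names are constructed for this example."""
import grp
import io
import os
import pwd
import tarfile
import tempfile


def uid_known(uid):
    """True if this host's user database resolves the uid."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def gid_known(gid):
    """True if this host's group database resolves the gid."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def build_sample_archive(uid=1234567, gid=1234567,
                         uname="srchost-deploy", gname="srchost-deploy"):
    """Constructed sample: an archive packed on another host where uid/gid
    1234567 belonged to a user 'srchost-deploy'. The header stores both the
    numbers and the names the *source* host resolved them to."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"<html>constructed sample</html>\n"
        info = tarfile.TarInfo("site/index.html")
        info.size = len(data)
        info.uid, info.gid = uid, gid
        info.uname, info.gname = uname, gname
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_owners(tar_bytes):
    """List (name, uid, gid, uname, gname) for every member of the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [(m.name, m.uid, m.gid, m.uname, m.gname) for m in tf.getmembers()]


def predicted_uid_after_root_extract(uid, uname, numeric_owner=False):
    """Mirror GNU tar's rule when root extracts (its default is --same-owner):
    use the stored uname if this host resolves it, otherwise fall back to the
    stored numeric uid (always the number with --numeric-owner). An
    unresolved name therefore lands on disk as a uid with no passwd entry."""
    if not numeric_owner and uname:
        try:
            return pwd.getpwnam(uname).pw_uid
        except KeyError:
            pass
    return uid


def find_orphaned(root):
    """Equivalent of `find ROOT -nouser -o -nogroup`: return (path, uid, gid)
    for every entry below root whose uid or gid has no local name. lstat is
    used so a symlink is judged by its own owner, not its target's."""
    orphans = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not uid_known(st.st_uid) or not gid_known(st.st_gid):
                orphans.append((path, st.st_uid, st.st_gid))
    return orphans


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, uid, gid, uname, gname in archive_owners(archive):
        on_disk = predicted_uid_after_root_extract(uid, uname)
        print(f"{name}: header uid={uid} ({uname!r}) -> root would extract "
              f"as uid {on_disk}, known here: {uid_known(on_disk)}")
    with tempfile.TemporaryDirectory() as tmp:
        # Unpacked as an ordinary user the files get our own uid, so nothing
        # is orphaned; only root can create a file owned by an unknown uid.
        with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
            for m in tf.getmembers():
                dest = os.path.join(tmp, os.path.basename(m.name))
                with open(dest, "wb") as out:
                    out.write(tf.extractfile(m).read())
        print("orphaned entries:", find_orphaned(tmp))
```

Run it as root on a tree you suspect and `find_orphaned` (or the `find` one-liner it mirrors) gives you the inventory to work from; `tar -tvf archive.tar` shows the same header names and numbers before you extract, and `--no-same-owner` or `--numeric-owner` lets you decide what root should do with them.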

Solution 2

Two obvious possibilities which don't involve security breach:

  • exported file system (NFS, Samba, ...) to a computer which has such an account
  • network-wide identification (NIS, LDAP, ...) which allows such an account

Author by

Chef Flambe

Updated on September 18, 2022

Comments

  • Chef Flambe
    Chef Flambe over 1 year

    A user has created a directory with files, but the user does not exist in /etc/passwd or /etc/group. The system is a Fedora server with an FTP server and proxy which redirects to a CentOS server with Apache where the directory was created. Where could the user have come from? Is this a security problem?

    • rahmu
      rahmu over 12 years
      Is it possible at all that the user has been removed? What happens to the files belonging to him in that case?
    • Chef Flambe
      Chef Flambe over 12 years
      With ls -l I can see his entries. I don't know if it has been removed. If so, then he has root access... But good question. Is passwd the only place where such a user can be defined? Or could, through a security hole, user rights be written without there ever being an existing user?
  • Chef Flambe
    Chef Flambe over 12 years
    The directory has been created from a tar file. The owner of the tar file is root. So the question now is how the tar file got onto the server. The normal FTP log files don't mention anything. Either it's Apache or a CMS.
  • Chef Flambe
    Chef Flambe over 12 years
    I also thought that. But showmount gives me too many results. So I need another way to narrow down the cause of the security breach.
  • serb
    serb over 12 years
    IMHO, this is another question. You can start by reading these responses on Server Fault: How do I know if my Linux server has been hacked? and How can I detect unwanted intrusions on my servers?
  • dmckee --- ex-moderator kitten
    dmckee --- ex-moderator kitten over 12 years
    Another couple of reasons to never work as root.
  • Random832
    Random832 over 12 years
    Or root simply downloaded the file, with wget or ftp (client) or similar, none of which make logs. After all, root had to extract it, whether this was done with a shell or as part of a CMS. Do you (or whoever else legitimately has root) not remember doing such a thing?