Directory/files owned by a non-existent user
Solution 1
Other possibilities which don't involve a security breach:
- If root extracts some files from a tar archive, tar will create those files with the uid/gid of the source system even if that user/group does not exist on the destination host.
- If root uses rsync -a to synchronize a directory between two different systems, rsync will create those files with the uid/gid of the source system even if that user/group does not exist on the destination host.
A lot of file transfer activities between hosts that do not have the same user list can create this kind of unknown-owner file.
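The two checks an administrator would want for the situation this answer describes, as an added example that is not part of the original answer: list the numeric uid/gid recorded inside a tar archive before root extracts it (the equivalent of `tar --numeric-owner -tvf archive.tar`), and walk a tree for files whose owner or group has no local account (the equivalent of `find /path -nouser -o -nogroup`). The sample archive is constructed in memory with a made-up uid/gid of 54321, which is assumed not to exist on the host running the script; the path /var/www in the usage block is also an assumption.

```python
"""Added example (not from the original question or answers): detect files
and archive members whose uid/gid has no matching local account.

Assumptions: a POSIX host with passwd/group databases; uid/gid 54321 is a
constructed value assumed not to be a real account on this host.
"""
import grp
import io
import os
import pwd
import tarfile


def uid_known(uid: int) -> bool:
    """True if uid maps to an entry in the passwd database."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def gid_known(gid: int) -> bool:
    """True if gid maps to an entry in the group database."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def unowned_archive_members(tar_bytes: bytes) -> list[tuple[str, int, int]]:
    """Return (name, uid, gid) for members whose numeric uid or gid is not a
    local account. Run this before root extracts an archive: tar, when run
    as root, restores the recorded ids verbatim."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if not uid_known(member.uid) or not gid_known(member.gid):
                hits.append((member.name, member.uid, member.gid))
    return hits


def unowned_files(root: str) -> list[tuple[str, int, int]]:
    """Equivalent of `find ROOT -nouser -o -nogroup`: walk the tree without
    following symlinks and report paths whose owner or group is orphaned."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not uid_known(st.st_uid) or not gid_known(st.st_gid):
                hits.append((path, st.st_uid, st.st_gid))
    return hits


def build_sample_archive(uid: int, gid: int) -> bytes:
    """Constructed sample: a one-file archive whose header claims uid/gid,
    mimicking an archive created on a host with a different user list."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        data = b"hello\n"
        info = tarfile.TarInfo(name="payload/file.txt")
        info.size = len(data)
        info.uid, info.gid = uid, gid
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    ORPHAN = 54321  # constructed; assumed not to be a real account here
    sample = build_sample_archive(ORPHAN, ORPHAN)
    for name, uid, gid in unowned_archive_members(sample):
        print(f"archive member {name}: unknown uid/gid {uid}/{gid}")
    # /var/www is an assumed web root; os.walk yields nothing if it is absent.
    for path, uid, gid in unowned_files("/var/www"):
        print(f"{path}: uid {uid} gid {gid} has no local account")
```

The archive check is the more useful of the two for the question's scenario, because it answers "would extracting this as root leave orphaned ownership behind?" before anything touches the filesystem; the tree walk is what you run afterwards to find what already slipped through.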
Solution 2
Two obvious possibilities which don't involve security breach:
- exported file system (NFS, samba, ...) to a computer which has such account
- network wide identification (NIS, ldap, ...) which allows such account
Author: Chef Flambe
Updated on September 18, 2022
Comments
- Chef Flambe over 1 year: A user has created a directory with files, but the user does not exist in /etc/passwd or /etc/group. The system is a Fedora server with an FTP server and proxy which redirects to a CentOS server with Apache where the directory was created. Where could the user have come from? Is this a security problem?
- rahmu over 12 years: Is it possible at all that the user has been removed? What happens to the files belonging to him in that case?
- Chef Flambe over 12 years: With ls -l I can see his entries. I don't know if it has been removed. If so, he has root access... But good question. Is passwd the single place where such a user can be put in? Or can user rights be written through a security hole without an existing user ever existing?
- Chef Flambe over 12 years: The directory has been created from a tar file. The owner of the tar file is root. So the question now is how the tar file came onto the server. The normal FTP log files don't mention anything. Either it's Apache or a CMS.
- Chef Flambe over 12 years: I also thought that. But showmount gives me too many results. So I need another way to narrow down the cause of the security breach.
- serb over 12 years: IMHO, this is another question. You can start by reading these responses on Server Fault: "How do I know if my Linux server has been hacked?" and "How can I detect unwanted intrusions on my servers?".
- dmckee --- ex-moderator kitten over 12 years: Another couple of reasons to never work as root.
- Random832 over 12 years: Or root simply downloaded the file, with wget or ftp (client) or similar, none of which make logs. After all, root had to extract it, whether this was done with a shell or as part of a CMS. Do you (or whoever else legitimately has root) not remember doing such a thing?