On both our new filers, running 6.1.2R1, I have just noticed that the
ownership of its "/vol/vol0/etc" belongs, not to the expected "root", but
to an apparently arbitrary uid "20041" (gid "30").
Fortunately:
(a) we have not allocated that uid to anyone;
(b) I think the only machine to which "/etc" would be user-accessible
(a Solaris UNIX box for our user admin.) can have access restrictions
to prevent telnet/ssh-like user-access.
Nevertheless, it does seem a little worrying (correction, potentially very
worrying) that this critical "/etc" directory is owned by an ordinary
user. (Just suppose this October's student intake allocates that uid to
someone who likes exploring...)
All the contents of "/etc" are root-owned, except for a subdirectory
called "java" and within that some (not all) of its contents:
drwxr-xr-x 3 20041 30 4096 Jun 11 08:11 .
drwxr-xr-x 20 20041 30 65536 Jul 22 14:53 ..
-rwxr-xr-x 1 root other 1912820 Jan 9 2002 .jitcache.db
-rw-r--r-- 1 root root 1912820 May 14 14:05 .jitcache.db.saved
-rwxr-xr-x 2 root other 8844945 Jan 8 2002 classes.zip
-rwxr-xr-x 2 root other 8844945 Jan 8 2002 classes.zip-inuse
-rw-r--r-- 1 20041 30 238737 Oct 13 2000 crysec.zip
-rw-rw-r-- 1 root root 139895 Jun 14 00:35 jit.log
-rw-r--r-- 1 20041 30 505097 Oct 13 2000 jsafe.zip
drwxr-xr-x 3 root root 4096 May 14 14:05 lib
-rwxr-xr-x 2 root other 1422554 Jan 8 2002 netapp.zip
-rwxr-xr-x 2 root other 1422554 Jan 8 2002 netapp.zip-inuse
-rw-r--r-- 1 20041 30 217093 Oct 13 2000 phaos.zip
-rwxr-xr-x 2 root other 1942824 Jan 8 2002 redshift.zip
-rwxr-xr-x 2 root other 1942824 Jan 8 2002 redshift.zip-inuse
-rw-r--r-- 1 20041 30 113216 Oct 13 2000 secureadmin.zip
-rwxr-xr-x 2 root other 139753 Jan 8 2002 servlet.zip
-rwxr-xr-x 2 root other 139753 Jan 8 2002 servlet.zip-inuse
Is this general, affecting other sites, or does it suggest that something
peculiar happened at our installation?
I understand that, since site installation, we have had something added:
from memory, I think it was "Secure FilerView", but I may be wrong, and
the local person who oversaw this is currently away.
Any comments, anyone?
--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 374 2882 U.K. :
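
Added example (not part of the original post, and not NetApp code): a small Python check that parses an "ls -la" listing like the one above and flags entries a non-root account controls. The finding labels and the TRUSTED set are assumptions chosen for illustration; the sample lines are a subset copied from the post.

```python
import re

# Sample input: a subset of the "ls -la" lines quoted in the post, where "."
# is etc/java and ".." is the filer's etc directory itself.
LISTING = """\
drwxr-xr-x 3 20041 30 4096 Jun 11 08:11 .
drwxr-xr-x 20 20041 30 65536 Jul 22 14:53 ..
-rwxr-xr-x 1 root other 1912820 Jan 9 2002 .jitcache.db
-rw-r--r-- 1 20041 30 238737 Oct 13 2000 crysec.zip
-rw-rw-r-- 1 root root 139895 Jun 14 00:35 jit.log
drwxr-xr-x 3 root root 4096 May 14 14:05 lib
-rwxr-xr-x 2 root other 1422554 Jan 8 2002 netapp.zip
"""

LINE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$")

TRUSTED = {"root", "0"}  # assumption: only root (by name or uid) is trusted

def audit(listing):
    """Return (name, issue) pairs for entries a non-root account can alter."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "total N" lines and anything unparseable
        mode, owner, group, name = m.group("mode", "owner", "group", "name")
        if owner not in TRUSTED:
            if mode[0] == "d" and mode[2] == "w":
                # Write permission on a directory lets its owner unlink or
                # rename every entry inside it, including root-owned files.
                findings.append((name, "dir-owner-can-replace-contents"))
            else:
                findings.append((name, "non-root-owner"))
        if mode[5] == "w" and group not in TRUSTED:
            findings.append((name, "group-writable"))
        if mode[8] == "w":
            findings.append((name, "world-writable"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(LISTING):
        print(f"{issue:32} {name}")
```
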