Help w/file mode settings

Discussion in 'General Discussion' started by mickalo, Jan 13, 2007.

  1. mickalo

    Hello,

    The following files (below) have lost the suid bit ('rws'); guid for the 'write' command ('r-s'). I have no idea why.

    What are the specific chmod commands to get these files set back correctly?

    Current file mode setting:
    Code:
    -rwxr-xr-x  1 root root 84232 May 24  2006 /bin/mount*
    -rwxr-xr-x  1 root root 54412 May 24  2006 /bin/umount*
    -rwx--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn*
    -rwx--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh*
    -rwx--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp*
    -rwxr-xr-x  1 root tty  10124 May 24  2006 /usr/bin/write*
    
    Correct file mode setting:
    Code:
    -rwsr-xr-x  1 root root 84232 May 24  2006 /bin/mount
    -rwsr-xr-x  1 root root 54412 May 24  2006 /bin/umount
    -rws--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn
    -rws--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh
    -rws--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp
    -rwxr-sr-x  1 root tty  10124 May 24  2006 /usr/bin/write
    
    Thanks,
    Mickalo
     
  2. chirpy

    You're usually better off removing the SUID bit from those binaries as a security precaution. If you do want clients to run those binaries (why would you?) then you can put it back with:

    chmod a+s /path/to/binary
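
An added example, not part of the thread or of either poster's text: `chmod a+s` sets both setuid and setgid, while the "correct" listing in the first post has setuid only on five binaries and setgid only on /usr/bin/write. The script below parses the two listings from that post and derives, per file, the narrowest `chmod` that would re-add just the missing bit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Both listings are copied from the first post.
CURRENT='-rwxr-xr-x  1 root root 84232 May 24  2006 /bin/mount*
-rwxr-xr-x  1 root root 54412 May 24  2006 /bin/umount*
-rwx--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn*
-rwx--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh*
-rwx--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp*
-rwxr-xr-x  1 root tty  10124 May 24  2006 /usr/bin/write*'
BASELINE='-rwsr-xr-x  1 root root 84232 May 24  2006 /bin/mount
-rwsr-xr-x  1 root root 54412 May 24  2006 /bin/umount
-rws--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn
-rws--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh
-rws--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp
-rwxr-sr-x  1 root tty  10124 May 24  2006 /usr/bin/write'
# perm_digit "r-s" -> 5. Lowercase s/t imply execute; uppercase S/T do not.
perm_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}
# mode_to_octal "-rwsr-xr-x" -> 4755 (setuid=4, setgid=2, sticky=1).
mode_to_octal() {
    u=$(printf '%s\n' "$1" | cut -c2-4)
    g=$(printf '%s\n' "$1" | cut -c5-7)
    o=$(printf '%s\n' "$1" | cut -c8-10)
    sp=0
    case $u in ??[sS]) sp=$((sp + 4)) ;; esac
    case $g in ??[sS]) sp=$((sp + 2)) ;; esac
    case $o in ??[tT]) sp=$((sp + 1)) ;; esac
    echo "$sp$(perm_digit "$u")$(perm_digit "$g")$(perm_digit "$o")"
}
# mode_of LISTING PATH -> mode column for PATH (the ls -F "*" suffix is ignored).
mode_of() {
    printf '%s\n' "$1" | awk -v p="$2" '{ sub(/\*$/, "", $9) } $9 == p { print $1 }'
}
# restore_cmd PATH -> chmod that re-adds only the setuid/setgid bits the
# baseline has and the current listing lacks; prints nothing if none are missing.
restore_cmd() {
    have=$(mode_to_octal "$(mode_of "$CURRENT" "$1")")
    want=$(mode_to_octal "$(mode_of "$BASELINE" "$1")")
    miss=$(( ${want%???} & ~${have%???} ))
    who=""
    [ $((miss & 4)) -ne 0 ] && who="${who}u"
    [ $((miss & 2)) -ne 0 ] && who="${who}g"
    [ -n "$who" ] && echo "chmod $who+s $1"
    return 0
}
printf '%s\n' "$BASELINE" | awk '{ print $9 }' | while read -r p; do restore_cmd "$p"; done
```

The script only prints the commands; it does not change any file modes.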
     
  3. mickalo

    Thanks chirpy. I'll take your advice.

    Not sure how they all got changed in the first place; our "Rootkit Hunter" that we run daily is what brought our attention to this matter earlier. Does cPanel change these file modes, or "Up2date" updates possibly?

    Mickalo
     
  4. chirpy

    Neither would, AFAIK. There is a script in /scripts/secureit that may have done it if you ran that.
     
  5. mickalo

    No one ran this script, as I am the only one who has root access to this particular server, and the logs verified no other person accessed the server in the past 2 days except myself. Strange! :confused:

    Mickalo
     