Help w/file mode settings

Discussion in 'General Discussion' started by mickalo, Jan 13, 2007.

  1. mickalo

    Hello,

    The following files (below) have lost the suid bit ('rws'); guid for the 'write' command ('r-s'). I have no idea why?

    What are the specific chmod commands to get these files set back correctly?

    Current file mode setting:
    Code:
    -rwxr-xr-x  1 root root 84232 May 24  2006 /bin/mount*
    -rwxr-xr-x  1 root root 54412 May 24  2006 /bin/umount*
    -rwx--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn*
    -rwx--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh*
    -rwx--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp*
    -rwxr-xr-x  1 root tty  10124 May 24  2006 /usr/bin/write*
    
    Correct file mode setting:
    Code:
    -rwsr-xr-x  1 root root 84232 May 24  2006 /bin/mount
    -rwsr-xr-x  1 root root 54412 May 24  2006 /bin/umount
    -rws--x--x  1 root root 17708 May 24  2006 /usr/bin/chfn
    -rws--x--x  1 root root 18392 May 24  2006 /usr/bin/chsh
    -rws--x--x  1 root root  7700 May 24  2006 /usr/bin/newgrp
    -rwxr-sr-x  1 root tty  10124 May 24  2006 /usr/bin/write
    
    Thanks,
    Mickalo
     
  2. chirpy

    You're usually better off removing the SUID bit from those binaries as a security precaution. If you do want clients to run those binaries (why would you?) then you can put it back with:

    chmod a+s /path/to/binary
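
Added example, not part of the original posts: `chmod a+s` sets both the setuid and the setgid bit, while the "correct" listing in the first post has setuid only on five binaries and setgid only on `write`. This dry-run sketch compares the two listings (copied from that post, reduced to mode and path) and prints the exact operand for each file; the function names are hypothetical and nothing is changed on disk.

```shell
# Listings from the first post, reduced to "mode path". Nothing is modified:
# plan only prints the chmod commands that would restore the special bits.
current='-rwxr-xr-x /bin/mount
-rwxr-xr-x /bin/umount
-rwx--x--x /usr/bin/chfn
-rwx--x--x /usr/bin/chsh
-rwx--x--x /usr/bin/newgrp
-rwxr-xr-x /usr/bin/write'
wanted='-rwsr-xr-x /bin/mount
-rwsr-xr-x /bin/umount
-rws--x--x /usr/bin/chfn
-rws--x--x /usr/bin/chsh
-rws--x--x /usr/bin/newgrp
-rwxr-sr-x /usr/bin/write'

# has_bit MODE POS: true if the ls-style mode string has s/S in 1-based
# column POS (column 4 = setuid, column 7 = setgid).
has_bit() {
    case $(printf '%s' "$1" | cut -c"$2") in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# special_delta CUR WANT: print the symbolic chmod operand that changes only
# the setuid/setgid bits from CUR to WANT; print nothing if they match.
special_delta() {
    out=
    for spec in u:4 g:7; do
        who=${spec%%:*}; pos=${spec##*:}
        if has_bit "$2" "$pos" && ! has_bit "$1" "$pos"; then
            out="${out:+$out,}$who+s"
        elif has_bit "$1" "$pos" && ! has_bit "$2" "$pos"; then
            out="${out:+$out,}$who-s"
        fi
    done
    printf '%s' "$out"
}

# plan: pair the two listings by path and print one chmod command per file.
plan() {
    printf '%s\n' "$current" | while read -r cur path; do
        want=$(printf '%s\n' "$wanted" | awk -v p="$path" '$2 == p { print $1 }')
        delta=$(special_delta "$cur" "$want")
        if [ -n "$delta" ]; then printf 'chmod %s %s\n' "$delta" "$path"; fi
    done
}

plan
```

The same `special_delta` call with the arguments swapped gives the operand for removing the bits again, which is the hardened state recommended in the reply above.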
     
  3. mickalo

    Thanks chirpy. I'll take your advice.

    Not sure how they all got changed in the first place; our "Rootkit Hunter" that we run daily is what brought our attention to this matter earlier. Does cPanel change these file modes, or possibly "Up2date" updates?

    Mickalo
     
  4. chirpy

    Neither would, AFAIK. There is a script in /scripts/secureit that may have done it if you ran that.
     
  5. mickalo

    No one ran this script, as I am the only one who has root access to this particular server, and the logs verified no other person accessed the server in the past 2 days except myself. Strange! :confused:

    Mickalo
     