
#1: "spontaneous" permissions changes

Posted on 2009-08-26 23:08:26 by Yuri Csapo


Hi all, I have a strange situation I wish someone could help me with. This is the setup:

- Virtual machine running the latest VM under ESXi
- VM has one processor, 2 GB RAM, 1 GB swap
- Ubuntu 8.04 LTS
- The virtual host runs only this VM
- Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
- VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
- sdc is formatted as one big ext3 partition (sdc1)
- sdc1 is exported both as an NFS resource and a SMB share (via Samba)
- Authentication is Kerberos and authorization is local, if that matters

The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
those permissions or of tampering with the logs.

Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted
to sysadmins and support personnel only; the root password is a 32 char long random string that lives
in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full
sudo rights; there are another 5 people with sudo rights to a number of administration things
including chmod.

This is a state university and it happened on the first day of classes.

My questions:

- Did I look everywhere I should be looking to find evidence of foul play?
- Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions
change like that?

Thanks,

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
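
One way to approach the first question above, as an added example that is not part of the original thread: take the time of the permission change (the directory's ctime, if it is read before the mode is corrected) and list sudo entries near that time that ran a tool able to change modes on the path or on a parent of it. The log lines, host, users and the path /srv/export are constructed; the sudo syslog layout and English month names are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample in the usual sudo syslog layout; host, users and paths are made up.
SAMPLE_AUTH_LOG = """\
Aug 26 07:58:11 fs01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Aug 26 08:41:37 fs01 sudo:      bob : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/chmod -R 400 /srv/export
Aug 26 08:43:02 fs01 sudo:    carol : TTY=pts/3 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail /var/log/syslog
Aug 26 13:05:19 fs01 sudo:      bob : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/chmod 755 /srv/export
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?COMMAND=(?P<cmd>.+)$"
)
# Programs that can change mode bits, ownership or ACLs, or what is mounted on a path.
METADATA_TOOLS = {"chmod", "chown", "chgrp", "setfacl", "install",
                  "mount", "umount", "rsync", "tar", "cp"}


def parse_sudo_log(text, year):
    """Yield (timestamp, user, command) for each sudo COMMAND entry."""
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            # Classic syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["cmd"].strip()


def change_time(path):
    """Inode change time (ctime): updated by chmod/chown, not by reads."""
    return datetime.fromtimestamp(os.stat(path).st_ctime)


def covers(arg, target):
    """True if arg names target itself or one of its parent directories."""
    base = arg.rstrip("/")
    return arg.startswith("/") and (base == target or target.startswith(base + "/"))


def suspects(log_text, changed_at, target, window=timedelta(minutes=5)):
    """sudo entries that ran a metadata tool on target (or a parent) near changed_at."""
    hits = []
    for ts, user, cmd in parse_sudo_log(log_text, changed_at.year):
        argv = cmd.split()
        if not argv or os.path.basename(argv[0]) not in METADATA_TOOLS:
            continue
        if any(covers(a, target) for a in argv[1:]) and abs(ts - changed_at) <= window:
            hits.append((ts, user, cmd))
    return hits


if __name__ == "__main__":
    # Constructed change time; on a live system use change_time("/srv/export").
    when = datetime(2009, 8, 26, 8, 42)
    for ts, user, cmd in suspects(SAMPLE_AUTH_LOG, when, "/srv/export"):
        print(ts, user, cmd)
```

ctime holds only the most recent metadata change, so it has to be read before the mode is set back to 755. An empty result does not exclude a change made through the NFS or Samba export, which leaves no sudo entry on the server.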


#2: Re: "spontaneous" permissions changes

Posted on 2009-08-26 23:56:35 by rick

In article <4A95A44A.50305@exchange.mines.edu>,
Yuri Csapo <ycsapo@mines.edu> wrote:

>The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
>at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
>those permissions or of tampering with the logs.

Installed any RPMs lately?

--
http://www.spinics.net/lists/linux-admin/



#3: RE: "spontaneous" permissions changes

Posted on 2009-08-27 10:45:31 by Franck RICHARD

If the permission changes to 400 (read only), it's a security measure when the filesystem is corrupted, to protect it.

Do a check of your Filesystem, (umount, e2fsck, mount).

Maybe you can find something...





#4: Re: "spontaneous" permissions changes

Posted on 2009-08-27 22:22:38 by Yuri Csapo


Rick, thanks, that's a good suggestion; but no, I haven't installed anything lately - especially not
any RPMs, since this is a Ubuntu system ;-)

--Yuri

Rick wrote:
> In article <4A95A44A.50305@exchange.mines.edu>,
> Yuri Csapo <ycsapo@mines.edu> wrote:
>
>> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
>> at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
>> those permissions or of tampering with the logs.
>
> Installed any RPMs lately?
>

#5: Re: "spontaneous" permissions changes

Posted on 2009-08-27 22:25:21 by Yuri Csapo


Franck, that's a very good idea - I'll certainly check as soon as I can. Unfortunately I just can't
umount right now. Maybe this weekend.

Thanks

--Yuri

Franck RICHARD wrote:
> If the permission changes to 400 (read only), it's a security measure when the filesystem is corrupted, to protect it.
>
> Do a check of your Filesystem, (umount, e2fsck, mount).
>
> Maybe you can find something...

#6: Re: "spontaneous" permissions changes

Posted on 2009-08-27 22:30:37 by Yuri Csapo


Daniel,

Thank you for your reply. Unfortunately regulations don't allow me to divulge configuration files.
What specifically were you looking for in /etc/fstab?

I will be performing the tests you suggest soon; I can't do them right now because the box is under
heavy use. Maybe this weekend.

Thanks again!

--Yuri

Daniel A. Avelino wrote:
> Yuri,
>
> could you show us your /etc/fstab file?
> Could you perform some tests, like mount this partition, list permissions so
> umount the partition and list permissions again?

#7: Re: "spontaneous" permissions changes

Posted on 2009-08-28 16:09:42 by Yuri Csapo


Franck, that's a very good point. I shall be asking VMware support about this.

Thanks!

Yuri

Franck RICHARD wrote:
> Hi,
>
> When you work with virtual systems, when the filesystem of your virtual machine is corrupted,
> maybe you have errors only in the syslog of your host and not on your virtual machine...
>
> The kernel of the virtual machine detects that it no longer has write permission on the disk and switches the permissions...
>
> I'm not sure, but I had a similar case in the past with Xen
>
>
> From: Herta Van den Eynde [mailto:herta.vandeneynde@gmail.com]
> Sent: Thursday, 27 August 2009 23:01
> To: ycsapo@mines.edu
> Cc: Franck RICHARD; linux-admin
> Subject: Re: "spontaneous" permissions changes
>
> Hi Franck,
>
> That sounds like a plausible theory, but I've had my share of filesystem corruptions, and they always logged errors in syslog. Does your mileage vary?
>
> Also, if this were a filesystem corruption, could Yuri have worked past it without a filesystem check?
>
> Kind regards,
>
> Herta
> --
> "Life on Earth may be expensive,
> but it comes with a free ride around the Sun."
>
