"spontaneous" permissions changes

"spontaneous" permissions changes

am 26.08.2009 23:08:26 von Yuri Csapo

--------------000808060705050005070302
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

Hi all, I have a strange situation I wish someone could help me with. This is the setup:

- Virtual machine running the latest VM under ESXi
- VM has one processor, 2 GB RAM, 1 GB swap
- Ubuntu 8.04 LTS
- The virtual host runs only this VM
- Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
- VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
- sdc is formatted as one big ext3 partition (sdc1)
- sdc1 is exported both as an NFS resource and a SMB share (via Samba)
- Authentication is Kerberos and authorization is local, if that matters

The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
those permissions or of tampering with the logs.

Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted
to sysadmins and support personel only; the root password is a 32 char long random string that lives
in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full
sudo rights; there are another 5 people with sudo rights to a number of administration things
including chmod.

This is a state university and it happened on the first day of classes.

My questions:

- Did I look everywhere I should be looking to find evidence of foul play?
- Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions
change like that?

Thanks,

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--------------000808060705050005070302
Content-Type: text/x-vcard; charset="utf-8"; name="ycsapo.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ycsapo.vcf"

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------000808060705050005070302--
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: "spontaneous" permissions changes

am 26.08.2009 23:56:35 von rick

In article <4A95A44A.50305@exchange.mines.edu>,
Yuri Csapo wrote:

>The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
>at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
>those permissions or of tampering with the logs.

Installed any RPMs lately?

--
http://www.spinics.net/lists/linux-admin/


--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

RE: "spontaneous" permissions changes

am 27.08.2009 10:45:31 von Franck RICHARD

If the permission change to 400 (read only), it's a security when the f=
ilesystem is corrupted, to protect it.

Do a check of your Filesystem, (umount, e2fsck, mount).

Maybe you can find something...




-----Message d'origine-----
De=A0: linux-admin-owner@vger.kernel.org [mailto:linux-admin-owner@vger=
kernel.org] De la part de Yuri Csapo
Envoyé : mercredi 26 ao=FBt 2009 23:08
À : linux-admin
Objet=A0: "spontaneous" permissions changes

Hi all, I have a strange situation I wish someone could help me with. T=
his is the setup:

- Virtual machine running the latest VM under ESXi
- VM has one processor, 2 GB RAM, 1 GB swap
- Ubuntu 8.04 LTS
- The virtual host runs only this VM
- Virtual host connects to a Lefthand Networks (now HP) SAN through 1 G=
B copper ethernet and iSCSI
- VM has a 1 TB volume from the SAN that looks like a SCSI drive to Lin=
ux (/dev/sdc)
- sdc is formatted as one big ext3 partition (sdc1)
- sdc1 is exported both as an NFS resource and a SMB share (via Samba)
- Authentication is Kerberos and authorization is local, if that matter=
s

The permissions on that partition's mount point, usually 755, changed s=
uddenly to 400. I have looked at sudo logs, root's and all admins' hist=
ory files and I can find no evidence of someone changing those permissi=
ons or of tampering with the logs.

Physical access to the box requires the right keycard; logon (ssh) acce=
ss to the box is restricted to sysadmins and support personel only; the=
root password is a 32 char long random string that lives in an encrypt=
ed repository on my iPod Touch. There are only 2 people, myself include=
d, with full sudo rights; there are another 5 people with sudo rights t=
o a number of administration things including chmod.

This is a state university and it happened on the first day of classes.

My questions:

- Did I look everywhere I should be looking to find evidence of foul pl=
ay?
- Does anyone know of anything in this setup that could trigger a seemi=
ngly spontaneous permissions change like that?

Thanks,

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
=46ax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
==================== =====
===================3D
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" =
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: "spontaneous" permissions changes

am 27.08.2009 22:22:38 von Yuri Csapo

--------------000803010002070008070409
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

Rick, thanks, that's a good suggestion; but no, I haven't installed anything lately - especially not
any RPMs, since this is a Ubuntu system ;-)

--Yuri

Rick wrote:
> In article <4A95A44A.50305@exchange.mines.edu>,
> Yuri Csapo wrote:
>
>> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked
>> at sudo logs, root's and all admins' history files and I can find no evidence of someone changing
>> those permissions or of tampering with the logs.
>
> Installed any RPMs lately?
>
> --
> http://www.spinics.net/lists/linux-admin/
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--------------000803010002070008070409
Content-Type: text/x-vcard; charset="utf-8"; name="ycsapo.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ycsapo.vcf"

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------000803010002070008070409--
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: "spontaneous" permissions changes

am 27.08.2009 22:25:21 von Yuri Csapo

--------------060302040206030801080709
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit

Franck, that's a very good idea - I'll certainly check as soon as I can. Unfortunately I just can't
umount right now. Maybe this weekend.

Thanks

--Yuri

Franck RICHARD wrote:
> If the permission change to 400 (read only), it's a security when the filesystem is corrupted, to protect it.
>
> Do a check of your Filesystem, (umount, e2fsck, mount).
>
> Maybe you can find something...
>
>
>
>
> -----Message d'origine-----
> De : linux-admin-owner@vger.kernel.org [mailto:linux-admin-owner@vger.kernel.org] De la part de Yuri Csapo
> Envoyé : mercredi 26 août 2009 23:08
> À : linux-admin
> Objet : "spontaneous" permissions changes
>
> Hi all, I have a strange situation I wish someone could help me with. This is the setup:
>
> - Virtual machine running the latest VM under ESXi
> - VM has one processor, 2 GB RAM, 1 GB swap
> - Ubuntu 8.04 LTS
> - The virtual host runs only this VM
> - Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
> - VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
> - sdc is formatted as one big ext3 partition (sdc1)
> - sdc1 is exported both as an NFS resource and a SMB share (via Samba)
> - Authentication is Kerberos and authorization is local, if that matters
>
> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked at sudo logs, root's and all admins' history files and I can find no evidence of someone changing those permissions or of tampering with the logs.
>
> Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted to sysadmins and support personel only; the root password is a 32 char long random string that lives in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full sudo rights; there are another 5 people with sudo rights to a number of administration things including chmod.
>
> This is a state university and it happened on the first day of classes.
>
> My questions:
>
> - Did I look everywhere I should be looking to find evidence of foul play?
> - Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions change like that?
>
> Thanks,
>
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone: (303) 273-3503
> Fax: (303) 273-3475
> Email: ycsapo@mines.edu
>
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--------------060302040206030801080709
Content-Type: text/x-vcard; charset="utf-8"; name="ycsapo.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ycsapo.vcf"

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------060302040206030801080709--
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: "spontaneous" permissions changes

am 27.08.2009 22:30:37 von Yuri Csapo

--------------020808050209020406040308
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

Daniel,

Thank you for your reply. Unfortunately regulations don't allow me to divulge configuration files.
What specifically were you looking for in /etc/fstab?

I will be performing the tests you suggest soon; I can't do them right now because the box is under
heavy use. Maybe this weekend.

Thanks again!

--Yuri

Daniel A. Avelino wrote:
> Yuri,
>
> could you show us your /etc/fstab file?
> Could you perform some tests, like mount this partition, list permissions so
> umount the partition and list permissions again?
>
> On Wed, Aug 26, 2009 at 6:08 PM, Yuri Csapo > wrote:
> Hi all, I have a strange situation I wish someone could help me with. This is the setup:
>
> - Virtual machine running the latest VM under ESXi
> - VM has one processor, 2 GB RAM, 1 GB swap
> - Ubuntu 8.04 LTS
> - The virtual host runs only this VM
> - Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
> - VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
> - sdc is formatted as one big ext3 partition (sdc1)
> - sdc1 is exported both as an NFS resource and a SMB share (via Samba)
> - Authentication is Kerberos and authorization is local, if that matters
>
> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked at sudo logs, root's and all admins' history files and I can find no evidence of someone changing those permissions or of tampering with the logs.
>
> Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted to sysadmins and support personel only; the root password is a 32 char long random string that lives in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full sudo rights; there are another 5 people with sudo rights to a number of administration things including chmod.
>
> This is a state university and it happened on the first day of classes.
>
> My questions:
>
> - Did I look everywhere I should be looking to find evidence of foul play?
> - Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions change like that?
>
> Thanks,
>
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone: (303) 273-3503
> Fax: (303) 273-3475
> Email: ycsapo@mines.edu
>
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster
>
>

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--------------020808050209020406040308
Content-Type: text/x-vcard; charset="utf-8"; name="ycsapo.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ycsapo.vcf"

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------020808050209020406040308--
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: "spontaneous" permissions changes

am 28.08.2009 16:09:42 von Yuri Csapo

--------------030306030507030307060300
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit

Franck, that's a very good point. I shall be asking VMware support about this.

Thanks!

Yuri

Franck RICHARD wrote:
> Hi,
>
> When you work with virtual systems, when you have the filesystem of your virtual machine corrupted,
> maybe you have only errors on the syslog of your Host and not on your virtual machine…
>
> The kernel of the virtual machine detect that she doesn't have anymore a write permission on the disk and switch the permissions…
>
> I'm not sure, but I have a similar case in the past with Xen
>
>
> De : Herta Van den Eynde [mailto:herta.vandeneynde@gmail.com]
> Envoyé : jeudi 27 août 2009 23:01
> À : ycsapo@mines.edu
> Cc : Franck RICHARD; linux-admin
> Objet : Re: "spontaneous" permissions changes
>
> Hi Franck,
>
> That sounds like a plausible theory, but I've had my share of filesystem corruptions, and they always logged errors in syslog. Does your mileage vary?
>
> Also, if this were a filesystem corruption, could Yuri have worked passed it without a filesystem check?
>
> Kind regards,
>
> Herta
> 2009/8/27 Yuri Csapo >
> Franck, that's a very good idea - I'll certainly check as soon as I can. Unfortunately I just can't umount right now. Maybe this weekend.
>
> Thanks
>
> --Yuri
>
>
> Franck RICHARD wrote:
> If the permission change to 400 (read only), it's a security when the filesystem is corrupted, to protect it.
>
> Do a check of your Filesystem, (umount, e2fsck, mount).
>
> Maybe you can find something...
>
>
>
>
> -----Message d'origine-----
> De : linux-admin-owner@vger.kernel.org [mailto:linux-admin-owner@vger.kernel.org] De la part de Yuri Csapo
> Envoyé : mercredi 26 août 2009 23:08
> À : linux-admin
> Objet : "spontaneous" permissions changes
>
> Hi all, I have a strange situation I wish someone could help me with. This is the setup:
>
> - Virtual machine running the latest VM under ESXi
> - VM has one processor, 2 GB RAM, 1 GB swap
> - Ubuntu 8.04 LTS
> - The virtual host runs only this VM
> - Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
> - VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
> - sdc is formatted as one big ext3 partition (sdc1)
> - sdc1 is exported both as an NFS resource and a SMB share (via Samba)
> - Authentication is Kerberos and authorization is local, if that matters
>
> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked at sudo logs, root's and all admins' history files and I can find no evidence of someone changing those permissions or of tampering with the logs.
>
> Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted to sysadmins and support personel only; the root password is a 32 char long random string that lives in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full sudo rights; there are another 5 people with sudo rights to a number of administration things including chmod.
>
> This is a state university and it happened on the first day of classes.
>
> My questions:
>
> - Did I look everywhere I should be looking to find evidence of foul play?
> - Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions change like that?
>
> Thanks,
>
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone: (303) 273-3503
> Fax: (303) 273-3475
> Email: ycsapo@mines.edu
>
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster
>
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone: (303) 273-3503
> Fax: (303) 273-3475
> Email: ycsapo@mines.edu
>
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster
>
>
>
> --
> "Life on Earth may be expensive,
> but it comes with a free ride around the Sun."
>

--
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone: (303) 273-3503
Fax: (303) 273-3475
Email: ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

--------------030306030507030307060300
Content-Type: text/x-vcard; charset="utf-8"; name="ycsapo.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ycsapo.vcf"

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------030306030507030307060300--
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html