
Re: SV: Ext3 destroying ownerships and permissions



There are so many "layers" involved in analyzing this sort of problem,
there must be a reasonable, systematic approach to rule out things that
may be going on at other "layers."

Other potential variables, which may or may not apply to you, this is
just speculation:  NIS weirdness (or LDAP), NFS UID mapping problems,
trojan executables or buffer overrun exploits.  If you are using NIS or
LDAP for anything, I would suspect that as a strong potential source of
the problem--maybe there are some "conflicts" between the local files
and the network maps, or sometimes the "connection" to the NIS or LDAP
server is "lost", e.g. due to network overload such as a DoS attack.  If the
ext3 is being accessed over NFS I would wonder about that too.  I have
been seeing some weirdness with NFS and/or NIS between Red Hat 7.0
systems with 2.2.19 kernel and Red Hat 7.1 systems with 2.4 kernel and
different nfs-utils.

Attempted RPC exploits against an NFS server could probably cause
mysterious UID and permission changes.  Someone could be trying to give
SUID root to an executable or script file through a buffer overrun.  I
have seen strange and unpredictable things happen when buffer overrun
exploits are run on a system, for example system clock getting reset to
apparently random times, so file ownership and permissions changes are
not inconceivable.

Andreas Dilger wrote:
> Like Stephen says, it is very unusual that something would corrupt only
> the UID and mode.  Are you sure there are no scripts running, files
> being restored from backup, or other user-space activity which might
> change the UID and mode?  Nobody messing with the /etc/passwd file?

-- 
"Jonathan F. Dill" (dill umbi umd edu)
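
One way to rule out the local-files-versus-network-map layer mentioned in the message above, as an added example that is not part of the original post: compare passwd-format text from both sources and report names that resolve to different UIDs and UIDs that resolve to different names. The sample data and function names are constructed; on a real system the two inputs would come from /etc/passwd and a dump of the network map (for example `ypcat passwd`), which is an assumption about the setup.

```python
# Added example; all account data below is constructed for illustration.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
"""

# Constructed stand-in for a dump of the NIS/LDAP passwd map.
NETWORK_PASSWD = """\
alice:x:1500:1500:Alice:/home/alice:/bin/bash
carol:x:501:501:Carol:/home/carol:/bin/bash
dave:x:502:502:Dave:/home/dave:/bin/bash
"""


def parse_passwd(text):
    """Return {name: uid} from passwd-format text, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue  # blank line, comment, or NIS compat marker
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        entries.setdefault(fields[0], int(fields[2]))  # first entry wins
    return entries


def find_conflicts(local, network):
    """Return (name_conflicts, uid_conflicts) between two {name: uid} maps."""
    # Same login name, different UID: files owned by one appear foreign to the other.
    name_conflicts = sorted(
        (name, local[name], network[name])
        for name in local.keys() & network.keys()
        if local[name] != network[name]
    )
    # Same UID, different login name: ownership appears to "change" in ls output.
    local_by_uid = {}
    for name, uid in local.items():
        local_by_uid.setdefault(uid, set()).add(name)
    uid_conflicts = []
    for name, uid in network.items():
        others = local_by_uid.get(uid, set()) - {name}
        if others:
            uid_conflicts.append((uid, sorted(others), name))
    return name_conflicts, sorted(uid_conflicts)
```

An empty result from both lists rules out a static mapping conflict; it does not rule out the lost-connection case, where lookups fall back to local files only while the server is unreachable.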




