
Please forgive me if this is the wrong place to ask this, but I ran ls -l on an ubuntu machine today in /etc and found a few entries like the following middle entry which appears to have spaces in front of the GID.

-rw-r--r-- 1 root root      92 Apr  9 11:10 host.conf
-rw-r--r-- 1 root   1002    25 Aug 13 05:26 hostname
-rw-r--r-- 1 root root     116 Aug 13 05:26 hosts

Tried to run a few different commands to get the group name from the GID like:

getent group %20%201002 | cut -d: -f1

and

getent group \ \ 1002 | cut -d: -f1

But nothing.

Read up a little on Linux GIDs and POSIX says this shouldn't be possible.

Is this something to be concerned about security-wise?

And can someone perhaps offer an explanation?

Google doesn't seem to know anything about this.

Thanks in advance.

gowenfawr
uofc

1 Answer


That hostname file is owned by group ID 1002, and there is no entry in /etc/group mapping any group name to GID 1002, so ls -l simply shows the group number instead of a name. And when a bare GID is displayed, unlike a named group, it is right-justified, making it look like it has leading spaces compared to any longer group names. Here you can see with three files that I created and gave user/group ownerships that would demonstrate this:

$ ls -l foo*
-rw-r--r-- 1 gowenfawr          1002 0 Aug 23 01:29 foo
-rw-r--r-- 1 systemd-resolve nogroup 0 Aug 23 01:30 foo2
-rw-r--r-- 1 gowenfawr       cdrom   0 Aug 23 01:33 foo3
$

There's no particular security concern here, except perhaps that somehow your /etc/hostname file got its group ownership changed. You might want to search for any users which belong to that group:

$ awk -F: '$4 == 1002 {print $0}' /etc/passwd

and you might want to search for other files with that group ownership:

$ find /etc -gid 1002 -ls
   136023      4 -rw-r--r-- 1 root   1002    25 Aug 13 05:26 /etc/hostname

If you were to find that, say, /etc/passwd and /etc/shadow were owned by 1002, that would likely indicate a serious security concern.

If, as you comment, /etc/resolv.conf and /etc/network/interfaces are also owned by that group, then you almost certainly have a DHCP client or other network manager that is managing those files and setting the group ownership to 1002 when it updates them, likely in response to a configuration file that says to use GID 1002. A blunt way to check for this would be

$ grep -r 1002 /etc/*

but that may have a false positive or two. If you find a networky named config file with an entry like "group = 1002" then that's your culprit :)

gowenfawr
  • Loving your edits and updates on this; extremely educational answer so far. – uofc Aug 23 '18 at 01:45
  • No other users belonging to group, but /resolv.conf and /network/interfaces both have the same permissions. Does that look normal as well? Thanks again for your help. – uofc Aug 23 '18 at 01:48
  • @uofc glad to help :). If this works for you, you can upvote it and mark it as the accepted answer. And if you find that config file please comment so I can add that to the answer! – gowenfawr Aug 23 '18 at 02:08
  • Right on! Huge help so far. Output from grep found this: /etc/rpc:sgi_fam 391002. Look familiar? Thank you again in advance. Marking this awesome solution as answered right now. – uofc Aug 23 '18 at 02:51
  • @uofc `/etc/rpc` is the Remote Procedure Call mapping file - like /etc/group, but for RPC programs instead of for user groups. So, no, that's not something that would affect file ownership of the network files. – gowenfawr Aug 23 '18 at 03:05
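The checks from the answer above, collected into small shell functions as an added example (not code from the question or the answer). It runs against constructed passwd, group and config files under a temporary directory, so the GID, user names and the `sgi_fam 391002` line are made up; `-w` on the grep is what keeps a number such as 391002 from matching a search for 1002.

```shell
#!/bin/sh
# Added example: triage an unmapped GID using constructed sample files
# so it runs offline. $TMPD and every value below are made up.
TMPD=$(mktemp -d)
mkdir -p "$TMPD/etc"
cat > "$TMPD/group" <<'EOF'
root:x:0:
cdrom:x:24:alice
netdev:x:108:alice,bob
EOF
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1002:Bob:/home/bob:/bin/bash
EOF
printf 'sgi_fam\t\t391002\n' > "$TMPD/etc/rpc"                 # contains 1002 as a substring only
printf 'interface eth0\ngroup = 1002\n' > "$TMPD/etc/net.conf"  # a genuine reference to GID 1002

# gid_name GID GROUPFILE: group name for GID, or "(none)" when there is no entry
gid_name() {
    name=$(awk -F: -v g="$1" '$3 == g { print $1; exit }' "$2")
    printf '%s\n' "${name:-(none)}"
}

# primary_members GID PASSWDFILE: users whose primary (login) group is GID
primary_members() {
    awk -F: -v g="$1" '$4 == g { print $1 }' "$2"
}

# supplementary_members GID GROUPFILE: users listed in GID's member field
supplementary_members() {
    awk -F: -v g="$1" '$3 == g && $4 != "" { n = split($4, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$2"
}

# gid_refs GID DIR: config lines naming GID as a whole word (-w), so a
# longer number that merely contains the digits is not reported
gid_refs() {
    grep -rnw -- "$1" "$2" 2>/dev/null
}

# files_with_gid GID DIR: files under DIR whose group is GID (the answer's find)
files_with_gid() {
    find "$2" -gid "$1" 2>/dev/null
}

echo "GID 1002 maps to: $(gid_name 1002 "$TMPD/group")"
echo "primary members:  $(primary_members 1002 "$TMPD/passwd")"
echo "config references:"; gid_refs 1002 "$TMPD/etc"
```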