I have some issues with files /etc/passwd and /etc/shadow. Both of them are without permissions:

```
---------- 1 root root   1357 Aug  5 11:30 passwd
---------- 1 root shadow 1175 Aug  5 11:30 shadow
```

And I don't know how this happened or why. Basically I can't edit/remove these files or change permissions when I am logged in as the root user. It ends with "Operation not permitted". E.g. when I try:

```
root@server:/etc# chmod 600 passwd
chmod: changing permissions of ‘passwd’: Operation not permitted
```

The main issue is that any logged-in user has "I have no name!@..." in the command line and I can't use "su" or run some services as another user. I guess these files should have some permissions and that's the problem. My system is Ubuntu 14.04.3 LTS with the newest updates.

Martin Sudolsky
  • What happened on the 5th August at 11:30? I'll bet that your system has been compromised. – Michael Hampton Aug 14 '15 at 01:19
  • I don't know, there are no logs from 5th August; the last one, syslog.7.gz, is from 6th August. That's possible, but I haven't noticed any abnormal behavior like high traffic, CPU load, or so, except these two files. – Martin Sudolsky Aug 14 '15 at 01:27
  • Go get maldet and scan the system. – Michael Hampton Aug 14 '15 at 01:28
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – womble Aug 14 '15 at 01:30
  • Although it's easy to close this question with the answer that the server was compromised, I would like to know if someone else ran into similar issues with these two files and if there is not any other reasonable explanation. – Martin Sudolsky Aug 14 '15 at 01:39
  • You changed the permission to remove root access? Aka, you bricked yourself – yagmoth555 Aug 14 '15 at 02:03
  • No, I haven't changed permissions for these files. Well, normally you can change permissions like `chmod 000 some_file.txt` without problems and you can change it back too. In my case I can't change permissions for passwd or shadow, even if these files are owned by root. – Martin Sudolsky Aug 14 '15 at 02:17

1 Answer

Did you try:

```
# lsattr /etc/shadow
```

What's the output of this on the command line?

If it looks like this:

```
----i-------- /etc/shadow
```

Then it is immutable and you can't edit/delete the file even as root.

You have to run:

```
chattr -i /etc/shadow
```

Now you can edit the file.
This procedure is available only if the immutable -i is showing on the file.

HBruijn
DoruH
  • Thank you very much! This helped! I removed the immutable attribute for both files via chattr, then I set permissions to 644 for passwd and 640 for shadow and finally I added the immutable attribute back. After reboot all is ok. Probably I won't know what happened to these two files or what did this, if the server was compromised, some broken update, broken virtual partition or file system. So for sure I am going to reinstall the server. – Martin Sudolsky Aug 14 '15 at 18:32
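
The `lsattr` check from the answer combined with the mode check from the question, as an added example that is not part of the original thread: a POSIX shell audit that reports an account file whose permission bits or immutable attribute are unexpected. The function names are hypothetical, the expected modes 644 and 640 are the ones the asker restored, the sample `lsattr` lines are constructed, and `--live` assumes GNU `stat -c` and `lsattr -d` are available.

```shell
#!/bin/sh
# Added example: audit /etc/passwd and /etc/shadow for the two symptoms
# seen in this thread (mode 000 and the immutable attribute).

# has_immutable "<lsattr line>": succeeds when the flag field contains 'i'.
has_immutable() {
    case ${1%% *} in            # lsattr prints "<flags> <path>"
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_entry PATH ACTUAL_MODE EXPECTED_MODE LSATTR_LINE
# Prints "PATH: ok" or "PATH: <findings>". The body runs in a subshell so
# the working variable stays local.
audit_entry() (
    findings=
    # A leading 0 makes the shell compare both modes as octal numbers.
    [ "$((0$2))" -eq "$((0$3))" ] || findings="mode=$2(expected $3)"
    if has_immutable "$4"; then
        findings="${findings:+$findings }immutable"
    fi
    echo "$1: ${findings:-ok}"
)

# audit_file PATH EXPECTED_MODE: the same check against the live file.
audit_file() (
    mode=$(stat -c '%a' "$1") || exit 2
    # lsattr fails on file systems without attribute support; treat the
    # file as having no flags in that case.
    line=$(lsattr -d "$1" 2>/dev/null) || line="- $1"
    audit_entry "$1" "$mode" "$2" "$line"
)

if [ "${1:-}" = --live ]; then
    audit_file /etc/passwd 644
    audit_file /etc/shadow 640
else
    # Constructed sample mirroring the state described in the thread.
    audit_entry /etc/passwd 0 644 '----i-------- /etc/passwd'
    audit_entry /etc/shadow 0 640 '----i-------- /etc/shadow'
fi
```

An immutable finding on these files that no administrator set deliberately is worth recording before it is cleared, since the attribute itself is evidence of what touched the system.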