1

Recently one of my Gentoo linux servers, which has been working happily for quite a few years suddenly stopped responding to BASH commands that I commonly issue it. Very basic commands such as rc-update, or check my iptables configuration status. Now after a few minutes of sleuthing, I discovered that it was because my $PATH variable no longer referenced /sbin/ or /usr/sbin/. Now this seemed like a trivial fix, but strange that it should happen out of the blue like that.

Now where this is where it gets a little strange: I just logged into the OTHER Gentoo server located on the same facility, and suddenly it has the same issue. Both /sbin/ and /usr/sbin are gone from the $PATH env variable. I am the only person in the wheel group, and the only person with even sudo access to either of these systems. One of them is accessible via SSH, but there is no record of anyone su'ing to root or sudoing at a time when I know it wasnt me. And I certanly can not think of anything else that could have changed this.

I guess I have two questions here:
1) Is it possible that this is some sort of breakin where someone did something malicious and this is just a symptom of what they have done? If so what should I look for.
2) If this is benign, then can anyone suggest a permanent fix for this, and more importantly a reasonable explanation of how this could happen to a server that is not being modified by anyone with permissions to change system files?

Now I use Gentoo for servers at my house as well, a multitude of desktops, and this laptop I'm writing this on right now. None of these systems have experienced similar issues, some have been updated, others have not. But none have experienced this sort of problem. This is what makes me suspicious of the two servers that have experienced this issue a month or so apart.

Thank you in advance for any help you can provide me with

dynamphorous
  • 276
  • 1
  • 2
  • 13
  • Check in `/etc/profile` if your desired directories are set in $PATH there. Also run `sudo etc-update`, this might've been caused by some config files not updated after updating some packages (`openrc` perhaps). – Rob Wouters Jan 27 '12 at 22:13
  • Have you done something simple like a find of `/etc` to with the `-mtime` option to see what has changed in the last couple days? – Zoredache Jan 27 '12 at 22:36
  • Its even stranger, since /etc/profile DOES contain the correct variables for the $ROOTPATH.... So why does my shell not have those variables set? I can do **source /etc/profile**, and it shows up, but then if I close the root shell, then su to it again the $PATH variable looses the data that was there after the source command. – dynamphorous Jan 27 '12 at 23:12
  • Look at the profile in your home directory, are you sure you haven't over-written anything? – Zoredache Jan 27 '12 at 23:33
  • There is no .bashrc file for root at this moment. This is not uncommon however, none of my other systems have a .bashrc file for root either, but it doesn't override the default $PATH variable. – dynamphorous Jan 28 '12 at 19:23
  • One other interesting note.. If I **su** to root, the path variable is only set to **/usr/local/bin:/usr/bin:/bin**. Now this is not because it inherited it from the normal user I su'ed from, that user DOES have a complete $PATH variable. However if I use **su -** then it works correctly and I have a full $PATH variable. Now whats strange here is that it changed so suddenly to require that to su to root and be able to run most commands. Very odd – dynamphorous Jan 28 '12 at 19:29

0 Answers0