On various Linux servers I see the permissions of the /etc/resolv.conf file change automatically.

In the normal state:

-r--r--r-- 1 root root 103 Jul  4 11:50 resolv.conf

In the changed state:

-r--r----- 1 root root 103 Jul  4 11:50 resolv.conf

I installed auditd to monitor it, and these are the two entries around the change:

type=PATH msg=audit(07/04/2012 12:20:02.719:303) : item=0 name=/etc/resolv.conf inode=137102 dev=fe:00 mode=file,644 ouid=root ogid=root rdev=00:00 
type=CWD msg=audit(07/04/2012 12:20:02.719:303) :  cwd=/ 
type=SYSCALL msg=audit(07/04/2012 12:20:02.719:303) : arch=x86_64 syscall=open success=yes exit=3 a0=7feeb1405dec a1=0 a2=1b6 a3=0 items=1 ppid=1585 pid=3445 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=hostid exe=/usr/bin/hostid key=(null) 

type=PATH msg=audit(07/04/2012 12:50:03.727:304) : item=0 name=/etc/resolv.conf inode=137102 dev=fe:00 mode=file,440 ouid=root ogid=root rdev=00:00 
type=CWD msg=audit(07/04/2012 12:50:03.727:304) :  cwd=/ 
type=SYSCALL msg=audit(07/04/2012 12:50:03.727:304) : arch=x86_64 syscall=open success=yes exit=3 a0=7f2bcf7abdec a1=0 a2=1b6 a3=0 items=1 ppid=1585 pid=3610 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295 comm=hostid exe=/usr/bin/hostid key=(null) 

Any ideas about the change of permissions?

FIXED: Puppet was configured and running on the server; it changed the file.

rfmoz

1 Answer

There's something wrong between your auditd log and the timing of your two ls commands.

The first line says mode=file,644 but the first ls shows the file has mode 444. The second line is consistent; mode=file,440 and the ls shows the file with mode 440.

You might want to run your experiment again, possibly automating the ls captures with something like this:

while true; do echo -n `date`" "; ls -l /etc/resolv.conf; sleep 5; done > ~/resolv-ls.log

Also check to see if there are any other entries in your auditd.log regarding resolv.conf.


It's probably also worth asking a specific question in your question, such as "What process is doing this?" or "Why does the process do this?" or "What is the appropriate ownership and mode for /etc/resolv.conf?"

Ladadadada
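The comparison made in the answer, done programmatically (an added example, not part of the original question or answer): it groups `ausearch -i`-style records by event serial, reports where the recorded mode of a path differs between consecutive events, and says whether either bracketing event was a chmod/chown-family syscall. The sample input is constructed by trimming the records quoted in the question; the function names are hypothetical.

```python
import re

# Constructed sample: the question's records in `ausearch -i` style, trimmed to the fields used.
SAMPLE = """\
type=PATH msg=audit(07/04/2012 12:20:02.719:303) : item=0 name=/etc/resolv.conf inode=137102 mode=file,644 ouid=root ogid=root
type=SYSCALL msg=audit(07/04/2012 12:20:02.719:303) : arch=x86_64 syscall=open success=yes pid=3445 comm=hostid exe=/usr/bin/hostid
type=PATH msg=audit(07/04/2012 12:50:03.727:304) : item=0 name=/etc/resolv.conf inode=137102 mode=file,440 ouid=root ogid=root
type=SYSCALL msg=audit(07/04/2012 12:50:03.727:304) : arch=x86_64 syscall=open success=yes pid=3610 comm=hostid exe=/usr/bin/hostid
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")
ATTR_SYSCALLS = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown"}

def parse_events(text):
    """Group records by event serial: {serial: {"time", "PATH": {...}, "SYSCALL": {...}}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip separators and lines that are not audit records
        rtype, stamp, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        ev = events.setdefault(int(serial), {"time": stamp})
        ev.setdefault(rtype, {}).update(fields)
    return events

def mode_transitions(text, path):
    """Return mode changes seen between consecutive events that touched `path`."""
    out, prev = [], None
    for serial, ev in parse_events(text).items():
        p, s = ev.get("PATH", {}), ev.get("SYSCALL", {})
        if p.get("name") != path or "mode" not in p:
            continue
        cur = {"serial": serial, "time": ev["time"], "mode": p["mode"].split(",")[-1],
               "syscall": s.get("syscall"), "exe": s.get("exe")}
        if prev and prev["mode"] != cur["mode"]:
            out.append({"from": prev["mode"], "to": cur["mode"],
                        "window": (prev["time"], cur["time"]),
                        "seen_by": (cur["syscall"], cur["exe"]),
                        # False: both bracketing events only observed the mode.
                        "attr_syscall_logged": bool({prev["syscall"], cur["syscall"]} & ATTR_SYSCALLS)})
        prev = cur
    return out

if __name__ == "__main__":
    for t in mode_transitions(SAMPLE, "/etc/resolv.conf"):
        print(t)
```

For the records in the question the flag is false: both events are `open` calls by `hostid`, so they only observed the mode and the call that changed it is not in the excerpt. A watch that includes attribute changes, for example `auditctl -w /etc/resolv.conf -p a -k resolv-perm` (the key name is a placeholder), records the chmod itself.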