0

I have some issues with files /etc/passwd and /etc/shadow. Both of them are without permissions:

```
---------- 1 root root   1357 Aug  5 11:30 passwd
---------- 1 root shadow 1175 Aug  5 11:30 shadow
```

And I don't know how this happened or why. Basically I can't edit/remove these files or change permissions when I am logged in as the root user. It ends with "Operation not permitted". E.g. when I try:

```
root@server:/etc# chmod 600 passwd
chmod: changing permissions of ‘passwd’: Operation not permitted
```

The main issue is that any logged-in user has "I have no name!@..." in the command line and I can't use "su" or run some services as another user. I guess these files should have some permissions and that's the problem. My system is Ubuntu 14.04.3 LTS with the newest updates.

Martin Sudolsky
  • What happened on the 5th August at 11:30? I'll bet that your system has been compromised. – Michael Hampton Aug 14 '15 at 01:19
  • I don't know, there are no logs from 5th August, the last one, syslog.7.gz, is from 6th August. That's possible but I haven't noticed any abnormal behavior like high traffic, CPU load, or so, except these two files. – Martin Sudolsky Aug 14 '15 at 01:27
  • Go get maldet and scan the system. – Michael Hampton Aug 14 '15 at 01:28
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – womble Aug 14 '15 at 01:30
  • Although it's easy to close this question with the answer that the server was compromised, I would like to know if someone else ran into similar issues with these two files and if there is not any other reasonable explanation. – Martin Sudolsky Aug 14 '15 at 01:39
  • You changed the permission to remove root access? Aka, you bricked yourself – yagmoth555 Aug 14 '15 at 02:03
  • No, I haven't changed permissions for these files. Well, normally you can change permissions like `chmod 000 some_file.txt` without problems and you can change it back too. In my case I can't change permissions for passwd or shadow, even if these files are owned by root. – Martin Sudolsky Aug 14 '15 at 02:17

1 Answer

4

Did you try:

```
# lsattr /etc/shadow
```

What's the output of this on the command line?

If it looks like this:

```
----i-------- /etc/shadow
```

Then it is immutable and you can't edit/delete the file even as root.

You have to run:

```
chattr -i /etc/shadow
```

Now you can edit the file.
This procedure is available only if the immutable -i is showing on the file.

HBruijn
DoruH
  • Thank you very much! This helped! I removed the immutable attribute for both files via chattr, then I set permissions to 644 for passwd and 640 for shadow and finally I added the immutable attribute back. After reboot all is OK. Probably I won't know what happened to these two files or what did this, whether the server was compromised, some broken update, a broken virtual partition or file system. So for sure I am going to reinstall the server. – Martin Sudolsky Aug 14 '15 at 18:32
  • Just to add to my bookmark, I could not change password/add user due to my attr being `-----a--------e----- /etc/shadow`. I used `sudo chattr -a /etc/shadow` to remove the append-only mode attribute. It works now. – Suraj Mandal Aug 13 '23 at 19:31
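
A small audit for the two symptoms discussed in this thread, zeroed mode bits and the `i`/`a` file attributes, added here as an example and not part of the original posts. The function names are made up for this sketch, the sample `lsattr` lines are the ones quoted above, and the expected modes (644 and 640) are the ones the asker restored.

```shell
#!/bin/sh
# Added example: check account files for write-blocking attributes and odd modes.
# Assumes GNU stat and e2fsprogs lsattr, as found on Ubuntu.

# Print which write-blocking attributes appear in one line of lsattr output.
# Only the flag field (first word) is inspected, so letters in the path
# (the "a" in /etc/passwd) are never mistaken for attributes.
blocking_attrs() {
    ba_flags=${1%% *}
    ba_out=""
    case $ba_flags in *i*) ba_out="immutable" ;; esac
    case $ba_flags in *a*) ba_out="${ba_out:+$ba_out,}append-only" ;; esac
    printf '%s\n' "${ba_out:-none}"
}

# Compare an octal mode string with the expected one.
mode_status() {   # $1 = actual mode, $2 = expected mode
    if [ "$1" = "$2" ]; then
        echo ok
    else
        echo "mode $1, expected $2"
    fi
}

# Report on a real file. Usage as root: audit /etc/passwd 644; audit /etc/shadow 640
audit() {         # $1 = path, $2 = expected mode
    au_mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 1; }
    if au_line=$(lsattr -d "$1" 2>/dev/null); then
        au_attrs=$(blocking_attrs "$au_line")
    else
        au_attrs="unknown (lsattr failed or unsupported filesystem)"
    fi
    echo "$1: $(mode_status "$au_mode" "$2"); attributes: $au_attrs"
}

# Demo on the lsattr lines quoted in this thread (no root needed).
for sample in '----i-------- /etc/shadow' '-----a--------e----- /etc/shadow'; do
    echo "$sample -> $(blocking_attrs "$sample")"
done
```

A mode of 000 shows up in the `audit` output as `mode 0`, because `stat -c '%a'` prints the octal value without leading zeros.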