Re: Group permissions changed
From: Jan Slupski (jslupski_at_juljas.net)
Date: Fri, 30 Sep 2005 01:41:43 +0200 (CEST) To: email@example.com
On Thu, 29 Sep 2005, joop gerritse wrote:
> On Wednesday 28 September 2005 20:33, firstname.lastname@example.org wrote:
>> I posted this before on the security basics, but haven't recieved a
>> response, and it worries me a bit, so I'm sending this to a few other
>> groups in hopes that someone will have an idea about it.
>> Fairly recently I noticed my ftp client wouldn't list files in certain
>> directories on my server anymore - so I ssh'd in (it's dedicated), and did
>> a ls -aFl on the files, hoping to see what the problem was - here are a few
>> of the results:
>> -rw-r--r-- 1 larry 503 371 2005-02-25 08:36 head.php
>> -rw-r--r-- 1 larry 48 873 2005-09-09 03:23 foot.php
>> I never set the group ids to 503 or 48, so I checked just to make sure -
>> and no groups with those ids even exist. Is there an exploit/tool that
>> causes this, and should I be worried?
> I seem to remember that tar preserves group numbers when unpacking an archive,
> but I cannot check it right now.
It does if you are member of that group, or unpacking as root.
But 'larry' cannot be a member of nonexisting group.
And if the archive was unpacked by root, why the owner would be right
(I assume 'larry' is expected owner of the file) if the group numbers
_ _ _ _ _____________________________________________
| |_| |\ | S L U P S K I email@example.com
|_| | | | \| http://juljas.net/