<html><head></head><body>Someone was justifiably fired who had full root sudo and I realized the scale of the environment made old method checks impossible. Still have to do a full audit of all root level scripts and crontabs (go git!). A fast and dirty fix was a total account purge.<br><br>
What I'm really looking for is a way to not allow ANY file to be executed without regard to any chmod setting that has an owner with only UID and no username.<br><br>
Said a different way, file execution requires owner name matching owner UID and execute bit set. So ownername NULL will always fail.<br><br>
If other people are using anything he wrote, they are totally incompetent idiots and will soon be joining him in the soup line. Since all the other people were complaining about having to work with him, I doubt they trusted anything he did.<br><br>
<div class="gmail_quote">On February 13, 2022 12:48:43 PM EST, Bob Toxen via Ale <ale@ale.org> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Sure it would be runnable, by anyone if its permissions include<br>the 001 bit being set. This is trivial to prove by:<br><br> su<br> cd ~<br> cp /bin/date zdate<br> chmod 001 zdate<br> chown 80 zdate<br> su notroot<br> ./zdate<br><br>If you fear that your system has been hacked then refer to my book's<br>chapters on recovering from hacks.<br><br>Bob<br><br>On Sat, Feb 12, 2022 at 08:03:43PM -0500, Jim Kinney via Ale wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">I'm 99.8% convinced that a binary or script owned by just a userID<br>number formerly associated with a deleted user can not be run by anyone<br>but root unless set chmod 755. Cron should fail as there's no entry<br>in passwd or ldap so no defined shell (and no crontab for the user<br>was found).<br></blockquote><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Can't readily browse up a link that explains operation on a deleted<br>user binary.<br></blockquote><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">-- <br>Computers amplify human error<br>Super computers are really cool<br></blockquote><hr>Ale mailing list<br>Ale@ale.org<br><a href="https://mail.ale.org/mailman/listinfo/ale">https://mail.ale.org/mailman/listinfo/ale</a><br>See JOBS, ANNOUNCE and SCHOOLS lists at<br><a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br></pre></blockquote></div><br>-- <br>Computers amplify human error<br>Super computers are really cool</body></html>
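The kernel checks only mode bits and numeric IDs, so a file like Bob's zdate (owner UID 80, mode 001) stays runnable after the account is gone; the practical defence is to find such files. This added audit script is example code, not from the thread or any ALE member: it walks a tree and reports regular files that have any execute bit set and whose owner UID has no passwd/NSS entry. It assumes Python 3 on a POSIX host; the demo() helper builds a constructed temp directory and treats every UID as unmapped, because chowning to a deleted UID needs root.

```python
import os, pwd, shutil, stat, sys, tempfile
from typing import Callable, Iterator, List, NamedTuple

class Finding(NamedTuple):
    path: str
    uid: int
    mode: str         # permission bits, e.g. "0001"
    world_exec: bool  # the 001 bit Bob's demonstration relies on

def uid_has_name(uid: int) -> bool:
    """True when getpwuid() (files, LDAP, ... through NSS) knows this UID."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

def is_orphaned_executable(mode: int, uid: int,
                           known: Callable[[int], bool] = uid_has_name) -> bool:
    """Regular file, any execute bit set, owner UID that no account maps to."""
    return stat.S_ISREG(mode) and bool(mode & 0o111) and not known(uid)

def audit_tree(root: str,
               known: Callable[[int], bool] = uid_has_name) -> Iterator[Finding]:
    """Walk root without following symlinks and yield orphaned executables."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip, don't abort the audit
            if is_orphaned_executable(st.st_mode, st.st_uid, known):
                yield Finding(path, st.st_uid, f"{stat.S_IMODE(st.st_mode):04o}",
                              bool(st.st_mode & stat.S_IXOTH))

def demo() -> List[Finding]:
    """Constructed sample: mode-001 and mode-644 files, all UIDs treated as unmapped."""
    tmp = tempfile.mkdtemp()
    try:
        for name, mode in (("zdate", 0o001), ("notes.txt", 0o644)):
            open(os.path.join(tmp, name), "w").close()
            os.chmod(os.path.join(tmp, name), mode)
        return list(audit_tree(tmp, known=lambda _uid: False))
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":  # usage: python audit_orphans.py /path/to/tree
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{f.mode} uid={f.uid} world_exec={f.world_exec} {f.path}")
```

On a single host, GNU find's `-nouser -perm /111` gives the same list quickly; the script is for running the check the same way across a large environment and keeping the findings as structured records.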