carlos123 Guru
Joined: 12 Feb 2003 Posts: 536 Location: Alberta, Canada.
Posted: Sat Mar 08, 2003 11:23 am Post subject: Who or what is user 500??
I have noticed that sometimes I end up with a user by the name of "500" as in the following output...
Code: |
root@pine [/mnt/temp]
# ls -la
total 9
drwxrwxrwt 3 root root 4096 Mar 7 17:37 .
drwxr-xr-x 6 root root 144 Feb 23 12:08 ..
drwxrwxrwt 27 500 500 4096 Mar 8 2003 carlos
root@pine [/mnt/temp]
|
Who or what is user "500"??
Anybody know?
Thanks.
Carlos
mvr_rennes Apprentice
Joined: 23 Oct 2002 Posts: 155
Posted: Sat Mar 08, 2003 12:14 pm Post subject:
try
Code: |
grep 500 /etc/passwd
|
In my passwd file, it's me
Cheers,
M
rtn Guru
Joined: 15 Nov 2002 Posts: 427
Posted: Mon Mar 10, 2003 8:17 pm Post subject:
Generally, adduser starts with uid 500, so it's likely to be the first account
generated on a system if you use adduser. It's also possible to get files owned
by uid 500 if you untar something that was owned by uid 500.
--rtn
elzbal Guru
Joined: 31 Aug 2002 Posts: 364 Location: Seattle, WA, USA
Posted: Mon Mar 10, 2003 8:47 pm Post subject:
In this case, it seems likely that the user was created, gained ownership over some files (such as the 'carlos' directory), and was deleted. This would produce the output seen above.
The command 'ls -l' looks up the userid and groupid numbers in the /etc/passwd and /etc/group files, and converts those to more friendly names. In the case where the userid or groupid does not exist in the aforementioned files, it will simply display the userid or groupid numbers themselves.
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Mon Mar 10, 2003 9:12 pm Post subject:
File listings with UID numbers instead of usernames can also come from packaged files (zip or tar), where the users saved in the package do not exist on the system where it is unpacked.
Therefore, you should always check for this after unpackaging an archive from another machine, as this can be a security hazard.
Imagine user foo (UID 502), member of group root (GID 0) on system A packaging a file:
-rwSrwsr-- foo root script.sh
or
-rwSrwsr-- 502 0 script.sh
User bar unpacking it to /tmp on system B , where UID 502 maps to another user (baz), resulting in:
-rwSrwsr-- baz root script.sh
User bar helped user baz to a SUID root executable lying around in /tmp...
_________________
Please put [SOLVED] in your topic if you are a moron.
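Added example (not part of nephros's post or of the thread): a pre-extraction check that lists archive members carrying setuid/setgid bits, GID 0, or a UID that is missing locally or maps to a different local name. The sample archive and the account mapping {500: "carlos", 502: "baz"} are constructed to mirror the script.sh case above; build_sample_archive, local_accounts and audit_archive are names chosen for this example.

```python
import io
import stat
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample: the thread's script.sh (UID 502, GID 0, -rwSrwsr--)."""
    members = [  # (name, uid, uname, gid, gname, mode)
        ("carlos/notes.txt", 500, "carlos", 500, "carlos", 0o644),
        ("carlos/script.sh", 502, "foo", 0, "root", 0o6674),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, uname, gid, gname, mode in members:
            data = b"#!/bin/sh\n"
            info = tarfile.TarInfo(name)
            info.uid, info.uname, info.gid, info.gname = uid, uname, gid, gname
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def local_accounts() -> dict:
    """UID -> login name on this machine (Unix only)."""
    import pwd
    return {p.pw_uid: p.pw_name for p in pwd.getpwall()}

def audit_archive(fileobj, accounts: dict) -> list:
    """List (member, reason) pairs to review before unpacking with ownership kept."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if m.gid == 0:
                findings.append((m.name, "group is GID 0"))
            local = accounts.get(m.uid)
            if local is None:
                # ls -l would show the bare number for this owner after unpacking
                findings.append((m.name, f"UID {m.uid} has no local account"))
            elif m.uname and m.uname != local:
                findings.append((m.name, f"UID {m.uid} is {m.uname!r} in archive, {local!r} here"))
    return findings

if __name__ == "__main__":
    sample = io.BytesIO(build_sample_archive())  # constructed input, not a real archive
    for name, reason in audit_archive(sample, {500: "carlos", 502: "baz"}):
        print(f"{name}: {reason}")
```

For a real archive, open it in binary mode and pass local_accounts() as the mapping; when extracting with GNU tar as root, --no-same-owner and --no-same-permissions keep the archive's owners and mode bits from being restored.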
elzbal Guru
Joined: 31 Aug 2002 Posts: 364 Location: Seattle, WA, USA
Posted: Mon Mar 10, 2003 9:20 pm Post subject:
nephros wrote: |
User bar helped user baz to a SUID root executable lying around in /tmp... |
That's rather brilliant... I never thought of that usage before. That also seems to make for a *very* wide-open security hole... all an individual needs is root access on any computer (possibly of the same OS type) to exploit this. What do various operating systems (Linux, BSD, Solaris, etc.) do to prevent this type of attack?