Hi rosel,

On Thu, Jun 17, 2010 at 3:42 PM, k0l0s0s <[email protected]> wrote:
> Try to check the sshd_config if the following parameter is set:
>
>  AllowUsers    root
>
> This will limit to only allow root access on the ssh service. config for sshd
> can be found at /etc/ssh/sshd_config

No, that's not there.  No AllowUsers list at all.  And anyway, it's
not limited to ssh.  Once I'm ssh'ed in as root, I can't run any other
program as a regular user either.

Holden suggested trying another shell.  I created a user with
/bin/dash as his shell (also tested with /bin/sh)

strace -ff su -c /bin/ls test

has, (toward the end)

...

setuid32(1001)                          = 0
close(3)                                = 0
clone(Process 23389 attached (waiting for parent)
Process 23389 resumed (parent 23386 ready)
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x4001eaa8) = 23389
[pid 23389] execve("/bin/dash", ["dash", "-c", "/bin/ls"], [/* 21 vars
*/] <unfinished ...>
[pid 23389] +++ killed by SIGKILL +++
--- SIGCHLD (Child exited) @ 0 (0) ---

so the user's shell (defined in /etc/passwd) is used to execute the
/bin/ls command and I get the same behavior.

I suppose it's possible that the machine has been cracked.  It's in
the DMZ, it's Jaunty (so a bit old).  Although I have:

Chain INPUT (policy DROP)

and the only ports that Shields Up can see (because I don't want to
run nmap against it from my work desktop :-) are the ssh and openvpn
ports.

I also have UDP ports 67 and 68 open for dnsmasq.  Shields Up says
those are stealthed.  I'm not clear though on how to secure those.
They're used for DHCP and at that point, there are no IP addresses yet
to filter against.  And my understanding is that DHCP only works
within the same subnet since there are no IP addresses (MAC addresses
don't get you beyond your router).

tiger


--
Gerald Timothy Quimpo http://bopolissimus.blogspot.com
[email protected] [email protected]

Even Tom Lane said: "Or, if you're worried
about actions from functions, use a trigger
to do the logging.  There are approximately
no cases where a rule is really better than
a trigger :-( "
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
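The strace excerpt in the message above is the key evidence: after `setuid32(1001)` the child is killed by SIGKILL at the moment it calls `execve("/bin/dash", ...)`, before the user's shell ever runs. When an `strace -ff` log is long, picking that out by eye is tedious, so here is a small POSIX sh/awk helper that reads strace output and reports every traced pid that died from a signal together with the last syscall it was seen entering. This is an added example, not code from the thread or from any tool mentioned in it; the sample log embedded below is constructed to mirror the excerpt in the message (same pids, syscalls and signal), not captured from the box.

```shell
#!/bin/sh
# Constructed sample of `strace -ff su -c /bin/ls test` output, shaped like the
# excerpt in the message: the parent does setuid32()/clone(), the child (pid
# 23389) is killed by SIGKILL while entering execve() of the user's shell.
STRACE_SAMPLE='setuid32(1001)                          = 0
close(3)                                = 0
clone(Process 23389 attached (waiting for parent)
Process 23389 resumed (parent 23386 ready)
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x4001eaa8) = 23389
[pid 23389] execve("/bin/dash", ["dash", "-c", "/bin/ls"], [/* 21 vars
*/] <unfinished ...>
[pid 23389] +++ killed by SIGKILL +++
--- SIGCHLD (Child exited) @ 0 (0) ---'

# killed_procs: read strace -ff output on stdin and print one line per process
# that was killed by a signal, in the form "<pid> <signal> <last syscall>".
# Lines without a "[pid N]" prefix belong to the main traced process, which
# strace does not label, so they are tracked under the key "main".
killed_procs() {
    awk '
    {
        pid = "main"; line = $0
        # Strip the "[pid N] " prefix strace adds once more than one process is traced.
        if (line ~ /^\[pid [0-9]+\] /) {
            pid = $2; sub(/\]$/, "", pid)
            sub(/^\[pid [0-9]+\] /, "", line)
        }
        # "+++ killed by SIGxxx +++" marks a process that died from a signal;
        # report it with the most recent syscall recorded for that pid.
        if (line ~ /^\+\+\+ killed by /) {
            split(line, f, " ")
            printf "%s %s %s\n", pid, f[4], (pid in last ? last[pid] : "unknown")
            next
        }
        # Remember the syscall name at the start of an ordinary trace line
        # (continuation lines such as "child_stack=0, ..." do not match).
        if (match(line, /^[A-Za-z_][A-Za-z_0-9]*\(/)) {
            last[pid] = substr(line, RSTART, RLENGTH - 1)
        }
    }'
}

# Run over the constructed sample when executed directly; in real use, pipe in
# the concatenated -ff output, e.g.:  cat strace.out.* | sh this_script.sh
printf '%s\n' "$STRACE_SAMPLE" | killed_procs
```

On the sample this prints `23389 SIGKILL execve`, i.e. the child died inside the execve of /bin/dash, which matches what the message describes: the failure is at exec time of any non-root process, not something specific to ssh or to a particular shell.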
