pearmana@prlhp1.prl.philips.co.uk (Andy Pearman) (06/12/91)
A couple of weeks ago I upgraded my HP9000-350 to HP-UX6.5

Today I noticed a couple of odd processes (see below) running owned by
root, apparently going through the filesystem and doing something with
acl's for uids 248 and 251. These uids in fact belonged to two users
that I deleted earlier today.

I notice that the processes appear to have been started by init, though
I find no references in inittab.

Is this something new, and if so what's going on ?

     UID   PID  PPID  C    STIME TTY      TIME COMMAND
    root     1     0  0   Jun  5 ?        0:39 /etc/init
    root 10497 10496 10 15:28:55 ttyp5    3:58 find / -acl opt -a ( ! -user 248 ) -a -acl 248.* -print
    root 10496     1  0 15:28:54 ttyp5    0:00 xargs chacl -d 248.*
    root 10452     1  0 15:25:26 ttyp5    0:00 xargs chacl -d 251.*
    root 10453 10452  8 15:25:26 ttyp5    4:30 find / -acl opt -a ( ! -user 251 ) -a -acl 251.* -print

Andy.
--
Andy Pearman, Computer Dept, Philips Research Labs, Redhill, Surrey, England.
pearmana@prl.philips.co.uk

rodean@hpfcdc.HP.COM (Bruce Rodean) (06/14/91)
In article <1356@prlhp1.prl.philips.co.uk> pearmana@prlhp1.prl.philips.co.uk (Andy Pearman) writes:
> A couple of weeks ago I upgraded my HP9000-350 to HP-UX6.5
>
> Today I noticed a couple of odd processes (see below) running owned by
> root, apparently going through the filesystem and doing something with
> acl's for uids 248 and 251. These uids in fact belonged to two users
> that I deleted earlier today.
>
> I notice that the processes appear to have been started by init, though
> I find no references in inittab.
>
> Is this something new, and if so what's going on ?

You probably used SAM to remove those users, right? It looks to me like
the finds are traversing through the filesystem looking for files that
have optional ACL entries for those users. Those file names are being
piped into xargs commands such that chacl is called to delete any ACL
entries for those users.

If you never converted your system into a trusted system, these commands
would not do anything.

Bruce Rodean
rodean@hpfclg.fc.hp.com

aalcorn@hpcc01.HP.COM (Albert Alcorn) (06/14/91)
>Today I noticed a couple of odd processes (see below) running owned by
>root, apparently going through the filesystem and doing something with
>acl's for uids 248 and 251. These uids in fact belonged to two users
>that I deleted earlier today.

These are probably the commands to remove all files belonging to these
users. I think that reconfig had an option to do this. The find is
searching the entire file system to remove any file owned by these users.

>I notice that the processes appear to have been started by init, though
>I find no references in inittab.

They were not started by init, but init owns them now. nohup will cause
this to happen.

> Andy.
>--
>
>Andy Pearman, Computer Dept, Philips Research Labs, Redhill, Surrey, England.
> pearmana@prl.philips.co.uk
>----------

Albert Alcorn
albert@hpprsd1.hp.com

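The question of whether init started these processes or merely adopted them can be checked against the listing itself. The following is an added example, not code from any poster in this thread: it parses the ps output from the first post and flags root processes whose parent is PID 1 but which still show a terminal in the TTY column. The function names and the TTY test are assumptions of this example, and the TTY test is a triage heuristic rather than proof of origin.

```python
import re

# ps listing copied from the first post in this thread.
PS_LISTING = """\
UID    PID  PPID  C    STIME TTY    TIME COMMAND
root     1     0  0   Jun  5 ?      0:39 /etc/init
root 10497 10496 10 15:28:55 ttyp5  3:58 find / -acl opt -a ( ! -user 248 ) -a -acl 248.* -print
root 10496     1  0 15:28:54 ttyp5  0:00 xargs chacl -d 248.*
root 10452     1  0 15:25:26 ttyp5  0:00 xargs chacl -d 251.*
root 10453 10452  8 15:25:26 ttyp5  4:30 find / -acl opt -a ( ! -user 251 ) -a -acl 251.* -print
"""

# STIME is "HH:MM:SS" for recent processes but "Mon DD" (two tokens) for
# older ones, so a plain split() would shift the columns for /etc/init.
ROW = re.compile(
    r"^\s*(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<c>\d+)\s+"
    r"(?P<stime>\d\d:\d\d:\d\d|[A-Z][a-z]{2}\s+\d{1,2})\s+"
    r"(?P<tty>\S+)\s+(?P<time>\d+:\d\d)\s+(?P<cmd>.*)$"
)

def parse_ps(text):
    """Return {pid: row-dict}; the header line does not match ROW and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["pid"], row["ppid"] = int(row["pid"]), int(row["ppid"])
            procs[row["pid"]] = row
    return procs

def reparented_root_jobs(procs):
    """Root processes whose parent is now init (PPID 1) but that still show a
    terminal: a hint that the job was launched from a session, not inittab."""
    jobs = []
    for pid in sorted(procs):
        p = procs[pid]
        if p["uid"] == "root" and p["ppid"] == 1 and p["tty"] != "?":
            # Collect the processes this job forked (here, the find feeding xargs).
            kids = sorted(c["pid"] for c in procs.values() if c["ppid"] == pid)
            jobs.append({"pid": pid, "tty": p["tty"], "cmd": p["cmd"], "children": kids})
    return jobs

if __name__ == "__main__":
    for job in reparented_root_jobs(parse_ps(PS_LISTING)):
        print(job["pid"], job["tty"], job["cmd"], "children:", job["children"])
```

Both xargs processes are flagged with ttyp5 and each has its find as a child, while /etc/init itself is not flagged.
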
ses@hpfcdc.HP.COM (Steve Speer) (06/15/91)
>> A couple of weeks ago I upgraded my HP9000-350 to HP-UX6.5
>>
>> Today I noticed a couple of odd processes (see below) running owned by
>> root, apparently going through the filesystem and doing something with
>> acl's for uids 248 and 251. These uids in fact belonged to two users
>> that I deleted earlier today.

>You probably used SAM to remove those users, right? It looks to me like
>
>Bruce Rodean

SAM didn't exist for S300 boxes in 6.5, I'd look further. Not to be
paranoid, but have you considered that you may have a security problem?

I don't know, but perhaps reconfig used a process similar to sam in 6.5
and Bruce's suggestion could be right on.

6.5 is three years old now, why the delay and why not a newer version
(like 7.0)?

-Steve
ses@hpfcls.hp.com