Re: "spontaneous" permissions changes

[Yuri Csapo <ycsapo@exchange.mines.edu>]

[-- Attachment #1: Type: text/plain, Size: 3143 bytes --]

Daniel,

Thank you for your reply. Unfortunately regulations don't allow me to divulge configuration files. 
What specifically were you looking for in /etc/fstab?

I will be performing the tests you suggest soon; I can't do them right now because the box is under 
heavy use. Maybe this weekend.

Thanks again!

--Yuri

Daniel A. Avelino wrote:
> Yuri,
> 
> could you show us your /etc/fstab file?
> Could you perform some tests, like mount this partition, list permissions so
> umount the partition and list permissions again?
> 
> On Wed, Aug 26, 2009 at 6:08 PM, Yuri Csapo <ycsapo@exchange.mines.edu<mailto:ycsapo@exchange.mines.edu>> wrote:
> Hi all, I have a strange situation I wish someone could help me with. This is the setup:
> 
> - Virtual machine running the latest VM under ESXi
> - VM has one processor, 2 GB RAM, 1 GB swap
> - Ubuntu 8.04 LTS
> - The virtual host runs only this VM
> - Virtual host connects to a Lefthand Networks (now HP) SAN through 1 GB copper ethernet and iSCSI
> - VM has a 1 TB volume from the SAN that looks like a SCSI drive to Linux (/dev/sdc)
> - sdc is formatted as one big ext3 partition (sdc1)
> - sdc1 is exported both as an NFS resource and a SMB share (via Samba)
> - Authentication is Kerberos and authorization is local, if that matters
> 
> The permissions on that partition's mount point, usually 755, changed suddenly to 400. I have looked at sudo logs, root's and all admins' history files and I can find no evidence of someone changing those permissions or of tampering with the logs.
> 
> Physical access to the box requires the right keycard; logon (ssh) access to the box is restricted to sysadmins and support personel only; the root password is a 32 char long random string that lives in an encrypted repository on my iPod Touch. There are only 2 people, myself included, with full sudo rights; there are another 5 people with sudo rights to a number of administration things including chmod.
> 
> This is a state university and it happened on the first day of classes.
> 
> My questions:
> 
> - Did I look everywhere I should be looking to find evidence of foul play?
> - Does anyone know of anything in this setup that could trigger a seemingly spontaneous permissions change like that?
> 
> Thanks,
> 
> --
> Yuri Csapo
> Academic Computing & Networking
> Colorado School of Mines
> CT-256
> Phone:  (303) 273-3503
> Fax:      (303) 273-3475
> Email:   ycsapo@mines.edu<mailto:ycsapo@mines.edu>
> 
> Please use the following link to open a service request:
> http://helpdesk.mines.edu
> ===========================================
> With a PC, I always felt limited
> by the software available.
> On Unix, I am limited only by my knowledge.
> --Peter J. Schoenster
> 
> 

-- 
Yuri Csapo
Academic Computing & Networking
Colorado School of Mines
CT-256
Phone:  (303) 273-3503
Fax:      (303) 273-3475
Email:   ycsapo@mines.edu

Please use the following link to open a service request:
http://helpdesk.mines.edu
===========================================
With a PC, I always felt limited
by the software available.
On Unix, I am limited only by my knowledge.
--Peter J. Schoenster

[-- Attachment #2: ycsapo.vcf --]
[-- Type: text/x-vcard, Size: 200 bytes --]

begin:vcard
fn:Yuri Csapo
n:Csapo;Yuri
org:Colorado School of Mines;CCIT
email;internet:ycsapo@mines.edu
title:System Administrator
tel;work:(303) 273-3503
x-mozilla-html:FALSE
version:2.1
end:vcard