cannot remove file - even as root !!!!


Post by dan sawye » Thu, 30 May 2002 08:37:35



I have posted several posts on ssh. The level may be
backleveled. I am trying to upgrade using rpm.

The script file sshd in /etc/rc.d/init.d has somehow gotten
corrupted. It shows a group of root and a owner of lp and a
mod of 700.

rpm attempts to update this file and gets permission denied
so I shut sshd down and tried to remove it. That action got
the same result.

So I brought the system to init level 1 as root and tried
changing the mod, the owner, the group all to the same
error. I even tried moving it.

How can I remove this file??

Thanks,
Dan

 
 
 


Post by Dave Uhrin » Thu, 30 May 2002 08:43:29



> How can I remove this file??

man lsattr
man chattr

 
 
 


Post by Mike Tuxfo » Thu, 30 May 2002 10:31:08


:The script file sshd in /etc/rc.d/init.d has somehow gotten
:corrupted. It shows a group of root and a owner of lp and a
:mod of 700.

:How can I remove this file??

  I don't like just rm'ing init rc's.  You can't go back.
I would advise an /etc/ dir tree for temp storage and mv
the rc script.
    mkdir /etc/was.init.d
    cd /etc/rc.d/init.d
    mv <filename> /etc/was.init.d/

Also, the sticky bit may be set on the file perms.
as root: chmod 0700 <filename>

--
  _ _    ____
 //\/\ike ||uxford

 
 
 


Post by dan sawye » Thu, 30 May 2002 12:01:54


Thanks,

as root: chmod 0700 <filename> fails with "Operation not
permitted"

I also tried the mv idea and that got the same error.

This was discovered because I tried to rpm a new version and
rpm errored at the same spot.

I believe the correct thing to do is erase the files and
then start over.

Dan




 
 
 


Post by dan sawye » Thu, 30 May 2002 12:48:12


All,

There are hidden attributes on files. These can be viewed
with lsattr and changed with chattr.

Dan




 
 
 


Post by Jayasutha » Fri, 31 May 2002 05:02:15


Hi,

hmmm okay.. let's see where the problem is.

first see for master sort of priv control

lsattr /etc/rc.d/filename

make sure it doesn't hv any flags. If got remove it. To see if the file
really corrupted or something wrong. do copy out to /tmp and see if its
readable. If nope u got a serious problem. Do this.

init 1  <-- run into single mode
mount -oremount,rw /  <-- remount root filesystem read-only
e2fsck -f /dev/"root disk"  <-- run check disk

if the problem resist then u going to hv a lot of fun. learn to use
"debugfs" but do take extra care when use this command. Check also
/lost+found, if got lots of file inside .. signal is that filesystem or
hard disk isn't stable.


--

Jayasuthan
System Support
Fairchild Semiconductor M'sia
http://epss09                 [internal]
http://jjsuthan.tripod.com [external]
Tel: 6-04-8502630 (630)

 
 
 


Post by Dave Uhrin » Fri, 31 May 2002 07:27:35



> init 1  <-- run into single mode
> mount -oremount,rw /  <-- remount root filesystem read-only
                  ^^
> e2fsck -f /dev/"root disk"  <-- run check disk

The option "rw" is read-only???
And you forgot a space.
 
 
 


Post by Bill Unr » Fri, 31 May 2002 08:24:12


]Hi,

]hmmm okay.. let's see where the problem is.

]first see for master sort of priv control

]lsattr /etc/rc.d/filename

]make sure it doesn't hv any flags. If got remove it. To see if the file
]really corrupted or something wrong. do copy out to /tmp and see if its
]readable. If nope u got a serious problem. Do this.

]init 1  <-- run into single mode
]mount -oremount,rw /  <-- remount root filesystem read-only
]e2fsck -f /dev/"root disk"  <-- run check disk

]if the problem resist then u going to hv a lot of fun. learn to use
]"debugfs" but do take extra care when use this command. Check also
]/lost+found, if got lots of file inside .. signal is that filesystem or
]hard disk isn't stable.

]On Tue, 28 May 2002 23:37:35 GMT

]> I have posted several posts on ssh. The level may be
]> backleveled. I am trying to upgrade using rpm.
]>
]> The script file sshd in /etc/rc.d/init.d has somehow gotten
]> corrupted. It shows a group of root and a owner of lp and a
]> mod of 700.
]>
]> rpm attempts to update this file and gets permission denied
]> so I shut sshd down and tried to remove it. That action got
]> the same result.
]>
]> So I brought the system to init level 1 as root and tried
]> changing the mod, the owner, the group all to the same
]> error. I even tried moving it.
]>
]> How can I remove this file??

This almost always means that you have been rooted, as they say-- ie
someone has cracked your machine, and has installed their own version of
various programs. They have used chattr to change the attributes of the
files so you cannot (easily) remove them.
To remove the file, you can do
chattr -i name.of.the.file
(i stands for immutable)
However, I would not do that-- I would look for other evidence of being
cracked.

rpm -Va |grep '..5'>/tmp/verify
and look through /tmp/verify for files which have been changed. Some
should have been (/etc/passwd, etc) but some should not (ssh,
ps,ls,find,...) If you find evidence of the latter, you have definitely
been broken into. You must reinstall.

It is possible that the rpm database has been compromised, or that the
rpm program itself has been altered to hide their depredations.
Copy a copy of rpm from a place you know to be valid.
Since reinstalling is a pain, which if it is not necessary may be worse
than the disease, so it is worthwhile trying to get a valid version of
rpm if you suspect that it has been compromised.
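
The two checks discussed in this thread, as an added example (not code from any poster): it filters `lsattr` output for the immutable flag and parses `rpm -Va` output by field, so a 5 inside a path name is not mistaken for a digest mismatch and files the package marks as config are set aside. The function names and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data is constructed, not taken from a real host.

# Paths whose lsattr flag field contains 'i' (immutable).
# Reads `lsattr` / `lsattr -R` output; skips error and directory-header lines.
immutable_files() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ { sub(/^[^ ]+ +/, ""); print }'
}

# Paths from `rpm -Va` output whose digest differs (third flag character
# is 5) and which the package does not mark as a config file ("c").
changed_nonconfig() {
    awk '$1 ~ /^[.?A-Za-z0-9]+$/ && substr($1, 3, 1) == "5" {
        if ($2 == "c") next    # config files are expected to change
        path = $0
        sub(/^[^ ]+ +([cdglr] +)?/, "", path)
        print path
    }'
}

sample_lsattr() {   # constructed lsattr output
cat <<'EOF'
------------- /etc/rc.d/init.d/network
----i-------- /etc/rc.d/init.d/sshd
lsattr: Operation not supported While reading flags on /dev/log
EOF
}

sample_rpm_va() {   # constructed rpm -Va output
cat <<'EOF'
S.5....T c /etc/passwd
S.5....T   /usr/bin/ssh
.......T   /usr/lib/libexample.so.5
..5....T   /bin/ps
missing    /usr/share/doc/example/README
EOF
}

echo "immutable files:";            sample_lsattr | immutable_files
echo "changed non-config files:";   sample_rpm_va | changed_nonconfig
# On a live system (as root), feed the real tools instead:
#   lsattr -R /etc /bin /sbin /usr/bin /usr/sbin 2>/dev/null | immutable_files
#   rpm -Va | changed_nonconfig
```

As the post above points out, the `rpm -Va` result is only as trustworthy as the rpm binary and database it is run against.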

 
 
 


Post by dan sawye » Fri, 31 May 2002 11:41:45


Thank you.

Yes lsattr followed by chattr worked.

Dan




 
 
 


Post by Jayasutha » Fri, 31 May 2002 20:09:47


Yeakkssss...

sorry u are right it should be "ro" anyway the problem is resolved.

On Wed, 29 May 2002 17:27:35 -0500



> > init 1  <-- run into single mode
> > mount -oremount,rw /  <-- remount root filesystem read-only
>                   ^^
> > e2fsck -f /dev/"root disk"  <-- run check disk

> The option "rw" is read-only???
> And you forgot a space.

--

Jayasuthan
System Support
Fairchild Semiconductor M'sia
http://epss09                 [internal]
http://jjsuthan.tripod.com [external]
Tel: 6-04-8502630 (630)

 
 
 


Post by Jayasutha » Fri, 31 May 2002 20:12:27


Hi,

this isn't a crack.. unless someone trying to hv something running.
Usually boot file where give such flag so that root won't mess this
important boot files. Just don't want a crying day for admin. so no fear


--

Jayasuthan
System Support
Fairchild Semiconductor M'sia
http://epss09                 [internal]
http://jjsuthan.tripod.com [external]
Tel: 6-04-8502630 (630)

 
 
 


Post by Bill Unr » Sat, 01 Jun 2002 01:26:47


]Hi,

]this isn't a crack.. unless someone trying to hv something running.
]Usually boot file where give such flag so that root won't mess this
]important boot files. Just don't want a crying day for admin. so no fear

No. The installer does NOT do a chmod +i on anything. Something else or
someone else did that, probably a cracker.

It is root's job to be able to "mess". That is why you should only be
root when you need to "mess".

Now, maybe he or someone else did a chmod +i on that file, and then
forgot about it. But in any case, if ever you find a file with the
immutable set and you do not recall doing it yourself, ALWAYS check for
a crack.

 
 
 


Post by Bill Unr » Sat, 01 Jun 2002 01:29:27


]Thank you.

]Yes lsattr followed by chattr worked.

]Dan

As I said, unless you remember using chattr +i, you have almost
certainly been broken into. Check and fix.

 
 
 
