[Novalug] cant remove ssh. cant even chown it

Peter Larsen plarsen@famlarsen.homelinux.com
Tue Jul 22 22:02:47 EDT 2008



> Look what happened when I did this:
> 
> server1:/usr/sbin# who is 501
> root     pts/0        2008-07-22 18:03 (:0.0)
> 

Try typing "who is stupid" or "who knows virginia woolf".. I think you'll
be "amazed" by the answer. It's not telling you what you think it is.
"who" tells you the users who are logged in.

First of all - reinstalling seldom fixes a "bug". So to solve your
problems you don't help yourself by doing reinstalls. You may, as you
have here, make things worse. 

Linux has several security features - and with ssh they're pretty heavy.
And no, root cannot just delete everything - that's on purpose.

User 501 would be the second user ever created on your system. If
there's no user id 501 in /etc/passwd it looks like you may have removed
that user. Do a "find / -user 501 -print" and see what files on your
system are owned by that user. Most likely it's been manually deleted
from the user db but its files are still around on the system.

How did you try to remove ssh? What kind of errors did you get? Did you
ignore them or try to solve them?
What is your distribution, version etc?  Before you dig yourself deeper
with trying to manually manage this, it would be better to try to manage
it via your package manager.


-- 
Peter Larsen <plarsen@famlarsen.homelinux.com>


-----Original Message-----
From: Norman Bird <steelpulsefan@gmail.com>
To: Mike Shade <mshade@mshade.org>
Cc: Novalug <Novalug@calypso.tux.org>
Subject: Re: [Novalug] cant remove ssh. cant even chown it
Date: Tue, 22 Jul 2008 21:16:57 -0400

Look what happened when I did this:

server1:/usr/sbin# who is 501
root     pts/0        2008-07-22 18:03 (:0.0)


What does this mean? Maybe 501 is root in Debian etch?

On Tue, Jul 22, 2008 at 9:10 PM, Norman Bird <steelpulsefan@gmail.com>
wrote:
        No user 501. Checked those files just now. Good idea though,
        thanks.
        
        
        
        On Tue, Jul 22, 2008 at 7:29 PM, Mike Shade <mshade@mshade.org>
        wrote:
        
                
                > -rwxr-xr-x 1  501 root  236457 2008-05-15 07:36 sshd
                
                
                
                
                Why on *earth* is sshd owned by a user?  Did you at one
                point do a chown -R from / by mistake?
                
                Even more interesting is that it's giving you the UID
                instead of a user's name.  Do you *have* a user 501?
                Check with:
                
                # grep 501 /etc/passwd /etc/shadow /etc/group (as root)
                
                You may also want to run chkrootkit, as this is not
                normal ;)
                
                -- Mike
                
                
                
                
                
                _______________________________________________
                Novalug mailing list
                Novalug@calypso.tux.org
                http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
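
The ownership check discussed in this thread (files such as sshd owned by a numeric UID with no account behind it), as an added example that is not part of the original messages. The function names `orphan_owned` and `orphan_uids` are hypothetical, GNU find is assumed for `-printf`, and the passwd file is a parameter so the check can be run against a copy.

```shell
#!/bin/sh
# Added example: report files whose numeric owner has no entry in a passwd file.
# orphan_owned / orphan_uids are hypothetical helper names, not existing tools.
# Assumes GNU find (-printf). /etc/passwd only lists local accounts; on hosts
# with directory users, save the output of "getent passwd" and pass that file.

# orphan_owned DIR [PASSWD_FILE]
# Prints "uid<TAB>octal-mode<TAB>path" for every regular file under DIR whose
# owner UID does not appear in field 3 of PASSWD_FILE (default /etc/passwd).
# Paths containing tabs or newlines are not handled.
orphan_owned() {
    dir=$1
    passwd_file=${2:-/etc/passwd}

    # -xdev keeps the walk on one filesystem (skips /proc, NFS mounts, ...).
    find "$dir" -xdev -type f -printf '%U\t%m\t%p\n' 2>/dev/null |
    awk -F'\t' -v pw="$passwd_file" '
        BEGIN {
            # Load every UID that still has an account.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                if (f[3] != "") known[f[3]] = 1
            }
            close(pw)
        }
        # Keep only files whose owner UID is unknown.
        !($1 in known) { printf "%s\t%s\t%s\n", $1, $2, $3 }
    '
}

# orphan_uids DIR [PASSWD_FILE]
# Summary view: "uid<TAB>file-count" per unknown UID, sorted by UID.
orphan_uids() {
    orphan_owned "$@" |
    awk -F'\t' '{ n[$1]++ } END { for (u in n) printf "%s\t%d\n", u, n[u] }' |
    sort -n
}
```

Running `orphan_uids /usr/sbin` first shows whether one deleted account explains every hit; executables in the `orphan_owned` listing are the ones to compare against the package manager's record before changing ownership by hand.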
                
                
        
        
        

