Sunday, August 22, 2010

every: command not found

This was an interesting puzzle. I was looking at a hardening document for Linux that identified a huge number of files that needed more restrictive file permissions. Among them were /root/.bashrc, /root/.bash_profile, /root/.bash_logout, and so on. It made sense: nobody else needs to read them, yet they were 644 instead of 600.

But the doc pointed out that the user "root" might not use the bash shell. What if he was a psychopath and used csh? In that case you'd have to look for a bunch of .c* files. I immediately realized the best thing to do was to wildcard this task:
chmod 600 /root/.*
And then I moved on.

But within a few minutes... something was wrong. In another window, as user "doug", I tried to list a directory.
-bash: ls: command not found
What? I couldn't even list my home directory. As a matter of fact, I couldn't execute any command.

This is where your heart kind of skips a beat. As root I could list anything, including /bin/ls. So as root, I tried to switch to user doug:
su: warning: cannot changeto directory /home/doug:
  Permission denied
su: /bin/bash: Permission denied
Oh crap!

Eventually it occurred to me. Consider this situation:
ls -a /root
.   ..   .bashrc   .bash_logout   .bash_profile
When I used the dot-splat wildcard (.*), it must have picked up dot-dot, and /root/.. is the root directory, /. From there it probably reset the permissions on /bin, /etc, and so on. I just needed to reset those perms to 755.

No luck. As a matter of fact, every directory seemed to be correct. I could not see any permission that was wrong. And then... in a stroke of unparalleled genius, I tried something else. I looked at the one set of directory permissions you never see in a normal listing, those of / itself:
# ls -ld /
drw------- 24 root root 4096 Aug 22 22:51 /
What about:
# chmod 755 /
# ls -ld /
drwxr-xr-x 24 root root 4096 Aug 22 22:51 /
And now everything works.

Whew.

In the end, however, I do have to admit one thing: The system was significantly hardened. Hard as a brick!
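As an added example (not from the original post), the script below reproduces the .* expansion in a throwaway directory instead of /root, shows a glob that stays inside the directory, and checks that the parent is left untouched. It assumes a POSIX sh with mktemp -d; the fixture filenames are constructed to mirror the post.

```shell
# Added example, not from the original post: replays the ".*" glob mistake in a
# temporary directory (never /root or /) and shows a glob that cannot climb out.

# Build a fake home with the post's dotfiles plus one "..hidden" name, to show
# why the second pattern in safe_matches is needed. Prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir "$dir/home"
  for f in .bashrc .bash_profile .bash_logout ..hidden; do
    : > "$dir/home/$f"
  done
  printf '%s\n' "$dir/home"
}

# What "chmod 600 /root/.*" really iterated over: a POSIX shell expands ".*"
# to "." and ".." as well, and ".." of /root is /. Bash 5.2+ skips the two
# entries by default (globskipdots); the shopt line restores the historic
# behaviour there and is a harmless no-op in dash and older bash.
unsafe_matches() {
  (cd "$1" && { shopt -u globskipdots 2>/dev/null || true; }
   for f in .*; do printf '%s\n' "$f"; done)
}

# ".[!.]*" skips "." and ".."; "..?*" catches names like "..hidden" that the
# first pattern misses. The -e test drops a pattern that matched nothing,
# because an unmatched glob is left in place as literal text.
safe_matches() {
  (cd "$1" && for f in .[!.]* ..?*; do
    if [ -e "$f" ]; then printf '%s\n' "$f"; fi
  done)
}

# Tighten regular dotfiles only; the directory and its parent are never touched.
harden_dotfiles() {
  (cd "$1" && for f in .[!.]* ..?*; do
    if [ -f "$f" ]; then chmod 600 "$f"; fi
  done)
}

# Permission string as ls prints it, e.g. "-rw-------" (portable across stat flavours).
mode_of() {
  ls -ld "$1" | cut -c1-10
}
```

Run harden_dotfiles on the fixture and compare mode_of on the files, the directory and its parent; only the files change.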
