Hi,
I have a bit of a headache with a server doing some rather mysterious yet static changes to permissions in /home. The server in question is a FreeBSD server. It's an older beast with quite a few custom tweaks and now I'm stuck with it.
The problem is that some of the directories in /home will get their owner and group changed to a numeric value. The value does not have anything in common with UID or GID and when a temporary fix is made (chown user:user user), it's a matter of time before it happens again. It may happen within 24 hours or within a week; there seems to be no indicator.
The numeric value for each user will remain the same. This sounds a bit weird, but consider this:
Before the change:
brightstorm:brightstorm brightstorm (owner, group, (home)dir)
otheruser:otheruser otheruser
After the change:
192382:192382 brightstorm (again - owner, group, (home)dir)
934329:934329 otheruser (owner/group values are made up for this example)
Then we chmod it back.
brightstorm:brightstorm brightstorm (owner, group, (home)dir)
otheruser:otheruser otheruser
Next time it happens, same values.
192382:192382 brightstorm
934329:934329 otheruser
Since we have a large server farm, my first instinct was to check for suspicious crontab entries - none found.
I then checked root's authorized keys to see if any old timers would have some kind of (horrible) remote "cleanup" - none found.
I have been knee-deep in pretty much /var/log* - especially auth.log, cron, messages, etc. for good measure, but there is really no indicator.
I know little about the machine itself besides that it's a virtual guest on a VMware host. I wrote a workaround script to look at /home every 5 minutes and pull anything with an odd-looking (numeric) owner and fix permissions by taking the name of the homedir and chown the poor people's functionality back, because this problem effectively prevents them from writing anything in their homedir.
I know I may be leading you on a wild goose chase here because of the tricky element that the server is a modified FreeBSD and is an older version back from 2003. (One can reason that it needs upgrading, but a lot of legacy is preventing us from doing so at the moment.) But I am very curious if any of you have seen similar behaviour before or would have any other suggestions on where to look for culprits.
/Klaus
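
As an added example (not part of the original post), the 5-minute workaround described above can be paired with a logging pass that records each affected home directory's numeric owner and inode change time, which gives a time window to compare against cron, auth and messages logs. It assumes Python is available on the host; the function names are hypothetical.

```python
import grp
import os
import pwd
import stat
import time


def name_exists(lookup, ident):
    """True if pwd.getpwuid / grp.getgrgid can resolve the numeric id."""
    try:
        lookup(ident)
        return True
    except (KeyError, OverflowError):
        return False


def find_orphaned_homes(home="/home", uid_known=None, gid_known=None):
    """List directories under `home` whose owner or group id has no name."""
    uid_known = uid_known or (lambda u: name_exists(pwd.getpwuid, u))
    gid_known = gid_known or (lambda g: name_exists(grp.getgrgid, g))
    records = []
    for name in sorted(os.listdir(home)):
        st = os.lstat(os.path.join(home, name))
        if not stat.S_ISDIR(st.st_mode):
            continue  # skip plain files and symlinks
        if uid_known(st.st_uid) and gid_known(st.st_gid):
            continue  # ownership still resolves to real names
        records.append({
            "name": name,
            "uid": st.st_uid,
            "gid": st.st_gid,
            # chown(2) updates the inode change time, so the ownership
            # change happened no later than this timestamp.
            "ctime": st.st_ctime,
        })
    return records


def format_record(rec):
    """One log line per affected directory, suitable for appending to a file."""
    when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(rec["ctime"]))
    return "%s uid=%d gid=%d inode-changed=%s" % (
        rec["name"], rec["uid"], rec["gid"], when)


if __name__ == "__main__":
    for record in find_orphaned_homes():
        print(format_record(record))
```

Run it before the corrective chown, since that chown resets the change time and erases the evidence.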