FreeBSD abnormal permission changes in /home

brightstorm · May 10, 2011, 11:45pm

Hi,

I have a bit of a headache with a server doing some rather mysterious yet static changes to permissions in /home. The server in question is a FreeBSD server. It's an older beast with quite a few custom tweaks and now I'm stuck with it

The problem is that some of the directories in /home will get their owner and group changed to a numeric value. The value does not have anything in common with UID or GID and when a temporary fix is made (chown user:user user), it's a matter of time before it happens again. It may happen within 24 hours or within a week, there seems to be no indicator.

The numeric value for each user will remain the same. This sounds a bit weird, but consider this:

Before the change:

brightstorm:brightstorm brightstorm (owner, group, (home)dir)
otheruser:otheruser otheruser

After the change:

192382:192382 brightstorm (again - owner, group, (home)dir)
934329:934329 otheruser (owner/group values are made up for this example)

Then we chmod it back.

brightstorm:brightstorm brightstorm (owner, group, (home)dir)
otheruser:otheruser otheruser

Next time it happens, same values.

192382:192382 brightstorm
934329:934329 otheruser

Since we have a large serverfarm my first instinct was to check for suspicious crontab entries - none found.
I then checked root's authorized keys to see if any old timers would have some kind of (horrible) remote "cleanup" - none found.
I have been knee-deep in pretty much /var/log* - especially auth.log, cron, messages, etc. for good measure, but there is really no indicator.

I know little about the machine itself besides that it's a virtual guest on a VMWare host. I wrote a workaround script to look at /home every 5 minutes and pull anything with an odd looking (numeric) owner and fix permissions by taking the name of the homedir and chown the poor people's functionality back, because this problem effectively prevents them from writing anything in their homedir.

I know I may be leading you on a wild goosechase here because of the tricky element that the server is a modified FreeBSD and is an older version back from 2003. (One can reason that it need upgrading but a lot of legacy are preventing us for doing so at the moment), but I am very curious if any of you have seen similar behaviour before or would have any other suggestions on where to look for culprits.

/Klaus

Celtic_Monkey · May 11, 2011, 4:38am

Very strange.... is the / home directory nfs shared (or mounted) elsewhere? is it subject to access by any other system (for backup purposes etc) that could possibly be changing permissions.

I'm thinking along the similar lines or un-tarring source code where the user/groupid is numerical because the source user doesn't exist on the local system. does the userid "192382" in your example exist on another system?

just stabbing in the dark here...

brightstorm · May 16, 2011, 8:47am

Hi Celtic,

Thanks for the response and sorry for my lack of response, I was pretty busy the rest of the week. I have dug deeper into this and while there are "repository servers" there are no trace of any user management system/scripts and there is also no trace of any strange jobs.

I am closing in on the "periodic daily" as the likely culprit. I have set some monitoring up which sounds an alert at pretty much the same time as periodic daily runs

1       3       *       *       *       root    periodic daily

I'm probably going to have to dissect the /etc/periodic/daily stuff to try to find evidence for this (or either just uncomment periodic for a day or two and see if the permissions behave). According to man periodic it just executes shell scripts in /etc/periodic/daily|weekly|monthly|security.