On Tue, 2005-01-11 at 17:42 +0000, Sharon Kimble wrote: > Paul Howarth wrote: > > > Sharon Kimble wrote: > >> Paul Howarth wrote: > >>>What you should be worried about is how your system got into this state > >>>in the first place. Any ideas on how someone running as root could > >>>change the permissions of the root directory so that any regular user > >>>could create, delete and rename files there? For instance, on your > >>>system a regular user could run the command "mv /lib /trash" and > >>>completely break your system in a way that would be quite difficult to > >>>recover from. > >> > >> Thanks, this sorted it, and I've got sendmail working again. > >> > >> Regarding the other problem - the last sendmail message was at 0500 on > >> Sunday last ..... so its something that happened (or I did) between then > >> and now. I'm currently investigating. > > > > A couple of possibilities: > > > > 1. See if there are any files/directories owned by a non-root user in > > the root directory. That might provide a clue if there are any such > > files/directories. > > > None at all. No files and no directories. > > > 2. Are you in the habit of logging in as root or leaving a terminal > > window with a root shell running? If so, you might have inadvertently > > typed a chmod command or run a script in the wrong directory, as root, > > by mistake. This is why people regularly recommend only switching to > > root when you really need to run a command as root, and then switch back. > > > The last time that I logged in as root was when I installed FC3 and set > myself up as the user which was 2004-11-10. Don't think that I left a > 'root' terminal running. I tend to do something as root and then just exit > the terminal. > > Its a puzzle, but thanks for the pointers. > > Sharon. You might want to run chkrootkit or one of the similar tools to find out if you may have been "rooted". / did not change mode to 757 by itself. Something was done either deliberately or inadvertently that changed it. If you did not make the change then you should be very suspicious of how it happened. BTW, your listing of the permissions shows / was last modified on Jan 8 @ 14:15. A perusal of the /var/log/messages(.X) and /var/log/secure (.X) files as well as using the "last" command may give you some pointers. Jeff
