Chetan_Tiwary_
Community Manager

Red Hat Linux Interview Series 5

Q.) Analyze the audit logs and troubleshoot this error:

time->Tue Sep 21 14:59:59 2024
type=PROCTITLE msg=audit(1647889199.608:3076): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

type=SYSCALL msg=audit(1647889199.608:3076): arch=c000003e syscall=4 success=no exit=-13 a0=7fe48c041c50 a1=7fe48a7fb890 a2=7fe48a7fb890 a3=7fe48a7fc4f0 items=0 ppid=1378098 pid=1415603 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1647889199.608:3076): avc: denied { getattr } for pid=1415603 comm="httpd" path="/data/website/index.html" dev="dm-0" ino=34897893 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0

Q.) Accidentally did "chmod 444 /bin/chmod" as a root user - how to resolve this error:

-bash: /bin/chmod: Permission denied

Q.) The passwd executable has root user and group ownership, so how is a normal user able to change their password?

I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.

5 Replies
TM
Flight Engineer

Q3.

Because /usr/bin/passwd has the setuid bit set (the s in place of x in the owner permissions), and so when executed by a normal user it effectively uses the file owner's (here root) privileges.
-rwsr-xr-x. 1 root root 32648 Aug 10 2021 /usr/bin/passwd

TM
Flight Engineer

Q2.

rpm --setperms -f /bin/chmod
or (better ?)
rpm --restore -f /bin/chmod

Emanuel_Haine
Flight Engineer

Q1 - SELinux label context issue

SELinux expects the file to have an httpd-related context, but it has 'default_t'.

There are two ways to fix it. Changing the context just for the file:

semanage fcontext -a -t httpd_sys_content_t "/data/website/index.html"
restorecon -v "/data/website/index.html"

Or changing the context recursively for the /data/website dir:

semanage fcontext -a -t httpd_sys_content_t "/data/website(/.*)?"
restorecon -Rv "/data/website/"

Q2 - Find the package that owns the file and then reinstall the package

rpm -qf $(which --skip-alias chmod)
coreutils-8.30-15.el8.x86_64

dnf reinstall -y coreutils

In this case the rpm --setperms or --restore will not work because it will use /bin/chmod

Q3 - SetUID

/usr/bin/passwd has the setuid bit set on top of the execute bit (also set) for the owner, which is root. So, as the file has execute permission for everyone, any user who executes it will have root permission for this operation. Here is the stat output:

stat /usr/bin/passwd
  File: /usr/bin/passwd
  Size: 33424     	Blocks: 72         IO Block: 4096   regular file
Device: 10303h/66307d	Inode: 269776753   Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:passwd_exec_t:s0
Access: 2023-09-09 01:26:06.466083331 -0300
Modify: 2022-02-07 15:27:26.000000000 -0300
Change: 2022-05-11 00:01:05.838011388 -0300
 Birth: 2022-05-11 00:01:05.836011393 -0300

And why is it necessary to have root permission for this operation? Because the file /etc/shadow must be updated, and since this file has no permissions, only root can manipulate it.

stat /etc/shadow
  File: /etc/shadow
  Size: 1582      	Blocks: 8          IO Block: 4096   regular file
Device: 10303h/66307d	Inode: 537335406   Links: 1
Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:shadow_t:s0
Access: 2024-09-20 19:46:48.560002288 -0300
Modify: 2024-08-17 17:52:02.168748104 -0300
Change: 2024-08-17 17:52:02.169748105 -0300
 Birth: 2024-08-17 17:52:02.168748104 -0300

Chetan_Tiwary_
Community Manager

@Emanuel_Haine Thanks for the great explanation!

Emanuel_Haine
Flight Engineer

@Chetan_Tiwary_ , you are welcome!
