Re: Red Hat Linux Interview Series 5

Chetan_Tiwary_

Q.) Analyze the audit logs and troubleshoot this error :

time->Tue Sep 21 14:59:59 2024
type=PROCTITLE msg=audit(1647889199.608:3076): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

type=SYSCALL msg=audit(1647889199.608:3076): arch=c000003e syscall=4 success=no exit=-13 a0=7fe48c041c50 a1=7fe48a7fb890 a2=7fe48a7fb890 a3=7fe48a7fc4f0 items=0 ppid=1378098 pid=1415603 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1647889199.608:3076): avc: denied { getattr } for pid=1415603 comm="httpd" path="/data/website/index.html" dev="dm-0" ino=34897893 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0

Q.) Accidentaly did "chmod 444 /bin/chmod" as a root user - how to resolve this error :

-bash: /bin/chmod: Permission denied

Q.) passwd executable has root user and group ownership then how does a normal user is able to change it's password ?

I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.

TM

Q3.

Because /usr/bin/passwd as the setuid bit set (the s in place of x in owner permissions), and so when executed by a normal user it effectively uses the file owner (here root) privileges.
-rwsr-xr-x. 1 root root 32648 Aug 10 2021 /usr/bin/passwd

TM

Q2.

rpm --setperms -f /bin/chmod
or (better ?)
rpm --restore -f /bin/chmod

Emanuel_Haine

Q1 - SELinux label context issue

SELinux is expecting the file to have httpd related contexts, but it has the 'default_t'

There are two ways to fix it. Changing the context just for the file:

semanage fcontext -a -t httpd_sys_content_t "/data/website/index.html"
restorecon -v "/data/website/index.html"

Or changing the context recursively for the /data/website dir:

semanage fcontext -a -t httpd_sys_content_t "/data/website(/.*)?"
restorecon -Rv "/data/website/"

Q2 - Find the package that owns the file and then reinstall the package

rpm -qf $(which --skip-alias chmod)
coreutils-8.30-15.el8.x86_64

dnf reinstall -y coreutils

In this case the rpm --setperms or --restore will not work because it will use /bin/chmod

Q3 - SetUID

/usr/bin/passwd has the setuid set on the execution bit (also set) for the owner, which is root. So, as the file has execution permission for everyone, any user who executes it, will have root permission for this operation. Here is the stat output:

stat /usr/bin/passwd
  File: /usr/bin/passwd
  Size: 33424     	Blocks: 72         IO Block: 4096   regular file
Device: 10303h/66307d	Inode: 269776753   Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:passwd_exec_t:s0
Access: 2023-09-09 01:26:06.466083331 -0300
Modify: 2022-02-07 15:27:26.000000000 -0300
Change: 2022-05-11 00:01:05.838011388 -0300
 Birth: 2022-05-11 00:01:05.836011393 -0300

And why is it necessary to have root permission for this operation? It is because the file /etc/shadow must be updated, ans since this file has no permissions, just root can manipulate it.

stat /etc/shadow
  File: /etc/shadow
  Size: 1582      	Blocks: 8          IO Block: 4096   regular file
Device: 10303h/66307d	Inode: 537335406   Links: 1
Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:shadow_t:s0
Access: 2024-09-20 19:46:48.560002288 -0300
Modify: 2024-08-17 17:52:02.168748104 -0300
Change: 2024-08-17 17:52:02.169748105 -0300
 Birth: 2024-08-17 17:52:02.168748104 -0300

Chetan_Tiwary_

@Emanuel_Haine Thanks for the great explanation!

Emanuel_Haine

@Chetan_Tiwary_ , you are welcome!

Red Hat Linux Interview Series 5

administration

job interview

Learn

linux

linux-admin

Practice

Question

round

screening

SysAdmin

technical

troubleshooting