Date: Mon, 27 Feb 2017 09:25:51 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Steve O'Hara-Smith" <steve@sohara.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: home directory overridden by root?
Message-ID: <34847.128.135.52.6.1488209151.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20170227145725.81ca3555a2fbfa472fa3e6a6@sohara.org>
References: <B9C3096B-970E-468D-9316-9E650BAEC448@gmail.com> <20170227111307.5441830c@kalimero.tijl.coosemans.org> <F7C92D16-BEF9-4BA3-9F4E-CB5702D5069F@gmail.com> <20170227145725.81ca3555a2fbfa472fa3e6a6@sohara.org>

On Mon, February 27, 2017 8:57 am, Steve O'Hara-Smith wrote:
> On Mon, 27 Feb 2017 06:44:42 -0800
> Paul Beard <paulbeard@gmail.com> wrote:
>
>>
>> > On Feb 27, 2017, at 2:13 AM, Tijl Coosemans <tijl@FreeBSD.org> wrote:
>> >
>> > If that's not correct check if some login script sets that variable
>> > and remove that. Its value should be correct by default.
>>
>> I have no idea what could set that other than that some . script. But I
>> found nothing that set any environment variables.
>
> Those or login.conf or /etc/profile are about the only places it
> should be able to happen.
>
>> I created a .bashrc that explicitly sets it for now. I may create a new
>> user and see if that account gets its $HOME set properly.
>
> HOME normally gets set up correctly so something is awry on your
> system. Creating another user is well worth doing, it will tell you
> straight away whether the problem is in your own environment setup or in
> the system.

There is one more possibility: the problem was in the system the moment the
"defunct" user was created. But since then it was fixed. The fact that it is
not there anymore may merely be due to the fact that intruders did a "sweep
up" of their traces after they installed a backdoor for themselves.
Alternatively, there just could have been a typo on the command line when you
were creating the "defunct" account.

But I agree, creating one more account will give you additional
information in figuring out what's wrong.

Unless all weirdness is explained and has benign reasons, I would assume
the machine compromised and follow compromise recovery procedures (back up
user data, re-format the drive, install a fresh system, patch, secure the
system, re-create users, restore user data; and make sure all users know
about the potential event of compromise, use different passwords, and change
passwords everywhere else where they logged in from the compromised machine).

All in all, finding out the reasons for the weirdness is less hassle than
blindly assuming compromise and following the recovery procedure.

Good luck!

Valeri

>
> --
> Steve O'Hara-Smith <steve@sohara.org>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
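
Added example, not part of the original message or of FreeBSD: one way to run the check the thread discusses, comparing a session's HOME with the account's passwd entry and listing the startup-file lines that assign HOME. The user name `alice`, the sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate what overrides HOME for a user.

# passwd_home FILE USER: print the home directory (field 6) from a
# passwd(5)-format file.
passwd_home() {
    awk -F: -v u="$2" '$1 == u { print $6; exit }' "$1"
}

# check_home FILE USER VALUE: compare VALUE (normally "$HOME") with the
# passwd entry. Returns 0 on match, 1 on mismatch, 2 if USER is unknown.
check_home() {
    expected=$(passwd_home "$1" "$2")
    [ -n "$expected" ] || { echo "no passwd entry for $2"; return 2; }
    [ "$expected" = "$3" ] && { echo "ok: HOME=$3"; return 0; }
    echo "mismatch: passwd says $expected, environment says $3"
    return 1
}

# home_setters FILE...: print file:line:text for each non-comment line that
# assigns HOME (sh "HOME=", csh "setenv HOME", login.conf "setenv=HOME=").
home_setters() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '(^|[^A-Za-z0-9_])(HOME=|setenv[[:space:]]+HOME[[:space:]])' \
            "$f" /dev/null | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
}

# make_sample: build constructed sample files in a temp dir, print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' > "$d/passwd"
    printf '%s\n' '# HOME=/tmp (commented out)' 'PATH=$HOME/bin:$PATH' \
        'export HOME=/root' > "$d/profile"
    printf '%s\n' 'set prompt = "% "' > "$d/cshrc"
    echo "$d"
}

# Demo on the constructed sample: alice's session reports HOME=/root.
d=$(make_sample)
check_home "$d/passwd" alice /root || true
home_setters "$d/profile" "$d/cshrc"
rm -rf "$d"
```

On a live system the same functions can be pointed at `/etc/passwd` and at the places named in the thread (`/etc/profile`, `login.conf`, the user's dot files such as `.bashrc`).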