You can take a look at which special attributes are set for files using lsattr. Hopefully that will help you find out which files he had fun with.
Matt On 10/21/06, John Hebert <johnahebert at yahoo.com> wrote: > Howdy, > > A "security analyst" made some unknown changes with 'chattr' to a server I'm > administrating (yeah, I know. I'm waiting on a detailed list of changes he > made.) and now I can't add or del users from /etc/passwd. When I try, I get > "unable to lock password file". Also, when I try to change a user's password, > I get the error "passwd: Authentication token lock busy". > > I've removed the immutable bit from /etc/passwd* and /etc/shadow* with > 'chattr -i ...' and it still didn't work. I even recursively removed the > immutable bit for /etc/* and _still_ can't add or delete users. > > Anybody ever see anything like this? Where does the password lock file get > created? I think PAM is failing, but I'm not sure why. > > Thanks, > John Hebert > > > > > > _______________________________________________ > General mailing list > General at brlug.net > http://brlug.net/mailman/listinfo/general_brlug.net >
