Gals, guys...
Few days ago I rounded up a small project:
- Installed and configured Arch on Toshiba Portege 3110ct (no floppy, no CD drive - just connection hub, PXE misbehaved, so ripped the HD to another machine)
- Installed and configured lighttpd (beautiful little http server - configured in no time!)
- Installed and configured Arno firewall
- Installed and configured RootKit Hunter and chkrootkit
- finally, made and moved my web pages to the 'server'.
And this was all fine for few days... until I wanted to help out RKHunter in its system analysis...
Amongst all other things, RKHunter checks and gives info on crontab run for user Nobody. And makes it OK, since no rootkit was found (I hope because there's none).
But, to avoid this effort for it, *late* last night, I userdel -r nobody. ...Mistake. Now I don't have /bin/bash for any of accounts, root inclusive.
Symptoms are, even while still in current KDE session (opened while I was monkeying around), if I want to open a konsole, it can't keep on the screen. Shows up on the screen and quickly disappears. So, I restarted X, tried another session, but it doesn't even begin - an X window shows up and says something like "... no file /bin/bash" and returns back to Arch login splash.
I didn't power the system down, and checked the web pages serving today from my job and its OK.
Now, question you probably guessed is coming: how to make things back to normal?
Please bear in mind that I don't have CD/DVD access on this machine... Otherwise it would be relatively easy (though I haven't had an issue like this ever before).
Thanks and cheers to all,
mladen
p.s. Or, could this be one of those accidental "security breakthroughs" - system does the job, but no one can log in and do malice, he, he :D:D ?)
No past, no future. It's all one long, never ending present.
Offline
try adding init=/bin/bash to your grub entry, then add the user
Offline
hmm, sounds simple! Will give it a go once at home!
Thanks even if it doesn't work out
Last edited by mladen (2007-02-01 03:04:22)
No past, no future. It's all one long, never ending present.
Offline
No, it didn't work out
The only response I could get is "File not found..." (or similar) just before kernel decompresses. And it hangs there.
I guess, I've effectively killed bash and nothing would be executed without it.
So, this machine got reinstalled from 0.8 alpha3 and is running again... Few questions do remain but, for another thread.
Anyway, it would be nice to know what actually happened to the system with user nobody deleted. Anyone!?
(meantime I've learnt a lot on user nobody, but couldn't find the sequence of events after it is deleted.)
Cheers,
mladen
No past, no future. It's all one long, never ending present.
Offline
Anyway, it would be nice to know what actually happened to the system with user nobody deleted. Anyone!?
userdel -r removes everything in the user's home directory, nobody's home directory is set to /... Meaning it's (pretty much) the same as doing rm -Rf /. Not much can be done to recover from that.
Offline
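The failure explained in the reply above can be caught before `userdel -r` is run by reading the account's home field first. This is an added example, not code from the thread: `home_check` is a hypothetical helper name, and the list of system directories it refuses is an assumption to adjust per system.

```shell
#!/bin/sh
# Pre-flight check before `userdel -r USER`: refuse when the account's home
# directory is / or a system directory, or is shared with another account.
# home_check is a hypothetical helper; the passwd file defaults to /etc/passwd.

home_check() {
    user=$1
    passwd_file=${2:-/etc/passwd}

    # Field 6 of a passwd entry is the home directory that -r would delete.
    home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd_file")
    if [ -z "$home" ]; then
        echo "no-such-user"
        return 2
    fi

    # Normalise so that "//" or "/usr/" are treated like "/" and "/usr".
    norm=$(printf '%s' "$home" | sed -e 's:/*$::' -e 's://*:/:g')
    if [ -z "$norm" ]; then
        norm=/
    fi

    # Assumed list of directories that must never be removed recursively.
    case $norm in
        /|/bin|/sbin|/usr|/usr/*|/etc|/lib|/lib64|/var|/boot|/dev|/proc|/sys|/root|/home)
            echo "unsafe: home of $user is $norm"
            return 1 ;;
    esac

    # A home shared by several accounts would be wiped for all of them.
    sharers=$(awk -F: -v h="$home" '$6 == h { n++ } END { print n + 0 }' "$passwd_file")
    if [ "$sharers" -gt 1 ]; then
        echo "unsafe: $norm is home for $sharers accounts"
        return 1
    fi

    echo "ok: $norm"
    return 0
}

# Command-line use: sh home_check.sh USER [PASSWD_FILE]
if [ "$#" -gt 0 ]; then
    home_check "$@"
fi
```

When the check reports unsafe, running `userdel` without `-r` removes the account and leaves the directory alone.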
rm -Rf /
I learnt it out later. But never felt it before - now I know !
It was, actually, kind of surprising that my server was still normally(?) running after that. Another surprise was a thought that this could be a way to secure running processes - BUT one would need the way to recover... an efficient way...
Thanks Leffe and cheers,
mladen
No past, no future. It's all one long, never ending present.
Offline
A little off-topic, but how were you able to get the harddrive out? I have the same model, and can't seem to locate it.
I'm SUCH a n00b
It seems I will have to take the whole thing apart.
Last edited by vs.taras (2008-02-12 18:51:38)
Offline