System I administer: - RH 7.0 / Intel, updated from RH 6.2 - Shadow passwords are in use - There are several entries in /etc/passwd having UID=0 / GID=0 with different usernames Damage happened: all entries having UID=0 and username NOT beginning with "root[something]" were changed so that the UID and GID were copied from the entry above. For example: --<cut>-- figu:x:531:531:Risto Avila:/home/figu:/bin/bash bofh:x:0:0:Bastard Operator From Hell:/root:/bin/bash --<cut>-- was changed to figu:x:531:531:Risto Avila:/home/figu:/bin/bash bofh:x:531:531:Bastard Operator From Hell:/root:/bin/bash --<cut>-- Entries where username was, t.ex "rootbeer", beginning with "root" were just as they were supposed to be. When: That is unfortunately not clear, and I couldn't reproduce the problem. The things that I suspect are use of: "passwd somebody" run as root "adduser -u 123 -g 123 -d /home/person person" This may be a bit paranoid or caused by some user having the root priviledges with some other commands, I'm not too sure everybody's knowhow is high enough to do what they're doing.. But please do something if reports with similar sympthons pop up. Jarkko Hakala
Jarkko, this looks really weird... Anyway I was unable to reproduce it, if such thing happens to you again using a recent Red Hat release and is reproducible, please create a new bug. Thanks! Jindrich