Strange behavior of linux: why are files under one of the users created, but when the content is written to them, they are deleted?

S

Stanislav2017-04-01 08:13:01

linux

Stanislav, 2017-04-01 08:13:01

The situation is this. There is Debian 8, recently it was Debian 7. There is one user (not root) in it, when working with which strange things occur. It is impossible to connect via ssh through it, although there was such an opportunity before. The `su -` command also does not help, the console looks like this:

15:05:23:[email protected]>~#su ouruser
Fri Mar 31 15:05:40 MSK 2017
15:05:40:[email protected]>~#

The /var/log/auth.log log looks like this at this moment:

Mar 31 17:29:37 server su[2172]: Successful su for ouruser by root
Mar 31 17:29:37 server su[2172]: + /dev/pts/1 root:ouruser
Mar 31 17:29:37 server su[2172]: pam_unix(su:session): session opened for user ouruser by sshuser(uid=0)
Mar 31 17:29:37 server su[2172]: pam_unix(su:session): session closed for user ouruser

Where sshuser is the user under which we first got to the server via ssh, and then using `su -` got into root, from where we conduct the experiment. Warning questions - no, from under sshuser it is also impossible to get into the user we need through `su -`. The rest of the system logs for grep ouruser do not show anything at this moment.
Checking through clamav and rkhunter showed nothing either.
When connecting via ftp, the connection occurs, however, there are also oddities - when you try to create a certain file, it is created, but when you try to write something to this file, it simply disappears.
Could you tell me what could be the problem or where to start diagnosing? Recreating the user as a whole is an option, but an extreme one, and will be considered last.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

M

Mikhail Konyukhov, 2017-04-01
@piromanlynx

1. This is very similar to the fact that instead of a shell, the user has / bin / date. Just change its shell:

# chsh ouruser
Changing the login shell for ouruser
Enter the new value, or press ENTER for the default
  Login Shell [/bin/date]: /bin/bash

2. You can also write exit inside profile or bashrc. then you just need to find these lines and at least comment out:

# egrep -i  -n '(exit|date)' /home/ouruser/.* 2>/dev/null
/home/ouruser/.bash_logout:1:# ~/.bash_logout: executed by bash(1) when login shell exits.
/home/ouruser/.bashrc:23:# update the values of LINES and COLUMNS.
/home/ouruser/.bashrc:114:date
/home/ouruser/.bashrc:115:exit
# mcedit -d /home/ouruser/.bashrc:114

3. There may also be some kind of hack in /etc/profile or /etc/profile.d. Add to /etc/profile at the beginning of set -x

# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

set -x

if [ "`id -u`" -eq 0 ]; then

and you can see which command exits, and then find it in the profile files.

S

Saboteur, 2017-04-02
@saboteur_kiev

Run and show
cat /etc/passwd | grep ouruser
see how he is configured - where is his home directory, what is his shell, what is his UID.
Run df -h
Run df -h /var/www