local user get created magically ! system hacked ?

Rick Stevens ricks at alldigital.com
Tue Dec 3 22:27:31 UTC 2013


On 12/03/2013 02:08 PM, Jehan Procaccia issued this missive:
> hello
> I use about a hundred fedora19 stations in computer labs at our school
> user accounts come from an ldap directory and the homedir is
> automounted via NFS.
> However, recently I noticed that on some stations, a local user account
> had been created !
> looking at the log file, I discovered in /var/log/secure  something like
> this:
>
> accounts-daemon: request by system-bus-name ::1.733
> [/usr/libexec/gnome-initial-setup pid:15259 uid:991]: create user 'foobar'
> useradd[29724]: new group: name=foobar, GID=1001
> secure-20131117:Nov 15 17:16:43 b3-4 useradd[29724]: new user:
> name=susana, UID=1001, GID=1001, home=/home/susana, shell=/bin/bash
> secure-20131117:Nov 15 17:16:43 b3-4 useradd[29724]: add 'susana' to
> group 'wheel'
> secure-20131117:Nov 15 17:16:43 b3-4 useradd[29724]: add 'susana' to
> shadow group 'wheel'
>
> Scary ! how come gnome-initial-setup could create users, and moreover
> add them to the wheel group !
> could it be a bug in gnome-initial-setup, a feature side effect ? or
> our students found a "back door" ?
> any suggestion greatly appreciated .

The system does want a local "administrator" account--one that's not
dependent on the network (and hence LDAP) being available.

Normally the first-boot mechanism would create the "administrator"
account once you've installed the system, but the username doesn't have
to be "administrator" or "admin". It can be any name you want and this
first user will be given administrator privileges (group "wheel"). The
fact that the log entries indicate that this was done by "gnome-initial-
setup" and the user was added to group "wheel" indicates that's exactly
what happened.

It could be that someone ran "gnome-initial-setup" manually. It's
supposed to unlink from the systemd startup once it's complete, but I
guess it could be run manually.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      Always remember you're unique, just like everyone else.       -
----------------------------------------------------------------------
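
An added example, not part of either message and not Fedora's own tooling: a short Python script that scans /var/log/secure-style lines of the form quoted above and lists local accounts that were created and placed in group "wheel", together with the program that requested them. The sample lines, host name, account names, PIDs and UIDs are constructed for the example.

```python
import re

# Patterns modelled on the /var/log/secure excerpt quoted in the thread.
REQUEST = re.compile(
    r"accounts-daemon: request by system-bus-name \S+ "
    r"\[(?P<exe>\S+) pid:\d+ uid:\d+\]: create user '(?P<user>[^']+)'")
NEW_USER = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD = re.compile(
    r"useradd\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")

ADMIN_GROUPS = {"wheel"}

def audit(lines):
    """Collect every local account created in the log, keyed by user name."""
    accounts = {}
    def entry(user):
        return accounts.setdefault(
            user, {"uid": None, "requested_by": None, "admin_groups": set()})
    for line in lines:
        if m := REQUEST.search(line):
            entry(m["user"])["requested_by"] = m["exe"]
        elif m := NEW_USER.search(line):
            entry(m["user"])["uid"] = int(m["uid"])
        elif (m := GROUP_ADD.search(line)) and m["group"] in ADMIN_GROUPS:
            entry(m["user"])["admin_groups"].add(m["group"])
    return accounts

def admin_accounts(lines):
    """Names of newly created local accounts that were put in an admin group."""
    return sorted(u for u, a in audit(lines).items() if a["admin_groups"])

# Constructed sample lines (not taken from a real host).
SAMPLE = [
    "Nov 15 17:16:40 lab-01 accounts-daemon: request by system-bus-name :1.733 "
    "[/usr/libexec/gnome-initial-setup pid:15259 uid:991]: create user 'labuser'",
    "Nov 15 17:16:43 lab-01 useradd[29724]: new group: name=labuser, GID=1001",
    "Nov 15 17:16:43 lab-01 useradd[29724]: new user: name=labuser, UID=1001, "
    "GID=1001, home=/home/labuser, shell=/bin/bash",
    "Nov 15 17:16:43 lab-01 useradd[29724]: add 'labuser' to group 'wheel'",
    "Nov 15 17:16:43 lab-01 useradd[29724]: add 'labuser' to shadow group 'wheel'",
    "Nov 16 09:02:11 lab-01 useradd[30110]: new user: name=printsvc, UID=1002, "
    "GID=1002, home=/home/printsvc, shell=/sbin/nologin",
]

if __name__ == "__main__":
    for name in admin_accounts(SAMPLE):
        print(name, audit(SAMPLE)[name])
```

On stations where every real user comes from LDAP, any name this reports is worth checking against /etc/passwd and the wheel entry in /etc/group.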