Splunk takes ownership of a binary file?

leduser
Engager

I'm not a Linux expert, but I installed Splunk to take a look. It worked fine. After playing a while, I noticed that one of my program's permissions had been changed to being owned by splunk!

In the /usr/sbin directory, the mumble program had changed permissions! This happened only to the mumble binary, as well as the mumble startup file in /etc/init.d (same exact permission change).

Server is Ubuntu 10.04 Server. Splunk is latest, downloaded and installed two days ago.

Orig:

-rwxr-xr-x  1 joe  1001   6612323 2011-01-15 19:51 mumble*

Now:

-rwxr-xr-x  1 splunk  admin   6612323 2011-01-15 19:51 mumble*

Tried to fix:

$ chown joe:1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

$ chgrp root mumble
ls -l mumble
-rwxr-xr-x  1 joe  root   6612323 2011-01-15 19:51 mumble*

$ chgrp 1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

I don't understand why splunk would take ownership of this file, and why is group 1001 resulting in "splunk"? Admittedly, I'm no Linux expert, so I apologize if I'm missing something obvious.

So, I am unable to change the group ownership back to 1001 as it was originally. This is a test machine, but I'm rather concerned that this could happen. Thanks.

Linegod
Path Finder

Whenever a group shows up as a number, it means that it has not been assigned, and is therefore invalid.

When Splunk was installed, it created the splunk group using the next available group number - in this case 1001.

It is not a bug or error; it is how Linux works.

You should really be assigning mumble to a group which exists (look in /etc/group).
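
The behaviour described in the answer above, as an added example that is not part of the original thread: the same numeric GID is displayed as a number until a group with that number exists, and files left with an unassigned GID can be found before a later install claims it. The function names and the group-file contents are constructed for illustration; the script reads a copy of the group file passed as an argument, not the live /etc/group.

```shell
#!/bin/sh
# Added example: why "1001" turned into "splunk", and how to audit for it.
# All group entries below are constructed sample data.

# gid_name GROUP_FILE GID: print the group name GID maps to, empty if none.
gid_name() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# show_group GROUP_FILE GID: what the group column of `ls -l` would display.
# A GID with no entry is shown as the bare number.
show_group() {
    name=$(gid_name "$1" "$2")
    if [ -n "$name" ]; then echo "$name"; else echo "$2"; fi
}

# orphan_gid_files GROUP_FILE DIR: print "GID PATH" for every regular file
# under DIR whose numeric GID has no entry in GROUP_FILE. Such files will
# appear to belong to whichever group is later created with that number.
orphan_gid_files() {
    find "$2" -type f | while IFS= read -r f; do
        # Field 4 of `ls -ldn` is the numeric GID.
        gid=$(ls -ldn -- "$f" | awk '{ print $4 }')
        [ -n "$(gid_name "$1" "$gid")" ] || printf '%s %s\n' "$gid" "$f"
    done
}

# Reproduce the thread's observation with two constructed group files:
# one from before the install, one after a "splunk" group took GID 1001.
demo() {
    work=$(mktemp -d) || return 1
    printf 'root:x:0:\nadmin:x:110:joe\n' > "$work/group.before"
    cp "$work/group.before" "$work/group.after"
    printf 'splunk:x:1001:\n' >> "$work/group.after"
    echo "GID 1001 before install: $(show_group "$work/group.before" 1001)"
    echo "GID 1001 after install:  $(show_group "$work/group.after" 1001)"
    rm -rf "$work"
}
demo
```

On a live system, `find /usr/sbin /etc/init.d -nogroup -o -nouser` performs the same audit against the real account databases.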
