When I first experienced "promiscuous" escalation of etc mode from 755 to
600 (at least 8 to 10 years ago) I hunted down a reference by someone that
this could happen if the lpd daemon was compromised. I stopped using lpd,
and rebuilt my system. That system then worked fine until it was junked.
When both of my current systems experienced this déjà vu, I was quite
astounded. Why me? Anyway, I logged into my AMD64 in recovery mode, and
began to exit out just about every service script in init.d I felt I could
get away without. The mode changing stopped. I then painfully began
reenabling scripts, and rebooting, until the mode on etc escalated. Unless
this is a very clever exploit, it seems the problem is limited to samba. I
haven't had a mode escalation problem, either from reboots, or just power on
time since stopping samba on both machines.
Either I'm doing something to cause gross misbehavior in samba, there is a
bug in samba, or, taking the path of paranoia, someone along the samba
source chain might be a saboteur. I'll start with the first proposition. My
first symptom was the "i have no name" prompts in my xterms when whoami
failed. There is a lot of that going on out there on the net, but no one
ever mentions, as a possible cause, an overescalated mode on etc. I'll be
ripping my samba out, and replacing it with a surgical install via dpkg from
the Debian main site. We'll see....
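
Added example, not part of the original post: a shell check that compares a directory's mode with a baseline and flags a missing search bit for other users, which on /etc is what stops non-root processes from reading /etc/passwd and makes lookups such as whoami fail. The function names are hypothetical, GNU stat is assumed, and the 755 baseline for /etc is the one the post gives.

```shell
#!/bin/sh
# Added example: function names are hypothetical; GNU stat (-c) is assumed.

# Print the octal permission bits of a path, e.g. 755.
dir_mode() {
    stat -c '%a' -- "$1"
}

# Succeed only if "other" has the search (x) bit on the directory.
# Without it on /etc, non-root processes cannot open /etc/passwd, so
# UID-to-name lookups fail and the shell prompt shows "I have no name!".
others_can_traverse() {
    oct_mode=$(dir_mode "$1") || return 2
    [ $(( 0$oct_mode & 01 )) -ne 0 ]
}

# Compare a path's mode with the expected baseline and print one line.
# Returns 0 when it matches, 1 on drift, 2 when stat fails.
check_mode() {
    chk_path=$1
    chk_expected=$2
    chk_actual=$(dir_mode "$chk_path") || {
        echo "ERROR $chk_path stat-failed"
        return 2
    }
    if [ "$chk_actual" = "$chk_expected" ]; then
        echo "OK $chk_path $chk_actual"
        return 0
    fi
    if others_can_traverse "$chk_path"; then
        echo "DRIFT $chk_path expected=$chk_expected actual=$chk_actual"
    else
        echo "DRIFT $chk_path expected=$chk_expected actual=$chk_actual others-cannot-traverse"
    fi
    return 1
}

# Baseline from the post: /etc should be 755. Prefix a timestamp so that
# repeated runs (for example from cron) show when the mode changed.
printf '%s ' "$(date '+%Y-%m-%dT%H:%M:%S')"
check_mode /etc 755 || true
```

Run at intervals while services are re-enabled one at a time, the timestamped lines narrow down when the mode changed without needing a reboot per test.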