From owner-freebsd-security Wed Dec 17 09:56:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA27997 for security-outgoing; Wed, 17 Dec 1997 09:56:25 -0800 (PST) (envelope-from owner-freebsd-security) Received: from ymris.ddm.on.ca (cisco7-152.cas.golden.net [207.216.76.152]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA27989 for ; Wed, 17 Dec 1997 09:56:17 -0800 (PST) (envelope-from dchapes@ddm.on.ca) Received: from squigy.ddm.on.ca (squigy.ddm.on.ca [209.47.139.138]) by ymris.ddm.on.ca (8.8.7/8.8.8) with ESMTP id MAA04254 for ; Wed, 17 Dec 1997 12:55:41 -0500 (EST) (envelope-from dchapes@ymris.ddm.on.ca) Received: (from dchapes@localhost) by squigy.ddm.on.ca (8.8.7/8.8.7) id MAA17520; Wed, 17 Dec 1997 12:55:40 -0500 (EST) Message-ID: <19971217125540.06561@ddm.on.ca> Date: Wed, 17 Dec 1997 12:55:40 -0500 From: Dave Chapeskie To: freebsd-security@FreeBSD.ORG Subject: Re: Is this something to worry about? References: <199712170222.MAA01090@word.smith.net.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.81 In-Reply-To: ; from Martin Kammerhofer on Wed, Dec 17, 1997 at 08:05:02AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 17 Dec 1997, Mike Smith wrote: > This is a "feature" of the system; occasionally executables appear to > be written to while they're running. Nobody has been able to work out > why; the write doesn't appear to change any of the actual contents of > the file. On Wed, Dec 17, 1997 at 08:05:02AM +0100, Martin Kammerhofer wrote: > And it breaks things like tripwire ;-I Things like tripwire should be looking at the md5, not the timestamp. The same thing goes for the stuff in /etc/security that uses an ugly find | xargs ls | sort pipe to get a list of suid timestamps. This is silly and usless when they should be using mtree(8) with the "md5digest" keyword. -- Dave Chapeskie, DDM Consulting E-Mail: dchapes@ddm.on.ca