From: Raimund Sacherer
To: freebsd-questions@freebsd.org
Date: Wed, 18 Feb 2015 21:25:18 +0100 (CET)
Subject: Re: setuid diffs in daily security run output

----- Original Message -----
> From: kpneal@pobox.com
> To: "Raimund Sacherer"
> Cc: freebsd-questions@freebsd.org
> Sent: Wednesday, February 18, 2015 8:02:00 PM
> Subject: Re: setuid diffs in daily security run output
>
> On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > Hello,
> >
> > This is one of our first FreeBSD servers we use, and I'd rather be safe than
> > sorry. We put a FreeBSD 10.0 system into production and it has been running (in
> > production) for a couple of weeks now. Reading the security run emails today I
> > noticed a lot of these:
> >
> > --- snip ---
> > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
> > - 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs
> > - 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
> > - 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6
> > - 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff
> > - 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown
> > - 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at
> > - 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq
> > --- snip ---
> >
> > I did not see those messages before, but I do normally read those mails.
> > How come those messages are in the security output today? Are those
> > permissions correct? Should I be worried about an intruder?
>
> Is it possible someone modified or deleted the files that the security
> script uses to keep track of what files are setuid? If one of your other
> support people didn't know what something was they may have deleted it or
> otherwise messed with it.

Hello,

I will check this out, thank you. Is there any way to make sure that these
permissions are correct? Is there some place where the standard permissions
for all those tools are documented?

best
Ray
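As an added illustration (not part of the thread, and not FreeBSD's own periodic script), here is a small Python checker that parses setuid diff lines in the format quoted above and compares each listed mode with the file's current mode on disk, so an admin can see whether a "-" line reflects a real permission change, a deleted file, or merely a refreshed listing. The sample lines, the `fake_stat` stand-in and the `FAKE_FS` contents are constructed for an offline run; on a real host pass the default `os.stat`.

```python
import os
import re
import stat
from types import SimpleNamespace
from typing import NamedTuple

# Constructed sample in the format of the daily security run's setuid diff
# (diff(1) style: "-" lines come from the previous day's list and are absent
# today, "+" lines are present today but were not in the previous list).
SAMPLE_DIFF = """\
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
+ 471 -rwsr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
"""

LINE_RE = re.compile(
    r"^(?P<sign>[-+]) +(?P<inode>\d+) +(?P<mode>[-a-zA-Z]{10}) +(?P<links>\d+) +"
    r"(?P<owner>\S+) +(?P<group>\S+) +(?P<size>\d+) +\w{3} +\d+ +[\d:]+ +\d{4} +(?P<path>/\S+)$"
)

class SetuidEntry(NamedTuple):
    sign: str
    mode: str
    owner: str
    group: str
    path: str

def parse_diff(text):
    """Parse diff lines; unrelated lines (headers, '--- snip ---') are skipped."""
    return [SetuidEntry(m["sign"], m["mode"], m["owner"], m["group"], m["path"])
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

# ls(1) mode string -> numeric permission bits, including setuid/setgid/sticky.
MASKS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
         stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def mode_bits(mode_str):
    bits = 0
    for i, ch in enumerate(mode_str[1:]):   # skip the file-type character
        if ch in "rwxst":                   # lower case: the basic bit is set
            bits |= MASKS[i]
        if ch in "sStT":                    # s/t: setuid, setgid or sticky bit
            bits |= SPECIAL[i]
    return bits

def check_live(entries, stat_fn=os.stat):
    """Return [(entry, verdict)] comparing the listed mode with the live mode."""
    out = []
    for e in entries:
        try:
            live = stat.S_IMODE(stat_fn(e.path).st_mode)
        except FileNotFoundError:
            out.append((e, "missing"))
            continue
        want = mode_bits(e.mode)
        out.append((e, "ok" if live == want else "differs: live %04o, listed %04o" % (live, want)))
    return out

# Constructed stand-in for os.stat so the check runs offline (hypothetical state).
FAKE_FS = {"/sbin/ping": stat.S_IFREG | 0o4755}
def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_mode=FAKE_FS[path])
```

A "missing" verdict for a listed path, or a mode that now carries extra write bits, is what deserves follow-up; a clean "ok" on every line points to the tracking files themselves having been disturbed, as the reply above suggests.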