Date: Sun, 29 Sep 1996 15:01:24 -0700 (PDT)
From: Doug White <dwhite@gdi.uoregon.edu>
To: Paul Walsh <paul@nation-net.com>
Cc: questions@FreeBSD.ORG
Subject: Re: mysterious setuid changes
Message-ID: <Pine.BSI.3.94.960929145730.911I-100000@gdi.uoregon.edu>
In-Reply-To: <324E502B.10B5@nation-net.com>

On Sun, 29 Sep 1996, Paul Walsh wrote:

> Can anyone explain why I would get this in my daily security run output, when
> I've not been messing with the permissions?
>
> I only have 3 valid users on the system, so if someone's been fiddling I
> should soon find out who.

Take a look at the differences here:

> checking setuid files and devices:
> www setuid/device diffs:
> 66a67,68
> > -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
> > -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq
> 79,80d80

These files were removed from the system...

> < drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995
> /usr/local/src/Python-1.3/Nt/Python
> < drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996
> /usr/local/src/Python-1.3/Objects

These were added. In diff, < = inserted, > = removed.

> < -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> < -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin

These were added to the file. Not quite sure why.

> > drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995 /usr/local/src/Python-1.3/Nt/Python
> > drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996 /usr/local/src/Python-1.3/Objects

These were removed from the file (probably exchanged for the two above)

> > -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> > -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin

This looks like a tabbing problem. I have the same thing happen to mine --
odd files will suddenly appear in the diffs. (note the space after the
'kmem' word in sendmail's entries...it's longer)

Only worry if the actual permissions change or the owner changes.

> checking for uids of 0:
> root 0
> toor 0

This should never change. If you see one of your users' names appear
here...well, you're in trouble.

Doug White                            | University of Oregon
Internet: dwhite@resnet.uoregon.edu   | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite  | Computer Science Major
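
Added example, not part of the original message: a short Python script that applies the "only worry if the actual permissions change or the owner changes" rule by comparing two setuid listings field by field, so that column-spacing differences like the one after 'kmem' drop out. The sample listings are constructed, and /usr/local/bin/example is a hypothetical path.

```python
# Added example: field-wise comparison of two setuid listings.
# OLD and NEW are constructed samples; /usr/local/bin/example is hypothetical.
OLD = """\
-r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
-r-sr-xr-x 1 root bin 4096 Jan 1 00:00:00 1996 /usr/local/bin/example
"""
NEW = """\
-r-sr-sr-x 3 root kmem  180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
-rwsr-xr-x 1 uucp bin 4096 Jan 1 00:00:00 1996 /usr/local/bin/example
"""

def parse_listing(text):
    """Map path -> (mode, owner, group) for each listing line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()  # any run of spaces or tabs is one separator
        # Layout: mode links owner group size month day time year path
        if len(fields) < 10:
            continue
        entries[" ".join(fields[9:])] = (fields[0], fields[2], fields[3])
    return entries

def textual_changes(old_text, new_text):
    """Paths a plain line comparison reports, spacing noise included."""
    differing = set(old_text.splitlines()) ^ set(new_text.splitlines())
    return sorted({line.split()[-1] for line in differing if line.split()})

def real_changes(old_text, new_text):
    """(kind, path, before, after) where mode, owner or group differs."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    report = []
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path), new.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        report.append((kind, path, before, after))
    return report

if __name__ == "__main__":
    print("line diff flags:", textual_changes(OLD, NEW))
    for change in real_changes(OLD, NEW):
        print(change)
```

The line comparison flags sendmail because of the extra space alone, while the field comparison reports only the entry whose mode and owner differ.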