Date: Thu, 08 Jan 1998 12:28:54 -0800
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Adam Shostack <adam@homeport.org>
Cc: lhartfor@mtghouse.com, freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
Message-ID: <199801082029.MAA18652@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Thu, 08 Jan 1998 12:32:35 EST." <199801081732.MAA09060@homeport.org>

> Suggest using md5, not sum. Script kiddies have had tools since 1990
> or so to fake out sum.
>
> diff is also useful. :)
>
> Also, I seem to recall that there's a problem with FreeBSD where the OS
> randomly updates the mod time, but nothing else, of a file.
The modification time of a file can be changed if breakpoints are set during a
gdb session, if a file gets paged out and in some circumstances when mmap() is
used. The problem can be reproduced on 2.2.x systems 100% of the time when
restore is run. Restore's mod time always gets updated whenever it is run.
The problem was more prevalent in 2.0 and 2.1. I understand that fixes to VM
and procfs in -current may have fixed this.
>
>
> Adam
>
>
> Lance Hartford wrote:
> |
> | I just installed 2.2.5 on a PC and I received the following portion of
> | message in a security mail that was sent out last night:
> |
> | xyz setuid diffs:
> | 152c152
> | < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> | ---
> | > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
> |
> | I did a "sum" on the /usr/bin/su on another system onsite, and found
> | that there was no difference compared to the one on this system. Does
> | this imply that there is a security problem at my site?
> |
> | Thanks.
> |
> | Lance
> |
>
>
> --
> <123> stargate /export/home/adam% passwd
> passwd: Changing password for adam
> passwd: adam does not exist
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
UNIX Support OV/VM: BCSC02(CSCHUBER)
ITSD BITNET: CSCHUBER@BCSC02.BITNET
Government of BC Internet: cschuber@uumail.gov.bc.ca
Cy.Schubert@gems8.gov.bc.ca
"Quit spooling around, JES do it."
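
An added example, not part of the original message: a baseline check that tells the mtime-only drift described in this thread apart from a real change to a setuid binary by comparing a digest, mode, owner and size. It uses SHA-256 where the thread suggests md5; the function names are hypothetical and the file is a constructed stand-in, not a real /usr/bin/su.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record the attributes a setuid audit should compare for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size,
            "mtime": st.st_mtime_ns, "sha256": digest.hexdigest()}

def classify(old, new):
    """Compare two snapshots; content and ownership outrank mtime."""
    if old["sha256"] != new["sha256"] or old["size"] != new["size"]:
        return "content-changed"
    if any(old[k] != new[k] for k in ("mode", "uid", "gid")):
        return "metadata-changed"
    if old["mtime"] != new["mtime"]:
        return "mtime-only"
    return "unchanged"

def demo():
    """Constructed scenario using a temporary stand-in file."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "su-standin")
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample bytes")
        os.chmod(path, 0o555)
        base = snapshot(path)
        results.append(classify(base, snapshot(path)))
        # Only the modification time moves, as in the report above.
        os.utime(path, ns=(base["mtime"], base["mtime"] + 10 * 10**9))
        results.append(classify(base, snapshot(path)))
        # Same size and restored mtime, different bytes: only the digest sees it.
        os.chmod(path, 0o755)
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample bytez")
        os.chmod(path, 0o555)
        os.utime(path, ns=(base["mtime"], base["mtime"]))
        results.append(classify(base, snapshot(path)))
    return results

if __name__ == "__main__":
    print(demo())
```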
