From owner-freebsd-security Thu Jan 8 12:30:47 1998
Message-Id: <199801082029.MAA18652@passer.osg.gov.bc.ca>
Reply-to: Cy Schubert - ITSD Open Systems Group
To: Adam Shostack
cc: lhartfor@mtghouse.com, freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-reply-to: Your message of "Thu, 08 Jan 1998 12:32:35 EST." <199801081732.MAA09060@homeport.org>
Date: Thu, 08 Jan 1998 12:28:54 -0800
From: Cy Schubert - ITSD Open Systems Group

> Suggest using md5, not sum. Script kiddies have had tools since 1990
> or so to fake out sum.
>
> diff is also useful. :)
>
> Also, I seem to recall that there's a problem with FreeBSD where the OS
> randomly updates the mod time, but nothing else, of a file.

The modification time of a file can be changed if breakpoints are set
during a gdb session, if a file gets paged out and in some circumstances
when mmap() is used. The problem can be reproduced on 2.2.x systems 100%
of the time when restore is run. Restore's mod time always gets updated
whenever it is run. The problem was more prevalent in 2.0 and 2.1.
I understand that fixes to VM and procfs in -current may have fixed this.

>
> Adam
>
>
> Lance Hartford wrote:
> |
> | I just installed 2.2.5 on a PC and I received the following portion of
> | message in a security mail that was sent out last night:
> |
> | xyz setuid diffs:
> | 152c152
> | < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> | ---
> | > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
> |
> | I did a "sum" on the /usr/bin/su on another system onsite, and found
> | that there was no difference compared to the one on this system. Does
> | this imply that there is a security problem at my site?
> |
> | Thanks.
> |
> | Lance
> |
>
>
> --
> <123> stargate /export/home/adam% passwd
> passwd: Changing password for adam
> passwd: adam does not exist

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

                "Quit spooling around, JES do it."
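
An added example, not part of the original thread: a check that separates an mtime-only difference, like the one in the setuid diff quoted above, from a real content change. It uses SHA-256 from Python's hashlib in place of the md5 suggested in the thread; the function names and the scratch file standing in for /usr/bin/su are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record what a setuid listing shows (mode, owner, size, mtime) plus a digest."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "mode": stat.filemode(st.st_mode),
        "owner": (st.st_uid, st.st_gid),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": h.hexdigest(),
    }

def classify(old, new):
    """Compare two snapshots of the same path; the digest decides first."""
    if old["sha256"] != new["sha256"]:
        return "content-changed"
    if old["mode"] != new["mode"] or old["owner"] != new["owner"]:
        return "permissions-changed"
    if old["mtime"] != new["mtime"]:
        return "mtime-only"
    return "unchanged"

def demo():
    """Constructed sample: a scratch file stands in for a setuid binary."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "su-standin")
        with open(path, "wb") as f:
            f.write(b"constructed sample contents\n")
        os.utime(path, (1_000_000, 1_000_000))
        base = snapshot(path)
        results.append(classify(base, snapshot(path)))   # nothing touched
        os.utime(path, (2_000_000, 2_000_000))           # mod time moves, bytes do not
        results.append(classify(base, snapshot(path)))
        with open(path, "wb") as f:                      # same size, different bytes
            f.write(b"constructed sample CONTENTS\n")
        os.utime(path, (1_000_000, 1_000_000))           # mtime put back to baseline
        results.append(classify(base, snapshot(path)))
    return results

if __name__ == "__main__":
    print(demo())
```

The third case has the same size and mtime as the baseline, so a listing diff like the one in the security mail would show nothing; only the digest comparison reports it.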