Date: Thu, 08 Jan 1998 12:28:54 -0800 From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca> To: Adam Shostack <adam@homeport.org> Cc: lhartfor@mtghouse.com, freebsd-security@freebsd.org Subject: Re: /usr/bin/su modification time changing Message-ID: <199801082029.MAA18652@passer.osg.gov.bc.ca> In-Reply-To: Your message of "Thu, 08 Jan 1998 12:32:35 EST." <199801081732.MAA09060@homeport.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Suggest using md5, not sum. Script kiddies have had tools since 1990 > or so to fake out sum. > > diff is also useful. :) > > Also, I seem to recall that theres a problem with FreeBSD where the OS > randomly updates the mod time, but nothing else, of a file. The modification time of a file can be changed if breakpoints are set during a gdb session, if a file gets paged out and in some circumstances when mmap() is used. The problem can be reproduced on 2.2.x systems 100% of the time when restore is run. Restore's mod time always gets updated whenever it is run. The problem was more prevelant in 2.0 and 2.1. I understand that fixes to VM and procfs in -current may have fixed this. > > > Adam > > > Lance Hartford wrote: > | > | I just installed 2.2.5 on a PC and I received the following portion of > | message in a security mail that was sent out last night: > | > | xyz setuid diffs: > | 152c152 > | < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su > | --- > | > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su > | > | I did a "sum" on the /usr/bin/su on another system onsite, and found > | that there was no difference compared to the one on this system. Does > | this imply that there is a security problem at my site? > | > | Thanks. > | > | Lance > | > > > -- > <123> stargate /export/home/adam% passwd > passwd: Changing password for adam > passwd: adam does not exist Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 UNIX Support OV/VM: BCSC02(CSCHUBER) ITSD BITNET: CSCHUBER@BCSC02.BITNET Government of BC Internet: cschuber@uumail.gov.bc.ca Cy.Schubert@gems8.gov.bc.ca "Quit spooling around, JES do it."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199801082029.MAA18652>