Date: Tue, 5 Jun 2007 16:11:24 -0700 (PDT) From: Peter Pluta <peter@placidpublishing.net> To: freebsd-questions@freebsd.org Subject: Re: Security Run Output Setuid Differences Message-ID: <10979516.post@talk.nabble.com> In-Reply-To: <20070521200212.GA95817@slackbox.xs4all.nl> References: <10724342.post@talk.nabble.com> <20070521144544.09ec771b.wmoran@potentialtech.com> <10724835.post@talk.nabble.com> <20070521200212.GA95817@slackbox.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
Roland Smith wrote: > > On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote: > <snip> >> > Looks like you were portupgrading around with postfix, screen and >> xterm. >> > >> > The output is diff(1). See the man page for details, but it's >> basically >> > showing you the difference between last night's directory listing, and >> > that >> > of the previous day. >> > >> > For more gory details, see the scripts in /etc/periodic/security, which >> > are >> > run every night from cron. Some of the ports you changed resulted in >> > changes to setuid/setgid programs installed on the system. As a >> security- >> > concious administrator, you should be interested in the programs on >> your >> > system that have elevated privilidges, so this script is provided to >> give >> > you a daily report on that. >> >> I see, so basically after reinstalling the default uid/gid of some >> programs >> changed? Is that a problem or anything? > > It's not a problem. It's just something that you should be aware of from > a security standpoint. > > In this case you caused it because you upgraded some ports, which is OK. > > But if the size, date, ownership or permissions of a binary change > without any apparent cause, it _could_ be the work of an intruder or > rootkit trying to backdoor your system. That's why the system checks it. > > In /etc/defaults/periodic.conf you see which settings there are > concerning security, and what the defaults are. If you want to disable > some of them, put the settings in /etc/periodic.conf with a "NO" value > instead of "YES". But I would recommend to leave them as they are. > > Roland > -- > R.F.Smith http://www.xs4all.nl/~rsmith/ > [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] > pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) > > > mail.***********.net setuid diffs: --- /var/log/setuid.today Mon May 21 03:02:30 2007 +++ /tmp/security.wq6BsVcr Sun Jun 3 03:01:48 2007 @@ -20,7 +20,7 @@ 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 /usr/bin/yppasswd 71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen 70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 /usr/local/sbin/lsof -73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop -73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue +71432 -rwxr-sr-x 1 root maildrop 142559 Jun 2 15:47:54 2007 /usr/local/sbin/postdrop +71433 -rwxr-sr-x 1 root maildrop 152477 Jun 2 15:47:54 2007 /usr/local/sbin/postqueue 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 /usr/sbin/mailwrapper 923264 -r-sr-x--- 1 root network 11636 Jul 30 16:20:07 2006 /usr/sbin/sliplogin I have some more, I'm starting to understand it a bit better. Basically the user:group id number has changed and the security run is letting me know. Good deal, but im still confused as to what the @@ -20,7 + 20,7 @@ and + - mean. Can anyone explain those? I'm curious, also why would yppasswd change to userid 2? I changed roots name yesterday, could that be the cause of it? -- View this message in context: http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10979516 Sent from the freebsd-questions mailing list archive at Nabble.com.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10979516.post>