Date: Wed, 8 Oct 2003 12:05:48 -0400
From: Joe Altman
To: Mike Maltese
Cc: questions@freebsd.org
Subject: Re: Setting the sticky bit on /var/mail...

On Tue, Oct 07, 2003 at 09:13:36PM -0700, Mike Maltese wrote:
> > Absolutely you are correct, and the crowd goes wild with
> > applause...thank you.
> >
>
> Glad it helped. =)
>
> > I suppose it would be nice to know what set all of the following on
> > /var/mail:
> >
> > opaque nodump uappnd uchg uunlnk
> >
> > because it sure wasn't me.
> >
> > Removing them allowed me to set the appropriate bit. Thanks again.
>
> That strikes me as really strange. Any chance another user did this or that
> the box was compromised? It seems to be no small coincidence that all the
> flags you listed are the ones that don't require root privileges.

I never give accounts on my personal machines to people; it is possible, I suppose, that the box was compromised; but the compromiser would have to have worked his way in through a LinkSys NAT box that doesn't forward anything to that box; additionally, no services are listening on it: no sshd, no MTA, no inetd, nothing. I don't even log in over my LAN...to get to the console or use X, I use a KVM.

The only other account in /var/mail was gdm...it was set to user:group 92.

Shrug; I don't know....until last night and your email, I had mentally glossed over the entry in the chflags and ls man pages referencing ls -lo...so I don't see any way I could have set those flags.