Date:      Thu, 14 Sep 2000 20:43:49 -0400
From:      Mike <mike@mikesweb.com>
To:        Bill Fumerola <billf@chimesnet.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: make is suid?
Message-ID:  <4.3.2.7.2.20000914204109.00b80868@mail.mikesweb.com>
In-Reply-To: <20000914203550.M47559@jade.chc-chimes.com>
References:  <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com> <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com>

Just set up that box not too long ago, and was just going through taking 
out all the suid stuff.. I'm the only person with access to the box, so I'm 
doubting compromise.
This is what I had for "find / -perm -2000 -ls" after a fresh install and 
cvsup.

   8027  190 -r-sr-sr-x    1 uucp             dialer              96540 Jul 30 00:46 /usr/bin/uustat
   8073   26 -r-xr-s---    1 root             kmem                12900 Jul 30 00:49 /usr/bin/fstat
   8088   20 -r-xr-s---    1 root             kmem                 9624 Jul 30 00:49 /usr/bin/ipcs
   8135  166 -r-xr-s---    1 root             kmem                84448 Jul 30 00:49 /usr/bin/netstat
   8137   20 -r-xr-s---    1 root             kmem                 9660 Jul 30 00:49 /usr/bin/nfsstat
   8172  112 -r-xr-s---    1 root             kmem                56392 Jul 30 00:49 /usr/bin/systat
   8182   64 -r-xr-s---    1 root             kmem                32136 Jul 30 00:49 /usr/bin/top
   8204   34 -r-xr-s---    1 root             kmem                16392 Jul 30 00:49 /usr/bin/vmstat
   8214   16 -r-xr-s---    1 root             tty                  7288 Jul 30 00:49 /usr/bin/write
3190413  448 -r-sr-sr-x    1 uucp             dialer             220460 Jul 30 00:46 /usr/libexec/uucp/uucico
3190414  224 -r-sr-s---    1 uucp             uucp                99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt
6317475  896 -rwxr-sr-x    1 root             kmem               442384 Aug 25 05:51 /usr/local/bin/make

At 08:35 PM 9/14/2000 -0400, Bill Fumerola wrote:
>On Thu, Sep 14, 2000 at 08:33:28PM -0400, Mike wrote:
> > I noticed that make is suid root.
> > -rwxr-sr-x    1 root             kmem               442384 Aug 25 05:51 /usr/local/bin/make
>
>[hawk-billf] /home/billf/postfix-current > ls -l =make
>-r-xr-xr-x  1 root  wheel  97120 Jul 14 00:17 /usr/bin/make*
>
> > Is that supposed to be? Would it still work for users if it wasn't?
>
>No, it shouldn't be.
>Yes, it does.
>
>I'd suspect that your machine has had a compromise, if I were you.
>
>--
>Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
>                 billf@chimesnet.com / billf@FreeBSD.org
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20000914204109.00b80868>
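
A way to triage a listing like the one in this message, as an added example that is not part of the original e-mail: it decodes which set-id bit each mode string carries and marks entries that sit outside the base-system directories or carry a write bit. The function names, the base-directory list and the "REVIEW" label are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): triage `find ... -ls` output.
# Assumption: paths contain no spaces, so the last field is the path.

# Three entries taken from the listing in the message above.
sample_listing() {
cat <<'EOF'
   8027  190 -r-sr-sr-x    1 uucp             dialer              96540 Jul 30 00:46 /usr/bin/uustat
   8073   26 -r-xr-s---    1 root             kmem                12900 Jul 30 00:49 /usr/bin/fstat
6317475  896 -rwxr-sr-x    1 root             kmem               442384 Aug 25 05:51 /usr/local/bin/make
EOF
}

# Prints one line per set-id file: STATUS BITS OWNER:GROUP PATH [(reasons)]
classify_ls() {
    awk '
    {
        mode = $3; owner = $5; group = $6; path = $NF
        bits = ""
        # Character 4 is the owner execute slot, character 7 the group one.
        if (substr(mode, 4, 1) ~ /[sS]/) bits = bits "setuid,"
        if (substr(mode, 7, 1) ~ /[sS]/) bits = bits "setgid,"
        if (bits == "") next
        sub(/,$/, "", bits)
        why = ""
        # Assumed base-system directories; anything else deserves a look.
        if (path !~ /^\/(bin|sbin|usr\/bin|usr\/sbin|usr\/libexec)\//) {
            why = why " non-base-path"
        }
        # The base-system entries in the listing are read-only, so a write
        # bit on a set-id file stands out.
        if (mode ~ /w/) { why = why " writable" }
        if (why == "") {
            printf "ok %s %s:%s %s\n", bits, owner, group, path
        } else {
            printf "REVIEW %s %s:%s %s (%s)\n", bits, owner, group, path, substr(why, 2)
        }
    }'
}

# Stand-alone run on the embedded sample; on a live system, pipe the output
# of the find command from the message into classify_ls instead.
sample_listing | classify_ls
```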