Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 14 Sep 2000 20:45:30 -0400
From:      Mike <mike@mikesweb.com>
To:        Bill Fumerola <billf@chimesnet.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: make is suid?
Message-ID:  <4.3.2.7.2.20000914204506.0f6eb548@mail.mikesweb.com>
In-Reply-To: <4.3.2.7.2.20000914204109.00b80868@mail.mikesweb.com>
References:  <20000914203550.M47559@jade.chc-chimes.com> <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com> <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com>

next in thread | previous in thread | raw e-mail | index | archive | help
(forgot to mention that I had taken out the user exec permissions before 
doing the listing)

At 08:43 PM 9/14/2000 -0400, Mike wrote:
>Just set up that box not too long ago, and was just going through taking 
>out all the suid stuff.. I'm the only person with access to the box, so 
>I'm doubting compromise.
>This is what I had for "find / -perm -2000 -ls" after a fresh install and 
>cvsup.
>
>   8027  190 -r-sr-sr-x    1 uucp             dialer              96540 
> Jul 30 00:46 /usr/bin/uustat
>   8073   26 -r-xr-s---    1 root             kmem                12900 
> Jul 30 00:49 /usr/bin/fstat
>   8088   20 -r-xr-s---    1 root             kmem                 9624 
> Jul 30 00:49 /usr/bin/ipcs
>   8135  166 -r-xr-s---    1 root             kmem                84448 
> Jul 30 00:49 /usr/bin/netstat
>   8137   20 -r-xr-s---    1 root             kmem                 9660 
> Jul 30 00:49 /usr/bin/nfsstat
>   8172  112 -r-xr-s---    1 root             kmem                56392 
> Jul 30 00:49 /usr/bin/systat
>   8182   64 -r-xr-s---    1 root             kmem                32136 
> Jul 30 00:49 /usr/bin/top
>   8204   34 -r-xr-s---    1 root             kmem                16392 
> Jul 30 00:49 /usr/bin/vmstat
>   8214   16 -r-xr-s---    1 root             tty                  7288 
> Jul 30 00:49 /usr/bin/write
>3190413  448 -r-sr-sr-x    1 uucp             dialer             220460 
>Jul 30 00:46 /usr/libexec/uucp/uucico
>3190414  224 -r-sr-s---    1 uucp             uucp                99340 
>Jul 30 00:46 /usr/libexec/uucp/uuxqt
>6317475  896 -rwxr-sr-x    1 root             kmem               442384 
>Aug 25 05:51 /usr/local/bin/make
>
>At 08:35 PM 9/14/2000 -0400, Bill Fumerola wrote:
>>On Thu, Sep 14, 2000 at 08:33:28PM -0400, Mike wrote:
>> > I noticed that make is suid root.
>> > -rwxr-sr-x    1 root             kmem               442384 Aug 25 05:51
>> > /usr/local/bin/make
>>
>>[hawk-billf] /home/billf/postfix-current > ls -l =make
>>-r-xr-xr-x  1 root  wheel  97120 Jul 14 00:17 /usr/bin/make*
>>
>> > Is that supposed to be? Would it still work for users if it wasn't?
>>
>>No, it shouldn't be.
>>Yes, it does.
>>
>>I'd suspect that your machine has had a compromise, if I were you.
>>
>>--
>>Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
>>                 billf@chimesnet.com / billf@FreeBSD.org
>>
>>
>>
>>
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-isp" in the body of the message
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20000914204506.0f6eb548>