Date: Wed, 29 Aug 2001 16:59:06 +0300
From: Peter Pentchev
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: changed /dev/ttys is this normal?
Message-ID: <20010829165906.D780@ringworld.oblivion.bg>
In-Reply-To: <20010829102031.A22076@iib005.iib.unsam.edu.ar>

On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> Hi
>
> I started using tripwire to monitor for changed files on my system.
> I noticed that /dev/console and /dev/ttys were changed and the
> tripwire report showed the following:
>
> [...]
>
> Modified object name:  /dev/console
>
>   Property:            Expected                    Observed
>   -------------        -----------                 -----------
>   Object Type          Character Device            Character Device
>   Device Number        160768                      160768
>   Inode Number         7208                        7208
>   Mode                 crw--w--w-                  crw--w--w-
>   Num Links            1                           1
> * UID                  fernan (1001)               root (0)
>   GID                  wheel (0)                   wheel (0)
[snip]
>
> Is this normal? If so, is it safe to change tripwire's policy to
> ignore these changes?

Yes, this is normal - the owner of a terminal device is always set
to the user who has logged in, so he can open it and perform
reads/writes/ioctls on it.

I believe that it should be safe to have tripwire ignore terminal devices :)

G'luck,
Peter

-- 
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
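The reply above amounts to a triage rule: on a terminal device, a change of owner alone is expected after a login. As an added example (not part of the original message and not Tripwire's own code), the Python below parses a report excerpt in the layout quoted above and separates owner-only changes on terminal devices from changes that still need review. The sample text, the /dev/ttyv1 entry, the terminal-name pattern and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout of the report quoted above. The /dev/ttyv1
# entry is invented to show a change that must still be reviewed.
SAMPLE_REPORT = """\
Modified object name:  /dev/console
  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Character Device            Character Device
  Mode                 crw--w--w-                  crw--w--w-
* UID                  fernan (1001)               root (0)
  GID                  wheel (0)                   wheel (0)
Modified object name:  /dev/ttyv1
  Property:            Expected                    Observed
  Object Type          Character Device            Character Device
* Mode                 crw--w----                  crw-rw-rw-
* UID                  root (0)                    fernan (1001)
"""

# Assumption: which names count as terminal devices on this host.
TERMINAL = re.compile(r"^/dev/(console|tty\w+)$")

def parse_report(text):
    """Map each object name to its observed type and the set of '*' properties."""
    objects, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Modified object name:\s+(\S+)", line)
        if m:
            current = objects.setdefault(m.group(1), {"type": None, "changed": set()})
            continue
        changed = line.lstrip().startswith("*")  # '*' marks a differing property
        fields = re.split(r"\s{2,}", line.strip().lstrip("*").strip())
        # Skip blank lines, the column header and the dashed separator.
        if current is None or len(fields) != 3 or fields[0].startswith(("Property:", "-")):
            continue
        prop, _expected, observed = fields
        if prop == "Object Type":
            current["type"] = observed
        if changed:
            current["changed"].add(prop)
    return objects

def triage(text):
    """Return (expected, review): owner-only changes on terminals vs the rest."""
    expected, review = [], []
    for name, info in parse_report(text).items():
        owner_only = (TERMINAL.match(name) and info["type"] == "Character Device"
                      and info["changed"] == {"UID"})
        (expected if owner_only else review).append(name)
    return expected, review

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

A terminal whose mode changed along with its owner stays in the review list, so suppressing the login noise does not hide a permission change on the same device.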