Date: Wed, 29 Aug 2001 16:59:06 +0300 From: Peter Pentchev <roam@ringlet.net> To: Fernan Aguero <fernan@iib.unsam.edu.ar> Cc: FreeBSD Security <freebsd-security@freebsd.org> Subject: Re: changed /dev/ttys is this normal? Message-ID: <20010829165906.D780@ringworld.oblivion.bg> In-Reply-To: <20010829102031.A22076@iib005.iib.unsam.edu.ar>; from fernan@iib.unsam.edu.ar on Wed, Aug 29, 2001 at 10:20:31AM -0300 References: <20010829102031.A22076@iib005.iib.unsam.edu.ar>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote: > Hi > > I started using tripwire to monitor for changed files on my system. > I noticed that /dev/console and /dev/ttys were changed and the > tripwire report showed the following: > > [...] > > Modified object name: /dev/console > > Property: Expected Observed > ------------- ----------- ----------- > Object Type Character Device Character Device > Device Number 160768 160768 > Inode Number 7208 7208 > Mode crw--w--w- crw--w--w- > Num Links 1 1 > * UID fernan (1001) root (0) > GID wheel (0) wheel (0) [snip] > > Is this normal? If so, is it safe to change tripwire's policy to > ignore this changes? Yes, this is normal - the owner of a terminal device is always set to the user who has logged in, so he can open it and perform reads/writes/ioctls on it. I believe that it should be safe to have tripwire ignore terminal devices :) G'luck, Peter -- "yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010829165906.D780>