Date:      Wed, 29 Aug 2001 17:11:25 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        Fernan Aguero <fernan@iib.unsam.edu.ar>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: changed /dev/ttys is this normal?
Message-ID:  <20010829171125.G780@ringworld.oblivion.bg>
In-Reply-To: <20010829165906.D780@ringworld.oblivion.bg>; from roam@ringlet.net on Wed, Aug 29, 2001 at 04:59:06PM +0300
References:  <20010829102031.A22076@iib005.iib.unsam.edu.ar> <20010829165906.D780@ringworld.oblivion.bg>

On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > Hi
> > 
> > I started using tripwire to monitor for changed files on my system.
> > I noticed that /dev/console and /dev/ttys were changed and the
> > tripwire report showed the following:
> > 
> > [...]
> > 
> >  Modified object name:  /dev/console
> >  
> >   Property:            Expected                    Observed
> >   -------------        -----------                 -----------
> >   Object Type          Character Device            Character Device
> >   Device Number        160768                      160768
> >   Inode Number         7208                        7208
> >   Mode                 crw--w--w-                  crw--w--w-
> >   Num Links            1                           1
> > * UID                  fernan (1001)               root (0)
> >   GID                  wheel (0)                   wheel (0)
> [snip]
> > 
> > Is this normal? If so, is it safe to change tripwire's policy to
> > ignore these changes?
> 
> Yes, this is normal - the owner of a terminal device is always
> set to the user who has logged in, so he can open it and perform
> reads/writes/ioctls on it.
> 
> I believe that it should be safe to have tripwire ignore terminal
> devices :)

...but actually, it might be wise if Tripwire would warn you about
changes in *anything* but the owner on terminal devices.  Also,
it would be wise to have it warn you for the appearance of *new*
files looking like terminal devices.  I've seen more than one
rootkit which installed a setuid shell or a config file or whatever
as /dev/ttySomething, or as a replacement for one of the higher-numbered
tty devices (in the hope that those are reached only very rarely,
and this would go unnoticed for quite some time).

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.
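A small audit in the spirit of the advice above, added here as an example and not code from the thread or from Tripwire: it treats a change of owner on a terminal node as noise, but reports any other property change, any missing node, and any new tty-like name, flagging regular files and setuid bits among them. The tty name prefixes and the flat /dev layout are assumptions.

```python
import os
import stat

# Names that look like terminal devices on a FreeBSD-style /dev
# (assumption: adjust the prefixes for the system being audited).
TTY_PREFIXES = ("tty", "pts", "console", "cua")

# Properties compared between baseline and current snapshot. "uid" is
# recorded but deliberately left out: login chowns the tty to the user.
TRACKED = ("type", "dev", "ino", "mode", "nlink", "gid")


def is_tty_name(name):
    return name.startswith(TTY_PREFIXES)


def record_from_stat(st):
    """Reduce an os.stat_result to the properties worth comparing."""
    if stat.S_ISCHR(st.st_mode):
        kind = "Character Device"
    elif stat.S_ISREG(st.st_mode):
        kind = "Regular File"
    else:
        kind = "Other"
    return {"type": kind, "dev": st.st_rdev, "ino": st.st_ino,
            "mode": stat.S_IMODE(st.st_mode), "nlink": st.st_nlink,
            "gid": st.st_gid, "uid": st.st_uid}


def snapshot(dev_dir="/dev"):
    """Baseline of every tty-like entry directly under dev_dir (no symlink following)."""
    return {e.name: record_from_stat(e.stat(follow_symlinks=False))
            for e in os.scandir(dev_dir) if is_tty_name(e.name)}


def entry_findings(name, rec):
    """Checks a tty-like entry must pass regardless of any baseline."""
    findings = []
    if rec["type"] != "Character Device":
        findings.append(f"{name}: tty-like name but is a {rec['type']}")
    if rec["mode"] & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{name}: setuid/setgid bit set")
    return findings


def compare(baseline, current):
    """Report new, missing and changed tty entries; owner changes alone are silent."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings.append(f"{name}: NEW tty-like entry")
            findings.extend(entry_findings(name, current[name]))
            continue
        if name not in current:
            findings.append(f"{name}: missing")
            continue
        old, new = baseline[name], current[name]
        changed = [p for p in TRACKED if old[p] != new[p]]
        if changed:
            findings.append(f"{name}: changed {', '.join(changed)}")
        findings.extend(entry_findings(name, new))
    return findings
```

Run `snapshot()` once as root to store a baseline, then feed a fresh `snapshot()` to `compare()` from a periodic job.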
