From owner-freebsd-security Wed Aug 29 7:11:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 3345037B401 for ; Wed, 29 Aug 2001 07:11:42 -0700 (PDT) (envelope-from roam@ringlet.net)
Received: (qmail 2826 invoked by uid 1000); 29 Aug 2001 14:11:25 -0000
Date: Wed, 29 Aug 2001 17:11:25 +0300
From: Peter Pentchev
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: changed /dev/ttys is this normal?
Message-ID: <20010829171125.G780@ringworld.oblivion.bg>
Mail-Followup-To: Fernan Aguero , FreeBSD Security
References: <20010829102031.A22076@iib005.iib.unsam.edu.ar> <20010829165906.D780@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010829165906.D780@ringworld.oblivion.bg>; from roam@ringlet.net on Wed, Aug 29, 2001 at 04:59:06PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > Hi
> > 
> > I started using tripwire to monitor for changed files on my system.
> > I noticed that /dev/console and /dev/ttys were changed and the
> > tripwire report showed the following:
> > 
> > [...]
> > 
> > Modified object name:  /dev/console
> > 
> >   Property:            Expected                    Observed
> >   -------------        -----------                 -----------
> >   Object Type          Character Device            Character Device
> >   Device Number        160768                      160768
> >   Inode Number         7208                        7208
> >   Mode                 crw--w--w-                  crw--w--w-
> >   Num Links            1                           1
> > * UID                  fernan (1001)               root (0)
> >   GID                  wheel (0)                   wheel (0)
> [snip]
> > 
> > Is this normal? If so, is it safe to change tripwire's policy to
> > ignore these changes?
> 
> Yes, this is normal - the owner of a terminal device is always
> set to the user who has logged in, so he can open it and perform
> reads/writes/ioctls on it.
> 
> I believe that it should be safe to have tripwire ignore terminal
> devices :)

..but actually, it might be wise if Tripwire would warn you about changes
in *anything* but the owner on terminal devices.  Also, it would be wise to
have it warn you for the appearance of *new* files looking like terminal
devices.  I've seen more than one rootkit which installed a setuid shell or
a config file or whatever as /dev/ttySomething, or as a replacement for one
of the higher-numbered tty devices (in the hope that those are reached only
very rarely, and this would go unnoticed for quite some time).

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
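The policy Peter describes (ignore owner changes on terminal devices, report every other change, and flag the appearance of new terminal-looking names, especially ones that are not character devices or carry a setuid bit), written out as an added example that is not part of the original thread and is not Tripwire code. It compares two snapshots of /dev; `scan()` takes a real snapshot of a live /dev, while `BASELINE` and `CURRENT` are constructed samples built from the report quoted above, with the ttyv9 and ttyS42 values invented to show the two warning cases.

```python
import os
import stat
from collections import namedtuple

# One /dev node as the lstat(2) fields Tripwire compared in the report above:
# kind is "char" for a character device (else "regular"/"link"/"other"), mode holds the
# permission bits including setuid/setgid, rdev the device number, uid the owner.
DevEntry = namedtuple("DevEntry", "kind mode rdev inode nlink uid gid")

def scan(devdir="/dev"):
    """Snapshot the terminal-like nodes (tty*, pty*, console) of a live /dev."""
    snap = {}
    for name in os.listdir(devdir):
        if not name.startswith(("tty", "pty", "console")):
            continue
        st = os.lstat(os.path.join(devdir, name))
        kind = "char" if stat.S_ISCHR(st.st_mode) else "regular" if stat.S_ISREG(st.st_mode) else "other"
        snap[name] = DevEntry(kind, stat.S_IMODE(st.st_mode), st.st_rdev, st.st_ino, st.st_nlink, st.st_uid, st.st_gid)
    return snap

def audit(baseline, current):
    """Ignore uid changes (normal for a terminal) but report every other changed field,
    every vanished entry and every new terminal-looking name, marking suspicious ones."""
    alerts = []
    for name, cur in sorted(current.items()):
        old = baseline.get(name)
        if old is None:
            odd = cur.kind != "char" or cur.mode & (stat.S_ISUID | stat.S_ISGID)
            alerts.append((name, f"new terminal-like entry ({cur.kind}, mode {cur.mode:04o})"
                           + (": not a plain character device!" if odd else "")))
            continue
        for field in ("kind", "mode", "rdev", "inode", "nlink", "gid"):
            if getattr(old, field) != getattr(cur, field):
                alerts.append((name, f"{field} changed: {getattr(old, field)!r} -> {getattr(cur, field)!r}"))
    for name in sorted(baseline.keys() - current.keys()):
        alerts.append((name, "terminal entry disappeared"))
    return alerts

# Constructed sample: /dev/console only changed owner (fernan -> root) as in the report;
# ttyv9 (invented values) was replaced by a setuid regular file; ttyS42 (invented) appeared.
BASELINE = {"console": DevEntry("char", 0o622, 160768, 7208, 1, 1001, 0),
            "ttyv9": DevEntry("char", 0o600, 160777, 7300, 1, 0, 0)}
CURRENT = {"console": DevEntry("char", 0o622, 160768, 7208, 1, 0, 0),
           "ttyv9": DevEntry("regular", 0o4755, 0, 9999, 1, 0, 0),
           "ttyS42": DevEntry("regular", 0o644, 0, 9998, 1, 0, 0)}

if __name__ == "__main__":
    for name, why in audit(BASELINE, CURRENT):
        print(f"/dev/{name}: {why}")
```

The owner change on /dev/console produces no alert, while the swapped ttyv9 node and the new ttyS42 file each do; to use it on a real host, save `scan()` output once and later run `audit(saved, scan())`.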