From owner-freebsd-security Thu Jan 8 14:53:47 1998
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id OAA12885
    for security-outgoing; Thu, 8 Jan 1998 14:53:47 -0800 (PST)
    (envelope-from owner-freebsd-security)
Received: from word.smith.net.au (ppp8.portal.net.au [202.12.71.108])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA12873
    for ; Thu, 8 Jan 1998 14:53:35 -0800 (PST)
    (envelope-from mike@word.smith.net.au)
Received: from word (localhost [127.0.0.1])
    by word.smith.net.au (8.8.8/8.8.5) with ESMTP id JAA01042;
    Fri, 9 Jan 1998 09:17:12 +1030 (CST)
Message-Id: <199801082247.JAA01042@word.smith.net.au>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Lance Hartford
cc: freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-reply-to: Your message of "Thu, 08 Jan 1998 09:40:30 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 09 Jan 1998 09:17:11 +1030
From: Mike Smith
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> I just installed 2.2.5 on a PC and I received the following portion of
> message in a security mail that was sent out last night:
>
> xyz setuid diffs:
> 152c152
> < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> ---
> > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
>
> I did a "sum" on the /usr/bin/su on another system onsite, and found
> that there was no difference compared to the one on this system. Does
> this imply that there is a security problem at my site?

This is a known quirk in 2.x systems. If you are concerned about this
sort of thing (i.e. you have shell accounts on your system), you might
want to look at a tool that uses stronger checksumming (esp. MD5) for
verification.

Also, you would be *much* better off using the "Live Filesystem" CD for
reference rather than another system, as both may have been compromised.

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\
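
An added example, not part of the original message or of FreeBSD's own tooling: the check the reply recommends, comparing setuid/setgid files against a trusted read-only reference tree by cryptographic hash, so that a changed modification time with identical contents is reported separately from a changed binary. It assumes the reference media is mounted at a path you pass in, and it uses SHA-256 in place of the MD5 named in the reply, since MD5 is no longer collision resistant; the function names and verdict strings are hypothetical.

```python
import hashlib
import os
import stat

def sha256_of(path, bufsize=65536):
    """Hash file contents in chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_against_reference(live_root, ref_root, only_setid=True):
    """Compare regular files under live_root with the same paths under ref_root.

    ref_root is assumed to be trusted read-only media (for example a
    mounted install CD). Returns {relative_path: verdict}.
    """
    verdicts = {}
    for dirpath, _dirs, files in os.walk(live_root):
        for name in files:
            live = os.path.join(dirpath, name)
            st = os.lstat(live)
            if not stat.S_ISREG(st.st_mode):
                continue
            if only_setid and not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            rel = os.path.relpath(live, live_root)
            ref = os.path.join(ref_root, rel)
            if os.path.islink(ref) or not os.path.isfile(ref):
                verdicts[rel] = "NOT-IN-REFERENCE"
                continue
            rst = os.lstat(ref)
            if sha256_of(live) != sha256_of(ref):
                verdicts[rel] = "CONTENT-DIFFERS"      # binary was replaced or patched
            elif (stat.S_IMODE(st.st_mode) != stat.S_IMODE(rst.st_mode)
                  or (st.st_uid, st.st_gid) != (rst.st_uid, rst.st_gid)):
                verdicts[rel] = "MODE-OR-OWNER-DIFFERS"
            elif int(st.st_mtime) != int(rst.st_mtime):
                verdicts[rel] = "MTIME-ONLY"           # the case reported in this thread
            else:
                verdicts[rel] = "MATCH"
    return verdicts

if __name__ == "__main__":
    import sys
    found = audit_against_reference(sys.argv[1], sys.argv[2])
    for path, verdict in sorted(found.items()):
        print(f"{verdict:22} {path}")
```

Run it with the live directory first and the reference mount second; anything other than MATCH or MTIME-ONLY deserves a closer look.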