From owner-freebsd-security Thu Aug 30 7:40:38 2001
Delivered-To: freebsd-security@freebsd.org
Message-Id: <200108301438.f7UEcVd10501@cwsys.cwsent.com>
Date: Thu, 30 Aug 2001 07:38:08 -0700
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Peter Pentchev
Cc: Fernan Aguero, FreeBSD Security
Subject: Re: changed /dev/ttys is this normal?
In-reply-to: Your message of "Wed, 29 Aug 2001 17:11:25 +0300."
             <20010829171125.G780@ringworld.oblivion.bg>
Sender: owner-freebsd-security@FreeBSD.ORG

In message <20010829171125.G780@ringworld.oblivion.bg>, Peter Pentchev writes:
> On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> > On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > > Hi
> > >
> > > I started using tripwire to monitor for changed files on my system.
> > > I noticed that /dev/console and /dev/ttys were changed and the
> > > tripwire report showed the following:
> > >
> > > [...]
> > >
> > > Modified object name:  /dev/console
> > >
> > >   Property:            Expected                    Observed
> > >   -------------        -----------                 -----------
> > >   Object Type          Character Device            Character Device
> > >   Device Number        160768                      160768
> > >   Inode Number         7208                        7208
> > >   Mode                 crw--w--w-                  crw--w--w-
> > >   Num Links            1                           1
> > > * UID                  fernan (1001)               root (0)
> > >   GID                  wheel (0)                   wheel (0)
> > [snip]
> > >
> > > Is this normal? If so, is it safe to change tripwire's policy to
> > > ignore these changes?
> >
> > Yes, this is normal - the owner of a terminal device is always
> > set to the user who has logged in, so he can open it and perform
> > reads/writes/ioctls on it.
> >
> > I believe that it should be safe to have tripwire ignore terminal
> > devices :)
>
> ..but actually, it might be wise if Tripwire would warn you about
> changes in *anything* but the owner on terminal devices. Also,
> it would be wise to have it warn you for the appearance of *new*
> files looking like terminal devices. I've seen more than one
> rootkit which installed a setuid shell or a config file or whatever
> as /dev/ttySomething, or as a replacement for one of the higher-numbered
> tty devices (in the hope that those are reached only very rarely,
> and this would go unnoticed for quite some time).

The upcoming Tripwire 2.3.1 port (PR is in but not committed yet) actually
does this. E.g.,

    /dev/console    -> $(SEC_TTY) ;
    /dev/ttyv0      -> $(SEC_TTY) ;
    ...

where SEC_TTY is defined as

    SEC_TTY = $(Dynamic)-ugp ;   # Tty files that change ownership at login


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
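As an added illustration (not part of this mail or of Tripwire's own code), the following Python models how a Tripwire property mask such as $(Dynamic)-ugp decides what gets reported, run against the /dev/console record quoted above and against a constructed record for the replaced-device case Peter describes. The definition of $(Dynamic) is assumed to be the one in the stock twpol.txt; the record values for the replaced node are invented.

```python
import re

# Tripwire property letters used below (see twpolicy(4)):
#   p mode/permissions, i inode, n link count, u uid, g gid, t object type,
#   d device number, s size; r l b a m c C M S H are other size, time and hash properties.
# $(Dynamic) as defined in the stock twpol.txt (assumed here; check your own policy file).
VARIABLES = {"Dynamic": "+pinugtd-srlbamcCMSH"}

def expand_mask(mask, variables=VARIABLES):
    """Replace $(Name) references with their definitions, as the policy compiler does."""
    return re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], mask)

def checked_properties(mask):
    """Letters the mask actually checks: '+' enables the letters that follow it, '-'
    disables them, and later terms override earlier ones (so $(Dynamic)-ugp drops u, g, p)."""
    enabled, adding = set(), True
    for ch in expand_mask(mask):
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif ch.isalpha():
            (enabled.add if adding else enabled.discard)(ch)
        elif not ch.isspace():
            raise ValueError(f"unexpected character {ch!r} in property mask")
    return enabled

def violations(mask, expected, observed):
    """Checked properties whose observed value differs from the database value,
    returned as (letter, expected, observed) tuples in letter order."""
    return [(p, expected[p], observed.get(p))
            for p in sorted(checked_properties(mask))
            if p in expected and expected[p] != observed.get(p)]

# The /dev/console record from the quoted report: only the owner changed (fernan -> root).
CONSOLE_DB = {"t": "Character Device", "d": 160768, "i": 7208,
              "p": "crw--w--w-", "n": 1, "u": 1001, "g": 0}
CONSOLE_NOW = dict(CONSOLE_DB, u=0)

# Constructed record for the case Peter describes: the device node replaced by a
# setuid regular file (inode and size values are invented for this example).
CONSOLE_REPLACED = {"t": "Regular File", "d": 160768, "i": 9812,
                    "p": "-rwsr-xr-x", "n": 1, "u": 0, "g": 0, "s": 24576}

if __name__ == "__main__":
    print(violations("$(Dynamic)", CONSOLE_DB, CONSOLE_NOW))          # reports the login uid change
    print(violations("$(Dynamic)-ugp", CONSOLE_DB, CONSOLE_NOW))      # quiet: ownership ignored
    print(violations("$(Dynamic)-ugp", CONSOLE_DB, CONSOLE_REPLACED)) # still reports inode and type
```

Note that -ugp also silences group and mode changes, not just the owner; the third call shows that the inode and object-type properties still report a node that has been replaced by a regular file.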