Subject: Re: After make world, periodic sends me suid diffs
From: Duncan Anker
To: Andrew Boring
Cc: freebsd-questions@freebsd.org
Date: 01 Nov 2002 15:49:48 +1000
Message-Id: <1036129788.21009.2.camel@duncan>

On Thu, 2002-10-31 at 07:02, Andrew Boring wrote:
> I upgraded a box from 4.6 to 4.7 that is not in production yet. This was
> my first time upgrading via CVS and make world and everything appeared to
> go smoothly with no issues.
>
> However, the following day I received mail from the daily periodic scripts
> Security Run Output:
>
> Checking setuid files and devices:
> setuid diffs:
> 1,50c1,50
> < 11 -r-sr-xr-x 1 root wheel 321100 Oct 8 11:12:48 2002 /bin/rcp
> < 2761 -r-xr-sr-x 1 root kmem 65944 Oct 9 12:45:20 2002 /sbin/ccdconfig
> < 153 -r-sr-xr-x 1 root wheel 201836 Oct 9 12:45:27 2002 /sbin/ping
> < 154 -r-sr-xr-x 1 root wheel 202816 Oct 9 12:45:27 2002 /sbin/ping6
> [...]
>
> Looking through the 100.chksetuid script, I am guessing that the security
> script is warning me that the binaries have changed (as a result of the
> source upgrade) and NOT that the permissions have changed or that more
> have been added. Am I correct? I don't have a record or snapshot of the
> permissions on all the binaries listed in the email to verify.

permissions, owner, group, filesize, date, filename ... anything that's
different between the directory snapshot from the previous run and the
current one. It's just a diff between two ls commands, but it's pretty
effective for catching unusual goings on.
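As an added example (not part of the original mail or of the FreeBSD periodic scripts), the following sorts a "setuid diffs" report into entries where only inode, size or date changed, as after a rebuild, and entries where mode, owner or group changed. It assumes the field layout of the lines quoted above; the verdict names and the `example-*` paths are invented for illustration.

```python
# Added example: classify entries in a "setuid diffs" report by what changed.
# Assumes each listing line has the layout shown in the quoted mail:
#   inode mode links owner group size month day time year path
# Device nodes (major/minor instead of size) are not handled.
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")
OWNERSHIP = {"mode", "owner", "group"}  # fields that decide who runs it as whom

def parse_entry(line):
    """Split one listing line (diff marker already removed) into a dict."""
    f = line.split()
    if len(f) < 11:
        return None  # diff header, separator, or an unexpected layout
    entry = dict(zip(FIELDS[:6], f[:6]))
    entry["mtime"] = " ".join(f[6:10])
    entry["path"] = " ".join(f[10:])
    return entry

def classify(diff_text):
    """Return {path: (verdict, changed_fields)} for a normal-format diff."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        side = {"<": old, ">": new}.get(line[:1])
        entry = parse_entry(line[1:]) if side is not None else None
        if entry:
            side[entry["path"]] = entry
    report = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report[path] = ("new setuid/setgid file", [])
        elif path not in new:
            report[path] = ("no longer listed", [])
        else:
            changed = [k for k in FIELDS if old[path][k] != new[path][k]]
            verdict = "review" if OWNERSHIP & set(changed) else "rebuilt"
            report[path] = (verdict, changed)
    return report

# Constructed sample: the "<" lines for rcp and ping come from the mail above;
# every ">" line and both example-* entries are invented for illustration.
SAMPLE = """\
1,3c1,4
< 11 -r-sr-xr-x 1 root wheel 321100 Oct 8 11:12:48 2002 /bin/rcp
< 153 -r-sr-xr-x 1 root wheel 201836 Oct 9 12:45:27 2002 /sbin/ping
< 900 -r-xr-sr-x 1 root kmem 5000 Oct 9 12:45:27 2002 /usr/local/bin/example-tool
---
> 14 -r-sr-xr-x 1 root wheel 321228 Oct 30 14:02:10 2002 /bin/rcp
> 153 -r-sr-xr-x 1 root wheel 201900 Oct 30 14:02:15 2002 /sbin/ping
> 900 -r-sr-sr-x 1 root kmem 5000 Oct 9 12:45:27 2002 /usr/local/bin/example-tool
> 901 -r-sr-xr-x 1 root wheel 7000 Oct 30 14:05:00 2002 /usr/local/bin/example-new
"""

if __name__ == "__main__":
    for path, (verdict, changed) in classify(SAMPLE).items():
        print(f"{verdict:24} {path} {','.join(changed)}")
```
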