Date: Wed, 11 Apr 2001 10:28:16 PST
From: Jason DiCioccio <geniusj@bluenugget.net>
To: rjm@Wilshire.Net
Cc: freebsd-security@freebsd.org
Subject: Re: How to interpret Security Check
Message-ID: <20010411182816.EE8831363D@bluenugget.net>
On Wed, 11 Apr 2001 09:34:30 -0700 "Riley J. McIntire" wrote:

> Greetings:

Hello!

> The second time it dumped, it was powered off, then on, went into single
> user. The onsite operator did a fsck, and brought it back to multiuser.
> She reported lots of file errors. Which I'm assuming caused the
> following in the security check output. But sometimes I assume too
> much! I'd like to make sure I'm not missing a security issue.
>
> Comments are welcome.

[snip]

> checking setuid files and devices:
> USER=root
> host=mail.somebiz.com
> c=?
> HOME=/root
> rc=0
> PS1=#
> OPTIND=1
> PS2=>
> LOGNAME=root
> PATH=/sbin:/bin:/usr/bin
> ignore=
> MP=
> sflag=FALSE
> TMP=/var/run/_secure.7644
> SHELL=/bin/sh
> IFS=
>
> LC_ALL=C
> yesterday=Apr 10
> LOG=/var/log
> cmp: EOF on /var/run/_secure.7644

My guess here is that the fsck damaged /etc/security?

> mail.somebiz.com setuid diffs:
> 1,71d0
> < 14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
> < 15002 -r-sr-xr-x 1 root wheel 319548 Nov 20 04:06:07 2000 /bin/rcp
> < 15051 -r-xr-sr-x 1 root kmem 62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
> [...]
> Segmentation fault - core dumped

It looks here as if you lost /var/*/setuid.today/yesterday (forget which
one).. Did you have to do a fsck -y? I'm assuming yes.. Also, were
softupdates enabled? If not, that could've prevented this data loss
(assuming it's not a bad drive.)

> mail.somebiz.com changes in mounted filesystems:
> 1,4d0
> < /dev/ad0s1a / ufs rw 1 1
> < /dev/ad0s1e /usr ufs rw 2 2
> < /dev/ad0s1f /var ufs rw 2 2
> < procfs /proc procfs rw 0 0

again, something lost in /var (perhaps /var/backups)

> checking for uids of 0:
> root 0
> toor 0
>
> checking for passwordless accounts:
>
> mail.somebiz.com denied packets:
>
> mail.somebiz.com kernel log messages:
> pid 7665 (mount), uid 0: exited on signal 11 (core dumped)
>
> mail.somebiz.com login failures:
>
> mail.somebiz.com refused connections:
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Cheers,
-JD-
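The "setuid diffs" block in the report is produced by the daily security script's cmp/diff of today's setuid list against the copy saved from the previous run. The header 1,71d0 is ed-style diff output: lines 1 to 71 of the first file (the saved baseline) have no counterpart in the second file (today's list), so today's list had zero lines, which also explains "cmp: EOF" on the temp file. That is consistent with the variable dump, where MP= names no mount points, and with the kernel log entry showing mount(8) dying on signal 11. The script below is an added example written for this page, not FreeBSD's /etc/security: it reproduces the baseline comparison in POSIX sh and refuses to report an empty current list as a change, since that shape reads as a collection failure rather than as seventy setuid binaries vanishing. The file names are chosen by the caller, and the three-line sample baseline is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example for this page, not FreeBSD's /etc/security: the setuid
# baseline comparison that the daily security script performs, reduced to
# its essentials, plus a guard that tells "today's list is empty" apart
# from "every setuid file disappeared". File names are chosen by the caller;
# the sample baseline in write_sample_baseline() is constructed from the
# report above.
LC_ALL=C; export LC_ALL

# Current list of setuid/setgid files under the given mount points, one
# "ls -ild" line per file, sorted by path (field 10) so that two runs
# are comparable. With no mount points at all (an empty MP, as in the
# variable dump above) the list is empty.
setuid_list() {
    if [ $# -eq 0 ]; then
        return 0
    fi
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ild {} + 2>/dev/null | sort -k 10
}

# Compare the saved baseline ($1, previous run) with the current list ($2).
# Exit status: 0 unchanged; 1 changed, diff printed; 2 current list empty.
# Without the guard, an empty current list diffs as "1,Nd0" followed by
# every baseline line prefixed "<", which is the shape of the report above.
compare_setuid() {
    baseline=$1
    current=$2
    if [ ! -s "$current" ]; then
        echo "setuid check: current list is empty; treating as a collection failure" >&2
        return 2
    fi
    if cmp -s "$baseline" "$current"; then
        return 0
    fi
    echo "setuid diffs:"
    diff "$baseline" "$current" || true
    return 1
}

# Constructed three-line baseline in the report's layout, written to $1.
write_sample_baseline() {
    cat > "$1" <<'EOF'
14989 -r-xr-sr-x 1 root operator 57076 Nov 20 03:59:17 2000 /bin/df
15002 -r-sr-xr-x 1 root wheel 319548 Nov 20 04:06:07 2000 /bin/rcp
15051 -r-xr-sr-x 1 root kmem 62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
EOF
}

# Run the three outcomes against constructed files and print each status.
demo() {
    d=$(mktemp -d) || return 1
    write_sample_baseline "$d/setuid.today"
    cp "$d/setuid.today" "$d/same"
    sed 's/319548/319549/' "$d/setuid.today" > "$d/changed"   # rcp changed size
    : > "$d/empty"                                             # collection failed
    for f in same changed empty; do
        rc=0
        compare_setuid "$d/setuid.today" "$d/$f" || rc=$?
        echo "$f: status $rc"
    done
    rm -rf "$d"
}

demo
```

Run as-is it prints "same: status 0", "changed: status 1" (with the one-line diff) and "empty: status 2". On a real host, feed setuid_list the local mount points (on FreeBSD, the third field of `mount -t ufs` output) and only rotate the baseline when compare_setuid returns 0 or 1; a status of 2 means the list could not be built and the previous baseline should be kept for the next run.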
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010411182816.EE8831363D>