Date: Sun, 29 Sep 1996 15:01:24 -0700 (PDT)
From: Doug White <dwhite@gdi.uoregon.edu>
To: Paul Walsh <paul@nation-net.com>
Cc: questions@FreeBSD.ORG
Subject: Re: mysterious setuid changes
Message-ID: <Pine.BSI.3.94.960929145730.911I-100000@gdi.uoregon.edu>
In-Reply-To: <324E502B.10B5@nation-net.com>
On Sun, 29 Sep 1996, Paul Walsh wrote:
> Can anyone explain why I would get this in my daily security run output, when
> I've not been messing with the permissions?
>
> I only have 3 valid users on the system, so if someone's been fiddling I
> should soon find out who.
Take a look at the differences here:
> checking setuid files and devices:
> www setuid/device diffs:
> 66a67,68
> > -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
> > -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq
> 79,80d80
These files were removed from the system...
> < drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995
> /usr/local/src/Python-1.3/Nt/Python
> < drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996
> /usr/local/src/Python-1.3/Objects
These were added.
In diff, < = inserted, > = removed.
> < -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> < -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
These were added to the file. Not quite sure why.
> > drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995 /usr/local/src/Python-1.3/Nt/Python
> > drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996 /usr/local/src/Python-1.3/Objects
These were removed from the file (probably exchanged for the two above)
> > -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> > -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
This looks like a tabbing problem. I have the same thing happen to mine
-- odd files will suddenly appear in the diffs. (note the space after the
'kmem' word in sendmail's entries...it's longer)
Only worry if the actual permissions change or the owner changes.
> checking for uids of 0:
> root 0
> toor 0
This should never change. If you see one of your user's names appear
here...well, you're in trouble.
Doug White | University of Oregon
Internet: dwhite@resnet.uoregon.edu | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major
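The comparison Doug describes, done field by field so that tab-versus-space noise drops out and only real mode, owner, group or size changes (plus additions and removals) are reported, as an added example. It is not part of the original thread and not FreeBSD's /etc/security script. The two listings and the passwd lines it reads are constructed to resemble the report above; the /usr/local/bin/example entry and its owner change are invented for illustration.

```python
"""Compare two setuid-file listings the way a careful reader of the
/etc/security diff would: by field, not by raw text.

Added example, not from the original message.  The listings and passwd
lines below are constructed, modelled on the report in the thread.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group size path")

# One line of ls -l style output as printed by the daily security report:
# mode, link count, owner, group, size, date (month day time year), path.
# Tokenising on \s+ makes runs of spaces or tabs between fields irrelevant.
LINE_RE = re.compile(
    r"^\s*(?P<mode>[-dlbcsp][rwxsStT-]{9})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"\S+\s+\d+\s+[\d:]+\s+\d{4}\s+(?P<path>\S.*?)\s*$"
)

# Constructed "yesterday" listing: note the tab after kmem on the sendmail
# line, the kind of whitespace change that makes plain diff(1) report it.
YESTERDAY = """\
-rwsr-xr-x 1 uucp bin 495616 Nov  2 08:14:57 1995 /usr/local/sbin/faxgetty
-rwsr-xr-x 1 uucp bin 360448 Nov  2 08:14:54 1995 /usr/local/sbin/faxq
-r-sr-sr-x 3 root kmem\t180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
-rwsr-xr-x 1 bin bin 20480 Jan  5 10:00:00 1996 /usr/local/bin/example
"""

# Constructed "today" listing: fax binaries gone, whitespace reshuffled,
# and one hypothetical real change (example is now owned by root).
TODAY = """\
-r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x 1 root bin   12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
-rwsr-xr-x 1 root bin 20480 Jan  5 10:00:00 1996 /usr/local/bin/example
"""

# Constructed passwd(5) lines; root and toor are the two expected uid-0 entries.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
paul:*:1001:1001:Paul:/home/paul:/bin/sh
"""


def parse_listing(text):
    """Return {path: Entry} for a listing; raises on lines it cannot parse."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable listing line: %r" % line)
        d = m.groupdict()
        entries[d["path"]] = Entry(d["mode"], int(d["links"]), d["owner"],
                                   d["group"], int(d["size"]), d["path"])
    return entries


def compare_listings(old_text, new_text):
    """Report what actually changed between two listings.

    Returns {'added': [paths], 'removed': [paths],
             'changed': [(path, field, old_value, new_value)]}.
    Whitespace-only differences never show up, because both sides are
    compared as parsed fields rather than as raw lines.
    """
    old, new = parse_listing(old_text), parse_listing(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = []
    for path in sorted(set(old) & set(new)):
        for field in ("mode", "owner", "group", "size"):
            ov, nv = getattr(old[path], field), getattr(new[path], field)
            if ov != nv:
                changed.append((path, field, ov, nv))
    return {"added": added, "removed": removed, "changed": changed}


def uid0_accounts(passwd_text, expected=("root", "toor")):
    """Return names of uid-0 accounts that are not in `expected`."""
    unexpected = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in expected:
            unexpected.append(fields[0])
    return unexpected


if __name__ == "__main__":
    report = compare_listings(YESTERDAY, TODAY)
    for path in report["removed"]:
        print("removed:", path)
    for path in report["added"]:
        print("added:  ", path)
    for path, field, ov, nv in report["changed"]:
        print("CHANGED: %s %s %s -> %s" % (path, field, ov, nv))
    for name in uid0_accounts(PASSWD):
        print("UNEXPECTED uid 0 account:", name)
```

Run against the constructed data it lists the two removed fax binaries and the owner change on the hypothetical example binary, and says nothing about sendmail or sliplogin, which only differ in whitespace. On a real box you would feed it the previous and current setuid listings that the daily run keeps, and the live passwd file in place of the PASSWD sample.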
