From owner-freebsd-questions Sun Sep 29 15:03:55 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA25883 for questions-outgoing; Sun, 29 Sep 1996 15:03:55 -0700 (PDT)
Received: from gdi.uoregon.edu (gdi.uoregon.edu [128.223.170.30]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA25864 for ; Sun, 29 Sep 1996 15:03:50 -0700 (PDT)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.7.5/8.6.12) with SMTP id PAA01166; Sun, 29 Sep 1996 15:01:24 -0700 (PDT)
Date: Sun, 29 Sep 1996 15:01:24 -0700 (PDT)
From: Doug White
Reply-To: dwhite@resnet.uoregon.edu
To: Paul Walsh
cc: questions@FreeBSD.ORG
Subject: Re: mysterious setuid changes
In-Reply-To: <324E502B.10B5@nation-net.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 29 Sep 1996, Paul Walsh wrote:

> Can anyone explain why I would get this in my daily security run output, when
> I've not been messing with the permissions?
>
> I only have 3 valid users on the system, so if someone's been fiddling I
> should soon find out who.

Take a look at the differences here:

> checking setuid files and devices:
> www setuid/device diffs:
> 66a67,68
> > -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
> > -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq
> 79,80d80

These files were removed from the system...

> < drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995
> /usr/local/src/Python-1.3/Nt/Python
> < drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996
> /usr/local/src/Python-1.3/Objects

These were added. In diff, < = inserted, > = removed.

> < -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> < -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin

These were added to the file. Not quite sure why.

> > drwxr-sr-x 2 root wheel 512 Oct 12 02:08:15 1995 /usr/local/src/Python-1.3/Nt/Python
> > drwxr-sr-x 2 root wheel 1024 Jul 18 17:03:21 1996 /usr/local/src/Python-1.3/Objects

These were removed from the file (probably exchanged for the two above)

> > -r-sr-sr-x 3 root kmem 180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
> > -r-sr-xr-x 1 root bin 12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin

This looks like a tabbing problem. I have the same thing happen to mine --
odd files will suddenly appear in the diffs. (note the space after the
'kmem' word in sendmail's entries...it's longer) Only worry if the actual
permissions change or the owner changes.

> checking for uids of 0:
> root 0
> toor 0

This should never change. If you see one of your users' names appear
here...well, you're in trouble.

Doug White                           | University of Oregon
Internet: dwhite@resnet.uoregon.edu  | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major
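
The rule of thumb in the reply above (ignore entries that differ only in column spacing, act when permissions or owner change) can be applied mechanically by comparing the two listings field by field rather than as text. This is an added example, not part of the original message or of the FreeBSD security script; the function names and sample listings are constructed, and it assumes the ten-field listing layout shown in the message for regular files and directories (device nodes, which print major/minor numbers instead of a size, are not handled).

```python
"""Compare two setuid listings field by field, ignoring column alignment."""

FIELDS = ("mode", "owner", "group", "size", "mtime")

def parse_listing(text):
    """Map path -> (mode, owner, group, size, mtime) for each listing line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 9)  # split() collapses runs of spaces and tabs
        if len(fields) < 10:
            continue  # blank line or not a full listing entry
        mode, _links, owner, group, size, mon, day, clock, year, path = fields
        entries[path.rstrip()] = (mode, owner, group, size, f"{mon} {day} {clock} {year}")
    return entries

def real_changes(old_text, new_text):
    """Return (kind, path, detail) tuples for entries that differ in substance."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    report = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report.append(("added", path, new[path][:3]))
        elif path not in new:
            report.append(("removed", path, old[path][:3]))
        elif old[path] != new[path]:
            changed = tuple(n for n, a, b in zip(FIELDS, old[path], new[path]) if a != b)
            report.append(("changed", path, changed))
    return report

# Constructed sample: entries taken from the message and re-aligned between runs,
# plus an invented owner change on sliplogin to show what a real finding looks like.
YESTERDAY = """\
-r-sr-sr-x  3 root  kmem  180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x  1 root  bin   12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
"""
TODAY = """\
-r-sr-sr-x  3 root  kmem   180224 Nov 16 09:59:26 1995 /usr/sbin/sendmail
-r-sr-xr-x  1 uucp  bin    12288 Nov 16 09:57:25 1995 /usr/sbin/sliplogin
-rwsr-xr-x  1 uucp  bin   495616 Nov  2 08:14:57 1995 /usr/local/sbin/faxgetty
"""

if __name__ == "__main__":
    for kind, path, detail in real_changes(YESTERDAY, TODAY):
        print(kind, path, detail)
```

The sendmail entry differs as text between the two samples but produces no report line, while the new setuid file and the owner change do.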