From owner-freebsd-questions  Sat Sep 22 16:49:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from topaz.mdcc.cx (topaz.mdcc.cx [212.204.230.141])
	by hub.freebsd.org (Postfix) with ESMTP id 88C9C37B410
	for <freebsd-questions@freebsd.org>; Sat, 22 Sep 2001 16:49:46 -0700 (PDT)
Received: from k7.mavetju.org (topaz.mdcc.cx [212.204.230.141])
	by topaz.mdcc.cx (Postfix) with ESMTP
	id 6B0322B682; Sun, 23 Sep 2001 01:49:41 +0200 (CEST)
Received: by k7.mavetju.org (Postfix, from userid 1001)
	id A3A78179; Sun, 23 Sep 2001 09:49:36 +1000 (EST)
Date: Sun, 23 Sep 2001 09:49:36 +1000
From: Edwin Groothuis <edwin@mavetju.org>
To: Kory Hamzeh <kory@avatar.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: daily security ceck - setuid diffs
Message-ID: <20010923094936.H10641@k7.mavetju.org>
Mail-Followup-To: Edwin Groothuis <edwin@mavetju.org>,
	Kory Hamzeh <kory@avatar.com>, freebsd-questions@freebsd.org
References: <002101c143bd$24564cc0$14ce21c7@avatar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <002101c143bd$24564cc0$14ce21c7@avatar.com>; from kory@avatar.com on Sat, Sep 22, 2001 at 04:20:18PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Sat, Sep 22, 2001 at 04:20:18PM -0700, Kory Hamzeh wrote:
> However, the next day in the daily security check e-mail, I receive a bunch
> of these warning:
> 
> ns2.avatar.com setuid diffs:
> 1,86c1,86
> <  95239 -r-xr-sr-x  1 root  operator   56892 Apr 21 02:05:46 2001 /bin/df
> <  95252 -r-sr-xr-x  1 root  wheel     317400 Apr 21 02:13:35 2001 /bin/rcp
> < 269831 -r-xr-sr-x  1 root  kmem       62792 Apr 21 02:08:02 2001
> /sbin/ccdconfig

If these are the only ones, then you have lost the s-bit on the
permissions of these files. If there are however also items like:
>  95239 -r-xr-sr-x  1 root  operator   56892 Xxx XX xx:xx:xx 2001 /bin/df
>  95252 -r-sr-xr-x  1 root  wheel     317400 Xxx XX xx:xx:xx 2001 /bin/rcp

where Xxx XX xx:xx:xx is the new time, then it's because of the
restore which changed the times on the files.
Maybe you should compare the md5 checksums of the old file and the
new files, but honestly I don't think its something to worry about
(based on your story).

Edwin

-- 
Edwin Groothuis   |              Personal website: http://www.MavEtJu.org
edwin@mavetju.org |           Interested in MUDs? Visit Fatal Dimensions:
------------------+                       http://www.FatalDimensions.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message