Date: Fri, 6 Nov 1998 11:13:36 -0600 (CST)
From: "Jasper O'Malley"
To: security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>

> I just got /etc/security mail from two 2.2.6 servers I administer. The
> setuid diffs list every setuid program on the server as having been
> removed and replaced.
>
> We haven't done a make world. We haven't touched much of anything.
>
> Is this normal, or should I be worried?

My guess is that the files just got old enough so that the ls -l "last
modified" information shows the year instead of the time, which is
reflected in the diff between /var/log/setuid.today and
/var/log/setuid.yesterday (which is what shows up in the mail
/etc/security sends to you). Freaked me out the first time it happened
to me, too. If that's indeed what's happened, it's completely harmless.

Cheers,
Mick

The Reverend Jasper P. O'Malley    dotdot:jooji@webnology.com
Systems Administrator              ringring:asktheadmiral
Webnology, LLC                     woowoo:http://www.webnology.com/~jooji
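
The effect described in the reply above, as an added example that is not part of the original message: a Python sketch that compares two ls -l style snapshots and separates lines whose only difference is the time column turning into a year from lines where mode, owner, size or date really changed. The listing lines, file names and the parse/classify helpers are constructed for illustration, and the snapshot layout is assumed to be plain ls -l output as the reply says.

```python
import re

# ls -l columns: mode, links, owner, group, size, month, day, time-or-year, path
LS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\w{3})\s+(\d{1,2})\s+(\d{1,2}:\d{2}|\d{4})\s+(.+)$")

# Constructed sample snapshots (not real output from any host).
YESTERDAY = """\
-r-sr-xr-x  1 root  bin     45056 May  6 11:02 /usr/bin/passwd
-r-sr-xr-x  1 root  bin     24576 May  6 11:02 /usr/bin/su
-r-sr-xr-x  1 root  bin     16384 Oct  1 11:03 /usr/bin/rlogin
"""
TODAY = """\
-r-sr-xr-x  1 root  bin     45056 May  6  1998 /usr/bin/passwd
-r-sr-xr-x  1 root  bin     32768 Nov  5 23:41 /usr/bin/su
-r-sr-xr-x  1 root  bin     16384 Oct  1 11:03 /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel   12288 Nov  5 23:42 /usr/local/bin/newtool
"""

def parse(listing):
    """Map path -> (fields that must stay stable, time-or-year column)."""
    entries = {}
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            mode, links, owner, group, size, mon, day, stamp, path = m.groups()
            entries[path] = ((mode, links, owner, group, size, mon, int(day)), stamp)
    return entries

def classify(yesterday, today):
    """Return {path: verdict} for every path whose line differs between snapshots."""
    old, new = parse(yesterday), parse(today)
    verdicts = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            verdicts[path] = "added"
        elif path not in new:
            verdicts[path] = "removed"
        elif old[path] != new[path]:
            (old_fixed, old_stamp), (new_fixed, new_stamp) = old[path], new[path]
            # HH:MM yesterday, YYYY today: the file only aged past ls's cutoff.
            aged = ":" in old_stamp and ":" not in new_stamp
            verdicts[path] = ("date-format-only"
                              if old_fixed == new_fixed and aged else "changed")
    return verdicts

if __name__ == "__main__":
    for path, verdict in classify(YESTERDAY, TODAY).items():
        print(f"{verdict:18} {path}")
```

A date-format-only verdict means mode, link count, owner, group, size, month and day all match; once ls prints the year the time of day is no longer visible, so it cannot be compared from the listing alone.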