Date: Mon, 21 May 2007 14:45:44 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: PeterPluta <peter@placidpublishing.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Security Run Output Setuid Differences
Message-ID: <20070521144544.09ec771b.wmoran@potentialtech.com>
In-Reply-To: <10724342.post@talk.nabble.com>
References: <10724342.post@talk.nabble.com>
On Mon, 21 May 2007 11:34:25 -0700 (PDT) PeterPluta <peter@placidpublishing.net> wrote:

>
> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
> lots of things. Anyway, I woke up today to find this email in my inbox.
>
> Checking setuid files and devices:
>
> mail.placidpublishing.net setuid diffs:
> --- /var/log/setuid.today Fri May 18 03:02:47 2007 > +++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007 > @@ -3,7 +3,6 @@ > 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 /sbin/ping > 70746 -r-sr-xr-x 1 root wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6 > 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 > /sbin/shutdown > -165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 > /usr/X11R6/bin/xterm > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chfn > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chpass > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chsh
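Review bot: the removed /usr/X11R6/bin/xterm entry in the "@@ -3,7 +3,6 @@" hunk has no matching "+" line, so unlike screen and lsof in the next hunk the setuid-root xterm did not come back into the listing. Confirm whether the binary is gone or was reinstalled without the setuid bit (ls -l /usr/X11R6/bin/xterm), and that either outcome is what the port work intended.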
> @@ -19,9 +18,9 @@ > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/ypchpass > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/ypchsh > 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 > /usr/bin/yppasswd > -72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 > /usr/local/bin/screen > -71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 > /usr/local/sbin/lsof > -71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 > /usr/local/sbin/postdrop > -71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 > /usr/local/sbin/postqueue > +71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 > /usr/local/bin/screen > +70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 > /usr/local/sbin/lsof > +73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 > /usr/local/sbin/postdrop > +73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 > /usr/local/sbin/postqueue > 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 > /usr/sbin/mailwrapper > 923264 -r-sr-x--- 1 root network 11636 Jul 30 16:20:07 2006 > /usr/sbin/sliplogin
>
>
> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
> Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1). See the man page for details, but it's basically
showing you the difference between last night's directory listing, and
that of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which
are run every night from cron.

Some of the ports you changed resulted in changes to setuid/setgid
programs installed on the system. As a security-conscious administrator,
you should be interested in the programs on your system that have
elevated privileges, so this script is provided to give you a daily
report on that.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
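Review bot: in the "@@ -19,9 +18,9 @@" hunk, postdrop and postqueue change only in inode number (71923 to 73170, 71924 to 73204) while mode, owner, size and the May 17 timestamp stay the same, whereas screen and lsof also pick up new May 20 timestamps. A new inode means each path now points at a different file, and matching size and date do not confirm its contents, so compare these four binaries against the checksums recorded for the installed packages before accepting this listing as the new baseline.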
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070521144544.09ec771b.wmoran>
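A report like the one in this thread can be read mechanically by pairing each "-" entry with the "+" entry for the same path and listing which columns differ. This is an added example, not part of the original message or of FreeBSD's periodic scripts; the names REPORT, ENTRY and classify are made up for it, and the sample input is the report quoted above with the mail wrapping undone and most context lines dropped.

```python
import re

# Sample input: changed lines from the report in this thread, re-joined so
# each entry sits on one line (one context line kept to show it is skipped).
REPORT = """\
--- /var/log/setuid.today Fri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007
@@ -3,7 +3,6 @@
 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 /sbin/shutdown
-165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
@@ -19,9 +18,9 @@
-72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 /usr/local/bin/screen
-71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 /usr/local/sbin/lsof
-71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
-71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
+71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen
+70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 /usr/local/sbin/lsof
+73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
"""

# Columns as they appear in the report: inode, mode, links, owner, group,
# size, modification time, path.
ENTRY = re.compile(
    r"^(?P<sign>[+-]) ?(?P<inode>\d+) (?P<mode>\S+) (?P<links>\d+) (?P<owner>\S+) "
    r"(?P<group>\S+) (?P<size>\d+) (?P<mtime>\w{3} \d+ [\d:]+ \d{4}) (?P<path>/.*)$")
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")

def classify(report):
    """Return {path: verdict} for every setuid/setgid entry the diff touches."""
    old, new = {}, {}
    for line in report.splitlines():
        m = ENTRY.match(" ".join(line.split()))   # collapse ls column padding
        if m:   # file headers, @@ markers and context lines do not match
            (old if m["sign"] == "-" else new)[m["path"]] = m.groupdict()
    verdict = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            verdict[path] = "no longer listed"   # deleted, or lost its s-bit
        elif path not in old:
            verdict[path] = "newly listed"
        else:
            changed = [f for f in FIELDS if old[path][f] != new[path][f]]
            verdict[path] = "changed: " + ", ".join(changed)
    return verdict

if __name__ == "__main__":
    for path, what in classify(REPORT).items():
        print(f"{path}: {what}")
```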