From owner-freebsd-questions@FreeBSD.ORG Mon May 21 18:44:25 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9F0FC16A41F for ; Mon, 21 May 2007 18:44:25 +0000 (UTC) (envelope-from wmoran@potentialtech.com)
Received: from mail.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.freebsd.org (Postfix) with ESMTP id 6FD9713C48A for ; Mon, 21 May 2007 18:44:25 +0000 (UTC) (envelope-from wmoran@potentialtech.com)
Received: from localhost (unknown [137.122.39.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.potentialtech.com (Postfix) with ESMTP id 66DF5EBC7F; Mon, 21 May 2007 14:44:24 -0400 (EDT)
Date: Mon, 21 May 2007 14:45:44 -0400
From: Bill Moran
To: PeterPluta
Message-Id: <20070521144544.09ec771b.wmoran@potentialtech.com>
In-Reply-To: <10724342.post@talk.nabble.com>
References: <10724342.post@talk.nabble.com>
Organization: Potential Technologies
X-Mailer: Sylpheed 2.4.0 (GTK+ 2.10.12; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: Security Run Output Setuid Differences
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 21 May 2007 18:44:25 -0000

On Mon, 21 May 2007 11:34:25 -0700 (PDT)
PeterPluta wrote:

>
> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
> lots of things. Anyway, I woke up today to find this email in my inbox.
>
> Checking setuid files and devices:
>
> mail.placidpublishing.net setuid diffs:
> --- /var/log/setuid.today Fri May 18 03:02:47 2007
> +++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007
> @@ -3,7 +3,6 @@
> 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 /sbin/ping
> 70746 -r-sr-xr-x 1 root wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6
> 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 /sbin/shutdown
> -165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/chfn
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/chpass
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/chsh
> @@ -19,9 +18,9 @@
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/ypchpass
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/ypchsh
> 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 /usr/bin/yppasswd
> -72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 /usr/local/bin/screen
> -71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 /usr/local/sbin/lsof
> -71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
> -71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
> +71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen
> +70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 /usr/local/sbin/lsof
> +73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
> +73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
> 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 /usr/sbin/mailwrapper
> 923264 -r-sr-x--- 1 root network 11636 Jul 30 16:20:07 2006 /usr/sbin/sliplogin
>
>
> What exactly does this all mean? Specifically the
> @@ -19,9 +18,9 @@ stuff.
> Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1). See the man page for details, but it's basically
showing you the difference between last night's directory listing and
that of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which
are run every night from cron.

Some of the ports you changed resulted in changes to setuid/setgid
programs installed on the system. As a security-conscious administrator,
you should be interested in the programs on your system that have
elevated privileges, so this script is provided to give you a daily
report on that.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com