From owner-freebsd-questions  Wed May  7 06:12:51 1997
Return-Path: <owner-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id GAA21354
          for questions-outgoing; Wed, 7 May 1997 06:12:51 -0700 (PDT)
Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA21349
          for <freebsd-questions@FreeBSD.ORG>; Wed, 7 May 1997 06:12:46 -0700 (PDT)
Received: from sunfire.cs.iastate.edu (sunfire.cs.iastate.edu [129.186.3.46]) by cs.iastate.edu (8.7.4/8.7.1) with ESMTP id IAA23131; Wed, 7 May 1997 08:12:41 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by sunfire.cs.iastate.edu (8.7.4/8.7.1) with SMTP id IAA22231; Wed, 7 May 1997 08:12:40 -0500 (CDT)
X-Authentication-Warning: sunfire.cs.iastate.edu: ghelmer owned process doing -bs
Date: Wed, 7 May 1997 08:12:39 -0500 (CDT)
From: Guy Helmer <ghelmer@cs.iastate.edu>
To: "Jay L. West" <jlwest@tseinc.com>
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Question on security check output...
In-Reply-To: <199705071219.HAA06809@gatekeeper.tseinc.com>
Message-ID: <Pine.HPP.3.96.970507080224.22179A-100000@sunfire.cs.iastate.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 7 May 1997, Jay L. West wrote:

> This just popped up in my daily security check output email to
> root. I've never seen this one before and wanted to see what it
> meant. Can anyone offer an explanation?
> 
> ---start snip---
> 80a80
> > -r-xr-sr-x  1 bin   kmem     12288 Jul 16 21:34:55 1996 /usr/sbin/trpt
> 83d82
> < -r-xr-sr-x  1 bin   kmem   12288 Jul 16 21:34:55 1996 /usr/sbin/trpt
> ---end snip---
> 
> This is definitely new. Any ideas?

It's an artifact of the way xargs breaks up lists of files and feeds them
to ls, and then ls arbitrarily defines column widths as needed for a
particular list of files.  In this case, /usr/sbin/trpt apparently is in a
different group of files (thanks to xargs) than it previously was, and ls
apparently didn't need as much space for the file size field (due to some
other "large" file) as it did before.

Current /etc/security scripts have a "-b" in the diff command line which
should ignore this change in whitespace.  However, it may be even more
disconcerting to an administrator because, despite the "-b" option, the
administrator will see a message "$host setuid diffs:" followed by no
output when this effect occurs :-(

Guy

Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer