Skip site navigation (1)Skip section navigation (2) 
Date:      07 Aug 1998 12:21:57 +0900
From:      Just Another Perl Hacker <japh@gol.com>
To:        FreeBSD-security@FreeBSD.ORG
Subject:   Re: Does this mean we have another breakin?
Message-ID:  <o1zqteasq.fsf@mew.gol.com>
In-Reply-To: Ollivier Robert's message of "Thu, 6 Aug 1998 13:10:45 %2B0200"
References:  <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <o90l2bshu.fsf@mew.gol.com> <19980806131045.A28059@keltia.freenix.fr>
next in thread | previous in thread | raw e-mail | index | archive | help 

Just for the record,

>>>>> "O" == Ollivier Robert <roberto@keltia.freenix.fr> writes:

    >> If you or anyone on the list have a pointer to the problem,
    >> please let me know.  Thank you in advance.

    O> You should be able to find many references about this in the
    O> mailing-lists archives, the problem has been known for a long
    O> time.

I managed to dig out Mike Smith's nice comment on this subject, which
he posted to freebsd-hackers.

I assume that this spontaneous writebacks *could* occur not only to
setuid(2)'d executables such as sendmail(8), but to arbitrary command
as a file on the filesystem.

We thank you for the helpful message, Mike!

--------begin quote--------

Date:      Wed, 26 Mar 1997 13:51:06 +1030 (CST)
From:      Michael Smith <msmith@atrad.adelaide.edu.au>
To:        smc@servtech.com (Shawn Carey)
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: Anyone else seen this?
Message-ID:  <199703260321.NAA24228@genesis.atrad.adelaide.edu.au>
In-Reply-To: <33388927.41C67EA6@servtech.com>
                from Shawn Carey at "Mar 25, 97 09:25:43 pm"

Shawn Carey stands accused of saying:
> 
> Now that we are running 2.2-RELEASE, this anomaly appears to be
> something more serious than I originally thought, as gdb now stops the
> program with the message "Process killed due to text file modification",
> and sure enough, the file's date is changing but a diff between an idle
> copy and the "modified" executable is nil.  Furthermore, I have recently
> discovered that if I link the program with -static, the problem goes
> away.

This looks very much like a problem that has been reported many times
before, where one or more pages from a process' text are written back
to the file.  The pages aren't actually changed, but the file's timestamp
is obviously updated.

(snip)

--------end quote--------

-- 
Junichi Kurokawa <japh@gol.com>
Global Online Japan Corporation, Tokyo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?o1zqteasq.fsf>