From owner-freebsd-security Thu Aug 6 20:22:31 1998
To: FreeBSD-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
From: Just Another Perl Hacker
Date: 07 Aug 1998 12:21:57 +0900
In-Reply-To: Ollivier Robert's message of "Thu, 6 Aug 1998 13:10:45 +0200"

Just for the record,

>>>>> "O" == Ollivier Robert writes:

>> If you or anyone on the list have a pointer to the problem,
>> please let me know. Thank you in advance.

O> You should be able to find many references about this in the
O> mailing-lists archives, the problem has been known for a long
O> time.

I managed to dig out Mike Smith's nice comment on this subject, which
he posted to freebsd-hackers. I assume that these spontaneous
writebacks *could* occur not only to setuid(2)'d executables such as
sendmail(8), but to an arbitrary command as a file on the filesystem.

We thank you for the helpful message, Mike!

--------begin quote--------
Date: Wed, 26 Mar 1997 13:51:06 +1030 (CST)
From: Michael Smith
To: smc@servtech.com (Shawn Carey)
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Anyone else seen this?
Message-ID: <199703260321.NAA24228@genesis.atrad.adelaide.edu.au>
In-Reply-To: <33388927.41C67EA6@servtech.com> from Shawn Carey at "Mar 25, 97 09:25:43 pm"

Shawn Carey stands accused of saying:
>
> Now that we are running 2.2-RELEASE, this anomaly appears to be
> something more serious than I originally thought, as gdb now stops the
> program with the message "Process killed due to text file modification",
> and sure enough, the file's date is changing but a diff between an idle
> copy and the "modified" executable is nil. Furthermore, I have recently
> discovered that if I link the program with -static, the problem goes
> away.

This looks very much like a problem that has been reported many times
before, where one or more pages from a process' text are written back
to the file. The pages aren't actually changed, but the file's
timestamp is obviously updated.

(snip)
--------end quote--------

--
Junichi Kurokawa
Global Online Japan Corporation, Tokyo
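
An added example, not part of the original messages: a check that separates the timestamp-only change described in the quoted reply from a real modification, by comparing a binary against a stored SHA-256 baseline. The function names, status labels and the sample file are constructed for illustration.

```python
import hashlib, os, stat, tempfile
from collections import namedtuple

# Baseline record for one file; all field names are this example's own.
Baseline = namedtuple("Baseline", "sha256 size mode uid gid mtime_ns")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path):
    st = os.stat(path)
    # S_IMODE keeps permission bits including setuid/setgid.
    return Baseline(sha256_of(path), st.st_size, stat.S_IMODE(st.st_mode),
                    st.st_uid, st.st_gid, st.st_mtime_ns)

def classify(path, base):
    now = snapshot(path)
    # The hash is authoritative; mtime alone proves nothing either way.
    if (now.sha256, now.size) != (base.sha256, base.size):
        return "CONTENT_CHANGED"
    if (now.mode, now.uid, now.gid) != (base.mode, base.uid, base.gid):
        return "MODE_OR_OWNER_CHANGED"
    if now.mtime_ns != base.mtime_ns:
        return "TIMESTAMP_ONLY"   # the symptom in the quoted message
    return "UNCHANGED"

def demo():
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-binary")   # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample bytes")
        os.chmod(path, 0o755)
        base = snapshot(path)
        results.append(classify(path, base))
        # Bump mtime without touching content, as a text-page writeback would.
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns + 5_000_000_000))
        results.append(classify(path, base))
        os.chmod(path, 0o700)                     # permission drift
        results.append(classify(path, base))
        with open(path, "r+b") as f:              # same size, different bytes
            f.write(b"X")
        results.append(classify(path, base))
    return results

if __name__ == "__main__":
    print(demo())
```

A TIMESTAMP_ONLY result is only as trustworthy as the baseline, so the baseline should be stored where the monitored host cannot rewrite it.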