From owner-freebsd-security  Fri Aug  7 03:44:04 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id DAA16669
          for freebsd-security-outgoing; Fri, 7 Aug 1998 03:44:04 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA16563
          for <FreeBSD-security@FreeBSD.ORG>; Fri, 7 Aug 1998 03:43:56 -0700 (PDT)
          (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost)
	by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id MAA29824
	for FreeBSD-security@FreeBSD.ORG; Fri, 7 Aug 1998 12:43:38 +0200 (CEST)
	(envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (VMailer, from userid 101)
	id D7AA51527; Fri,  7 Aug 1998 12:20:35 +0200 (CEST)
Message-ID: <19980807122035.A4145@keltia.freenix.fr>
Date: Fri, 7 Aug 1998 12:20:35 +0200
From: Ollivier Robert <roberto@keltia.freenix.fr>
To: FreeBSD-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Mail-Followup-To: FreeBSD-security@FreeBSD.ORG
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <o90l2bshu.fsf@mew.gol.com> <19980806131045.A28059@keltia.freenix.fr> <o1zqteasq.fsf@mew.gol.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93i
In-Reply-To: <o1zqteasq.fsf@mew.gol.com>; from Just Another Perl Hacker on Fri, Aug 07, 1998 at 12:21:57PM +0900
X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Just Another Perl Hacker:
> I assume that this spontaneous writebacks *could* occur not only to
> setuid(2)'d executables such as sendmail(8), but to arbitrary command
> as a file on the filesystem.

Of course but unless you run Tripwire, the /etc/security script will detect 
changes only on setuid/setgid ones.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message