From owner-freebsd-security Thu Jan 8 09:35:29 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA05753 for security-outgoing; Thu, 8 Jan 1998 09:35:29 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA05722 for ; Thu, 8 Jan 1998 09:35:13 -0800 (PST) (envelope-from adam@homeport.org)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA09060; Thu, 8 Jan 1998 12:32:36 -0500 (EST)
From: Adam Shostack
Message-Id: <199801081732.MAA09060@homeport.org>
Subject: Re: /usr/bin/su modification time changing
In-Reply-To: from Lance Hartford at "Jan 8, 98 09:40:30 am"
To: lhartfor@mtghouse.com
Date: Thu, 8 Jan 1998 12:32:35 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Suggest using md5, not sum. Script kiddies have had tools since 1990 or so to fake out sum. diff is also useful. :)

Also, I seem to recall that there's a problem with FreeBSD where the OS randomly updates the mod time, but nothing else, of a file.

Adam

Lance Hartford wrote:
|
| I just installed 2.2.5 on a PC and I received the following portion of
| message in a security mail that was sent out last night:
|
| xyz setuid diffs:
| 152c152
| < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
| ---
| > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
|
| I did a "sum" on the /usr/bin/su on another system onsite, and found
| that there was no difference compared to the one on this system. Does
| this imply that there is a security problem at my site?
|
| Thanks.
|
| Lance
|

--
<123> stargate /export/home/adam% passwd
passwd: Changing password for adam
passwd: adam does not exist
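
Added example (not part of the original message and not FreeBSD's security script): a Python sketch that snapshots a file's listing fields plus a content digest, then classifies a difference as metadata-only or content-changed, which is the question raised in the thread. It uses SHA-256 where the message suggests md5, because MD5 collisions are practical today; the function names, the temp file and the timestamps are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

META = ("mode", "uid", "gid", "size", "mtime")  # fields an ls-style listing shows

def snapshot(path):
    """Record listing metadata plus a SHA-256 digest of the file's bytes."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"mode": stat.filemode(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}

def classify(old, new):
    """Return (verdict, changed metadata fields) for two snapshots."""
    changed = [k for k in META if old[k] != new[k]]
    if old["sha256"] != new["sha256"]:
        return "content-changed", changed
    return ("metadata-only" if changed else "unchanged"), changed

def demo():
    """Constructed sample: a temp file stands in for the monitored binary."""
    t0, t1 = 877429165, 884202028  # constructed baseline and later mtimes
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "su-sample")
        with open(path, "wb") as f:
            f.write(b"A" * 16384)
        os.utime(path, (t0, t0))
        base = snapshot(path)
        os.utime(path, (t1, t1))  # mtime moves, bytes stay the same
        touched = classify(base, snapshot(path))
        with open(path, "wb") as f:
            f.write(b"B" * 16384)  # different bytes, same size
        os.utime(path, (t0, t0))  # listing fields match the baseline again
        replaced = classify(base, snapshot(path))
    return touched, replaced

if __name__ == "__main__":
    print(demo())
```

A metadata-only verdict naming just mtime corresponds to the situation reported in the thread; a content-changed verdict with an empty field list is the case a listing diff alone cannot show.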