From owner-freebsd-security Thu Jan 8 10:26:39 1998 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA11360 for security-outgoing; Thu, 8 Jan 1998 10:26:39 -0800 (PST) (envelope-from owner-freebsd-security) Received: from megaweapon.zigg.com (tcgr-64.dialup.alliance.net [207.74.43.64]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA11336 for ; Thu, 8 Jan 1998 10:26:33 -0800 (PST) (envelope-from matt@megaweapon.zigg.com) Received: from varda.local (varda.local [192.168.0.2]) by megaweapon.zigg.com (8.8.8/8.8.7) with ESMTP id NAA23334; Thu, 8 Jan 1998 13:26:17 -0500 (EST) (envelope-from matt@megaweapon.zigg.com) Received: from localhost (matt@localhost) by varda.local (8.8.8/8.8.7) with SMTP id NAA00267; Thu, 8 Jan 1998 13:25:50 -0500 (EST) (envelope-from matt@megaweapon.zigg.com) X-Authentication-Warning: varda.local: matt owned process doing -bs Date: Thu, 8 Jan 1998 13:25:50 -0500 (EST) From: Matt Behrens X-Sender: matt@varda.local To: Bryan Swann cc: Lance Hartford , freebsd-security@freebsd.org Subject: Re: /usr/bin/su modification time changing In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 8 Jan 1998, Bryan Swann wrote: > I believe there are three different times associated with each file, > creation time, last access time, last modification time. I assume your > message came from tripwire or a similar tool. You can use options to the > ls command to determine which of the times have changed. You may find > that you need to alter the 'time' your security check monitors for. Lance's message came from the nightly setuid diff check, which comes standard on all versions of FreeBSD I've used, at least. He should probably check into it, someone might be toying with it. (Alternatively, a make world might have updated it...) Matt Behrens | Support the anti-spam amendment! http://www.zigg.com/ | Visit http://www.cauce.org/