Security Run Output Setuid Differences

Roland Smith rsmith at xs4all.nl
Wed Jun 6 17:44:33 UTC 2007


On Tue, Jun 05, 2007 at 04:11:24PM -0700, Peter Pluta wrote:
> mail.***********.net setuid diffs:
> --- /var/log/setuid.today	Mon May 21 03:02:30 2007
> +++ /tmp/security.wq6BsVcr	Sun Jun  3 03:01:48 2007
> @@ -20,7 +20,7 @@
>  377398 -r-sr-xr-x  2 root  wheel      5828 Jul 30 16:19:57 2006
> /usr/bin/yppasswd
>  71112 -rwsr-xr-x  1 root  wheel     285580 May 20 18:23:48 2007
> /usr/local/bin/screen
>  70971 -rwxr-sr-x  1 root  kmem      112708 May 20 18:23:03 2007
> /usr/local/sbin/lsof
> -73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
> /usr/local/sbin/postdrop
> -73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
> /usr/local/sbin/postqueue
> +71432 -rwxr-sr-x  1 root  maildrop  142559 Jun  2 15:47:54 2007
> /usr/local/sbin/postdrop
> +71433 -rwxr-sr-x  1 root  maildrop  152477 Jun  2 15:47:54 2007
> /usr/local/sbin/postqueue
>  923168 -rwxr-sr-x  1 root  smmsp       5236 Jul 30 16:20:07 2006
> /usr/sbin/mailwrapper
>  923264 -r-sr-x---  1 root  network    11636 Jul 30 16:20:07 2006
> /usr/sbin/sliplogin
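Review bot: the removed and added entries for /usr/local/sbin/postdrop and /usr/local/sbin/postqueue differ only in the first column (73170 to 71432, 73204 to 71433) and the timestamp (May 17 14:41:47 to Jun 2 15:47:54). The mode -rwxr-sr-x, the root and maildrop columns, and the sizes 142559 and 152477 are identical on both sides. Before accepting the new list, confirm that Jun 2 15:47:54 matches a known reinstall or upgrade of these two binaries.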
> 
> I have some more, I'm starting to understand it a bit better. Basically the
> user:group id number has changed and the security run is letting me know.
> Good deal, but I'm still confused as to what the @@ -20,7 + 20,7 @@ and + -
> mean. Can anyone explain those? I'm curious, also why would yppasswd change
> to userid 2? I changed root's name yesterday, could that be the cause of it?

Those are a normal part of the output of the diff(1) program that generates
this.

Basically, the script /etc/periodic/security/100.chksetuid makes a list
of all setuid or setgid binaries. This list is compared with the
previous list by the diff(1) program, which shows the differences.

If you have a text file lying around, make a copy of it and change a
couple of lines in the copy. Then do 'diff -u originalfile newfile' and
you'll see how it works.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
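
Added example, not part of Roland's message or of FreeBSD's periodic scripts: a Python script that pairs the '-' and '+' lines of a setuid diff like the one quoted above by path and reports which columns changed. It assumes ls -liT style columns (inode, mode, links, owner, group, size, mtime, path) with each entry on a single line; the sample input is constructed from the report above, and /usr/local/bin/example is an invented entry.

```python
import re
from collections import defaultdict

# Constructed sample: changed lines from the report above, unwrapped, plus one
# invented entry (/usr/local/bin/example) that has no counterpart in the old list.
SAMPLE = """\
--- /var/log/setuid.today Mon May 21 03:02:30 2007
+++ /tmp/security.wq6BsVcr Sun Jun  3 03:01:48 2007
@@ -20,2 +20,3 @@
 70971 -rwxr-sr-x  1 root  kmem      112708 May 20 18:23:03 2007 /usr/local/sbin/lsof
-73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+71432 -rwxr-sr-x  1 root  maildrop  142559 Jun  2 15:47:54 2007 /usr/local/sbin/postdrop
+71500 -rwsr-xr-x  1 root  wheel      20480 Jun  2 16:00:00 2007 /usr/local/bin/example
"""

# Assumed column layout of each list entry (ls -liT style).
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")
ENTRY = re.compile(r"^([-+])\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(.+)$")

def triage(diff_text):
    """Return {path: verdict} for every path that appears on a '-' or '+' line."""
    seen = defaultdict(dict)
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++")):  # file headers, not list entries
            continue
        m = ENTRY.match(line)  # context lines (leading space) and @@ do not match
        if m:
            seen[m.group(9)][m.group(1)] = dict(zip(FIELDS, m.groups()[1:8]))
    result = {}
    for path, sides in seen.items():
        old, new = sides.get("-"), sides.get("+")
        if old is None:
            result[path] = "NEW setuid/setgid file"
        elif new is None:
            result[path] = "removed or no longer setuid/setgid"
        else:
            changed = [f for f in FIELDS if old[f] != new[f]]
            # mode, owner, group or size changes alter what runs, or as whom
            risky = [f for f in changed if f in ("mode", "owner", "group", "size")]
            label = "REVIEW: " if risky else "rewritten, same attributes: "
            result[path] = label + ",".join(changed)
    return result

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{path}: {verdict}")
```

An identical size does not prove identical contents, so a "rewritten" verdict still deserves a check against the time of a known install or upgrade.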

More information about the freebsd-questions mailing list