Security Run Output Setuid Differences
Bill Moran
wmoran at potentialtech.com
Mon May 21 18:44:25 UTC 2007
On Mon, 21 May 2007 11:34:25 -0700 (PDT)
PeterPluta <peter at placidpublishing.net> wrote:
>
> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
> lots of things. Anyway, I woke up today to find this email in my inbox.
>
> Checking setuid files and devices:
>
> mail.placidpublishing.net setuid diffs:
> --- /var/log/setuid.today Fri May 18 03:02:47 2007
> +++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007
> @@ -3,7 +3,6 @@
> 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 /sbin/ping
> 70746 -r-sr-xr-x 1 root wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6
> 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006
> /sbin/shutdown
> -165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007
> /usr/X11R6/bin/xterm
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006
> /usr/bin/chfn
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006
> /usr/bin/chpass
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006
> /usr/bin/chsh
> @@ -19,9 +18,9 @@
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006
> /usr/bin/ypchpass
> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006
> /usr/bin/ypchsh
> 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006
> /usr/bin/yppasswd
> -72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006
> /usr/local/bin/screen
> -71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007
> /usr/local/sbin/lsof
> -71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007
> /usr/local/sbin/postdrop
> -71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007
> /usr/local/sbin/postqueue
> +71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007
> /usr/local/bin/screen
> +70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007
> /usr/local/sbin/lsof
> +73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007
> /usr/local/sbin/postdrop
> +73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007
> /usr/local/sbin/postqueue
> 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006
> /usr/sbin/mailwrapper
> 923264 -r-sr-x--- 1 root network 11636 Jul 30 16:20:07 2006
> /usr/sbin/sliplogin
>
>
> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
> Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1). See the man page for details, but it's basically
showing you the difference between last night's directory listing, and that
of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which are
run every night from cron. Some of the ports you changed resulted in
changes to setuid/setgid programs installed on the system. As a
security-conscious administrator, you should be interested in the programs
on your system that have elevated privileges, so this script is provided to
give you a daily report on that.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
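
One way to triage a report like the one quoted above, as an added example that is not part of the original message or of FreeBSD's periodic scripts: this Python script pairs each removed line with the added line for the same path and reports whether the file was only reinstalled, changed size, changed mode or ownership, or is new. The function name `triage`, the verdict labels and the sample input (including `/usr/local/bin/newtool`) are constructed for illustration, and each entry is assumed to sit on one line rather than wrapped as in the archived e-mail.

```python
import re

# Constructed sample: entries modeled on the report quoted above, one per line (not
# wrapped as in the e-mail); /usr/local/bin/newtool and the temp file name are invented.
SAMPLE = """\
--- /var/log/setuid.today
+++ /tmp/security.XXXXXXXX
@@ -3,7 +3,6 @@
 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 /sbin/ping
-165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
-72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 /usr/local/bin/screen
+71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen
-71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+90001 -rwsr-xr-x 1 root wheel 4096 May 20 18:30:00 2007 /usr/local/bin/newtool
"""

ENTRY = re.compile(r"^([+-])\s*(\d+)\s+(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(/.*)$")
FIELDS = ("inode", "mode", "owner", "group", "size", "mtime")

def triage(diff_text):
    """Map each changed path in a setuid diff to (verdict, changed_fields)."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        m = ENTRY.match(line)
        if m:  # '---', '+++', '@@' headers and unchanged context lines do not match
            side = old if m.group(1) == "-" else new
            side[m.group(8)] = dict(zip(FIELDS, m.groups()[1:7]))
    result = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            result[path] = ("removed", [])
        elif path not in old:
            result[path] = ("new", [])        # new privileged binary: check this first
        else:
            changed = [f for f in FIELDS if old[path][f] != new[path][f]]
            if {"mode", "owner", "group"} & set(changed):
                verdict = "privilege-changed"
            elif "size" in changed:
                verdict = "content-changed"
            else:
                verdict = "reinstalled"       # same mode, owner and size; new inode/mtime
            result[path] = (verdict, changed)
    return result

if __name__ == "__main__":
    for path, (verdict, changed) in triage(SAMPLE).items():
        print(f"{verdict:18} {path} {','.join(changed)}")
```

A "reinstalled" verdict only says the listing fields match; it does not verify the file's contents.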