Security Run Output Setuid Differences

Bill Moran wmoran at potentialtech.com
Mon May 21 18:44:25 UTC 2007


On Mon, 21 May 2007 11:34:25 -0700 (PDT)
PeterPluta <peter at placidpublishing.net> wrote:

> 
> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
> lots of things. Anyway, I woke up today to find this email in my inbox. 
> 
> Checking setuid files and devices:
> 
> mail.placidpublishing.net setuid diffs:
> --- /var/log/setuid.today	Fri May 18 03:02:47 2007
> +++ /tmp/security.207RUJmY	Mon May 21 03:02:30 2007
> @@ -3,7 +3,6 @@
>  70745 -r-sr-xr-x  1 root  wheel     21792 Jul 30 16:19:55 2006 /sbin/ping
>  70746 -r-sr-xr-x  1 root  wheel     28660 Jul 30 16:19:55 2006 /sbin/ping6
>  70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006
> /sbin/shutdown
> -165583 -rws--x--x  1 root  wheel     268432 Apr 14 14:05:10 2007
> /usr/X11R6/bin/xterm
>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
> /usr/bin/chfn
>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
> /usr/bin/chpass
>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
> /usr/bin/chsh
> @@ -19,9 +18,9 @@
>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
> /usr/bin/ypchpass
>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
> /usr/bin/ypchsh
>  377398 -r-sr-xr-x  2 root  wheel      5828 Jul 30 16:19:57 2006
> /usr/bin/yppasswd
> -72750 -rwsr-xr-x  1 root  wheel     285580 Nov  2 01:21:29 2006
> /usr/local/bin/screen
> -71569 -rwxr-sr-x  1 root  kmem      112708 Feb  3 17:17:26 2007
> /usr/local/sbin/lsof
> -71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
> /usr/local/sbin/postdrop
> -71924 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
> /usr/local/sbin/postqueue
> +71112 -rwsr-xr-x  1 root  wheel     285580 May 20 18:23:48 2007
> /usr/local/bin/screen
> +70971 -rwxr-sr-x  1 root  kmem      112708 May 20 18:23:03 2007
> /usr/local/sbin/lsof
> +73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
> /usr/local/sbin/postdrop
> +73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
> /usr/local/sbin/postqueue
>  923168 -rwxr-sr-x  1 root  smmsp       5236 Jul 30 16:20:07 2006
> /usr/sbin/mailwrapper
>  923264 -r-sr-x---  1 root  network    11636 Jul 30 16:20:07 2006
> /usr/sbin/sliplogin
> 
> 
> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
> Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1).  See the man page for details, but it's basically
showing you the difference between last night's directory listing, and that
of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which are
run every night from cron.  Some of the ports you changed resulted in
changes to setuid/setgid programs installed on the system.  As a security-
conscious administrator, you should be interested in the programs on your
system that have elevated privileges, so this script is provided to give
you a daily report on that.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
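
An added example, not part of the original message or of FreeBSD's periodic scripts: a small triage helper that pairs the "-" and "+" lines of a setuid diff by path and reports which listing fields changed. The sample input is abridged from the report quoted above with the mail-wrapped paths rejoined onto one line; the function and field names are assumptions of this example.

```python
import re

# Abridged from the quoted report, one entry per line (constructed input).
SAMPLE = """\
--- /var/log/setuid.today\tFri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY\tMon May 21 03:02:30 2007
@@ -3,7 +3,6 @@
 70745 -r-sr-xr-x  1 root  wheel     21792 Jul 30 16:19:55 2006 /sbin/ping
-165583 -rws--x--x  1 root  wheel     268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
@@ -19,9 +18,9 @@
-72750 -rwsr-xr-x  1 root  wheel     285580 Nov  2 01:21:29 2006 /usr/local/bin/screen
-71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+71112 -rwsr-xr-x  1 root  wheel     285580 May 20 18:23:48 2007 /usr/local/bin/screen
+73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
"""

# One changed entry: sign, inode, mode, links, owner, group, size, mtime, path.
# The "---"/"+++" file headers and "@@" hunk headers do not match this pattern.
ENTRY = re.compile(
    r"^(?P<sign>[-+])\s*(?P<inode>\d+)\s+(?P<mode>\S{10})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<path>/.*)$")

FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")

def classify(diff_text):
    """Map each changed path to (status, [fields that differ])."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        m = ENTRY.match(line)
        if m:  # unchanged context lines start with a space and are skipped
            (old if m["sign"] == "-" else new)[m["path"]] = m.groupdict()
    report = {}
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path), new.get(path)
        if after is None:
            report[path] = ("removed", [])    # gone, or lost its setuid/setgid bit
        elif before is None:
            report[path] = ("added", [])      # new privileged file: check its origin
        else:
            changed = [f for f in FIELDS if before[f] != after[f]]
            report[path] = ("replaced", changed)
    return report

if __name__ == "__main__":
    for path, (status, changed) in classify(SAMPLE).items():
        print(f"{status:9} {path}  {', '.join(changed)}")
```

Entries whose mode, owner or group changed, and any "added" path, deserve a closer look than those where only the inode or mtime differs.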


More information about the freebsd-questions mailing list