Security Run Output Setuid Differences

PeterPluta peter at placidpublishing.net
Mon May 21 18:59:34 UTC 2007




Bill Moran wrote:
> 
> On Mon, 21 May 2007 11:34:25 -0700 (PDT)
> PeterPluta <peter at placidpublishing.net> wrote:
> 
>> 
>> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
>> lots of things. Anyway, I woke up today to find this email in my inbox.
>> 
>> Checking setuid files and devices:
>> 
>> mail.placidpublishing.net setuid diffs:
>> --- /var/log/setuid.today	Fri May 18 03:02:47 2007
>> +++ /tmp/security.207RUJmY	Mon May 21 03:02:30 2007
>> @@ -3,7 +3,6 @@
>>  70745 -r-sr-xr-x  1 root  wheel     21792 Jul 30 16:19:55 2006
>> /sbin/ping
>>  70746 -r-sr-xr-x  1 root  wheel     28660 Jul 30 16:19:55 2006
>> /sbin/ping6
>>  70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006
>> /sbin/shutdown
>> -165583 -rws--x--x  1 root  wheel     268432 Apr 14 14:05:10 2007
>> /usr/X11R6/bin/xterm
>>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
>> /usr/bin/chfn
>>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
>> /usr/bin/chpass
>>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
>> /usr/bin/chsh
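Review bot: The removed `-165583 -rws--x--x ... /usr/X11R6/bin/xterm` line has no matching `+` line, and the header's `-3,7 +3,6` count confirms a net loss of one entry, so the setuid-root xterm is absent from the new listing rather than replaced. Worth confirming that this matches what was intended for the xterm port, since a later reinstall will show up as a brand-new setuid-root entry in a following report.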
>> @@ -19,9 +18,9 @@
>>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
>> /usr/bin/ypchpass
>>  377219 -r-sr-xr-x  6 root  wheel     17532 Jul 30 16:19:56 2006
>> /usr/bin/ypchsh
>>  377398 -r-sr-xr-x  2 root  wheel      5828 Jul 30 16:19:57 2006
>> /usr/bin/yppasswd
>> -72750 -rwsr-xr-x  1 root  wheel     285580 Nov  2 01:21:29 2006
>> /usr/local/bin/screen
>> -71569 -rwxr-sr-x  1 root  kmem      112708 Feb  3 17:17:26 2007
>> /usr/local/sbin/lsof
>> -71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
>> /usr/local/sbin/postdrop
>> -71924 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
>> /usr/local/sbin/postqueue
>> +71112 -rwsr-xr-x  1 root  wheel     285580 May 20 18:23:48 2007
>> /usr/local/bin/screen
>> +70971 -rwxr-sr-x  1 root  kmem      112708 May 20 18:23:03 2007
>> /usr/local/sbin/lsof
>> +73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
>> /usr/local/sbin/postdrop
>> +73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
>> /usr/local/sbin/postqueue
>>  923168 -rwxr-sr-x  1 root  smmsp       5236 Jul 30 16:20:07 2006
>> /usr/sbin/mailwrapper
>>  923264 -r-sr-x---  1 root  network    11636 Jul 30 16:20:07 2006
>> /usr/sbin/sliplogin
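Review bot: Each of the four `-` lines here (screen, lsof, postdrop, postqueue) is matched by a `+` line with the same mode, owner, group and size; only the leading inode number differs, plus the timestamp for screen and lsof (now May 20 18:23). The set of setuid/setgid programs and their privileges is therefore unchanged in this hunk, and the thing to check is that the May 20 timestamps line up with your own port work.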
>> 
>> 
>> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
>> Also, why did this all of a sudden appear?
> 
> Looks like you were portupgrading around with postfix, screen and xterm.
> 
> The output is diff(1).  See the man page for details, but it's basically
> showing you the difference between last night's directory listing, and that
> of the previous day.
> 
> For more gory details, see the scripts in /etc/periodic/security, which are
> run every night from cron.  Some of the ports you changed resulted in
> changes to setuid/setgid programs installed on the system.  As a security-
> conscious administrator, you should be interested in the programs on your
> system that have elevated privileges, so this script is provided to give
> you a daily report on that.
> 
> -- 
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> 
> 


I see, so basically after reinstalling the default uid/gid of some programs
changed? Is that a problem or anything? 

-- 
View this message in context: http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10724835
Sent from the freebsd-questions mailing list archive at Nabble.com.
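
An added example, not part of the original thread and not the FreeBSD periodic script itself: one way to triage a setuid diff like the one quoted above is to pair the `-` and `+` entries by path and compare mode, owner, group and size, so that reinstalls stand apart from real privilege changes. The function name `classify` and the `/usr/local/bin/example` entry are hypothetical; the other sample lines are taken from the quoted report with the wrapped paths re-joined.

```python
import re

# Constructed sample: lines from the report quoted above with wrapped paths
# re-joined, plus one hypothetical entry (/usr/local/bin/example) that gains
# the setuid bit, to show what a real privilege change looks like.
SAMPLE = """\
--- /var/log/setuid.today	Fri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY	Mon May 21 03:02:30 2007
@@ -3,7 +3,6 @@
 70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006 /sbin/shutdown
-165583 -rws--x--x  1 root  wheel     268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
@@ -19,9 +18,9 @@
-72750 -rwsr-xr-x  1 root  wheel     285580 Nov  2 01:21:29 2006 /usr/local/bin/screen
-71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
-70001 -rwxr-sr-x  1 root  wheel     1000 May  1 00:00:00 2007 /usr/local/bin/example
+71112 -rwsr-xr-x  1 root  wheel     285580 May 20 18:23:48 2007 /usr/local/bin/screen
+73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+70002 -rwsr-sr-x  1 root  wheel     1000 May 20 00:00:00 2007 /usr/local/bin/example
"""

# sign, inode, mode, link count, owner, group, size, month, day, time, year, path
ENTRY = re.compile(r"^([+-])\s*(\d+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"\S+\s+\d+\s+[\d:]+\s+\d{4}\s+(/.*)$")

def classify(diff_text):
    """Return {path: verdict} for every changed setuid/setgid entry."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        m = ENTRY.match(line)
        if not m:  # skips ---/+++ headers, @@ markers and unchanged context
            continue
        sign, _inode, mode, owner, group, size, path = m.groups()
        (old if sign == "-" else new)[path] = (mode, owner, group, int(size))
    verdicts = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            verdicts[path] = "removed"
        elif path not in old:
            verdicts[path] = "NEW privileged file"
        elif old[path][:3] != new[path][:3]:
            verdicts[path] = "PRIVILEGE CHANGE %s -> %s" % (old[path][:3], new[path][:3])
        elif old[path][3] != new[path][3]:
            verdicts[path] = "same privileges, different size"
        else:
            verdicts[path] = "same privileges and size (consistent with a reinstall)"
    return verdicts

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE).items():
        print(f"{verdict:55} {path}")
```

Identical mode, owner, group and size with only a new inode number is what a port reinstall produces; the entries that deserve a closer look are new paths and any change in the mode or ownership columns.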


