daily security run output - Checking setuid

Matthew Seaman matthew at FreeBSD.org
Tue Apr 19 14:26:02 UTC 2016


On 2016/04/19 13:23, Ernie Luzar wrote:
> This morning the "daily security run output" lists a lot of files under
> the heading of Checking setuid files & devices. I have never seen this
> before.
> 
> What does this mean?
> Has my system been breached?
> Where is the "daily security run output" documented?

The output usually shows any changes to the lists of setuid or setgid
files on your system.  Take note of the leading '+' or '-' characters in
that output.  Suddenly adding one or a few new setuid files is
suspicious.  Adding write permissions to those files is frequently
suspicious.  However, adding or removing /lots/ of setuid or setgid files
all at once is more likely to be down to operator error.

The daily script depends on keeping a list of all the known setuid /
setgid files in (by default) /var/log/setuid.today and
/var/log/setuid.yesterday.  If one or both of those files get deleted or
modified, or that partition fills up while the security/100.chksetuid
script is running, you'll get spurious output.

Setuid programs are often viewed as a security problem by inexperienced
administrators, and some even go as far as turning off the setuid
functionality.  That, however, is one of those mistakes you only make
once.  Properly implemented, setuid and setgid *improve* your system
security, and they're necessary for the system to function normally.

	Cheers,

	Matthew
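As an added illustration (not the FreeBSD periodic script itself, and not code from the thread), the sketch below reproduces the comparison the daily run performs between yesterday's and today's setuid/setgid listings, using constructed sample lines in a simplified `ls -l` form; the `writable_added` filter is an assumed helper that picks out the "write permissions added" case the reply calls out.

```shell
#!/bin/sh
# Added example: mimic the report produced by security/100.chksetuid.
# The real script keeps its listings in /var/log/setuid.yesterday and
# /var/log/setuid.today; here we build them from constructed samples.
export LC_ALL=C

# Constructed sample listings (simplified: mode links owner group size path).
YESTERDAY='-r-sr-xr-x 1 root wheel 12345 /usr/bin/passwd
-r-sr-xr-x 1 root wheel 23456 /usr/bin/su
-r-xr-sr-x 1 root kmem 34567 /usr/bin/netstat'

# Today: su gained group/other write, and a new setuid binary appeared.
TODAY='-r-sr-xr-x 1 root wheel 12345 /usr/bin/passwd
-rwsrwxrwx 1 root wheel 23456 /usr/bin/su
-r-xr-sr-x 1 root kmem 34567 /usr/bin/netstat
-rwsr-xr-x 1 root wheel 45678 /tmp/.hidden/sh'

WORK=$(mktemp -d)
printf '%s\n' "$YESTERDAY" | sort > "$WORK/setuid.yesterday"
printf '%s\n' "$TODAY"     | sort > "$WORK/setuid.today"

# Print one line per changed entry: '+' for lines only in today's
# listing, '-' for lines only in yesterday's (a changed mode shows
# as one '-' and one '+', exactly as in the daily mail).
setuid_changes() {
    yesterday_file=$1
    today_file=$2
    comm -13 "$yesterday_file" "$today_file" | sed 's/^/+/'
    comm -23 "$yesterday_file" "$today_file" | sed 's/^/-/'
}

# Assumed helper: from '+' lines, print paths whose mode string grants
# group (position 6) or other (position 9) write on a setuid/setgid file.
writable_added() {
    awk '/^\+/ {
        mode = substr($1, 2)
        if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") print $NF
    }'
}

# Show the report, then the subset that deserves a closer look.
setuid_changes "$WORK/setuid.yesterday" "$WORK/setuid.today"
setuid_changes "$WORK/setuid.yesterday" "$WORK/setuid.today" | writable_added
```

Two '+' lines and one '-' line come out for the sample, and only /usr/bin/su is reported as writable; a single unexplained '+' like the /tmp entry is the case worth investigating, whereas hundreds of lines at once usually point at a lost or truncated setuid.yesterday.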
