daily security run output (setuid)

Matthew Seaman matthew at FreeBSD.org
Fri Mar 10 17:04:46 UTC 2017 

On 2017/03/10 16:42, James B. Byrne via freebsd-questions wrote:
> Following a recent update we began to see this report:
> 
> Checking setuid files and devices:
> 
> setuid diffs:
> --- /var/log/setuid.today        2017-01-18 03:01:01.000000000 -0500
> +++ /tmp/security.saU3IUZT        2017-03-08 03:01:01.006331628 -0500
> @@ -36,9 +36,9 @@
> . . .
> 
> - 70217 -rwsr-xr-x  1 root  wheel         22416 Jan 12 00:09:17 2017
> /usr/local/bin/pkexec
> . . .
> + 30527 -rwsr-xr-x  1 root  wheel         22416 Feb 25 00:04:40 2017
> /usr/local/bin/pkexec
> 
> pkg which /usr/local/bin/pkexec
> /usr/local/bin/pkexec was installed by package polkit-0.113_3
> 
> pkg info polkit-0.113_3
> polkit-0.113_3
> Name           : polkit
> Version        : 0.113_3
> Installed on   : Tue Mar  7 15:31:14 2017 EST
> 
> 
> This was a legitimate update as far as I can see. I can see that the
> mtime value has changed but why does the update not account for this
> with the security system?

The security system?  That makes it sound *way* more sophisticated than
it really is.

All that the setuid daily script does is run find(1) to locate all of
the setuid files on the system, creates a sorted list, and then diffs
that against the previous day's list.  It tells you when there have been
any changes to setuid files.  It doesn't say anything about whether
those changes are legitimate or not -- that's down to the (supposedly)
intelligent administrators who read the email reports.

The beauty of it is that it is so simple it is very hard to bamboozle.

In this case, since it is a file from a pkg that you can verify was
re-installed during the right timeframe then you can be pretty sure that
nothing untoward is going on.  Also running 'pkg check -s polkit' to
verify that none of the checksums on the package's files have changed
might provide additional peace of mind.

	Cheers,

	Matthew



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170310/0d5e6e9a/attachment.sig>

More information about the freebsd-questions mailing list