From owner-freebsd-security Wed Apr 11 11:27: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 76CCA37B422 for ; Wed, 11 Apr 2001 11:26:57 -0700 (PDT) (envelope-from geniusj@bluenugget.net)
Received: from bluenugget.net (localhost.com [127.0.0.1]) by bluenugget.net (Postfix) with ESMTP id EE8831363D; Wed, 11 Apr 2001 11:28:16 -0700 (PDT)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
To: rjm@Wilshire.Net
From: Jason DiCioccio
Cc: freebsd-security@freebsd.org
X-Originating-Ip: 63.93.9.98
MIME-Version: 1.0
Reply-To: Jason DiCioccio
Date: Wed, 11 Apr 2001 10:28:16 PST
X-Mailer: EMUmail 4.5
Subject: Re: How to interpret Security Check
X-Webmail-User: geniusj@bluenugget.net
Message-Id: <20010411182816.EE8831363D@bluenugget.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 11 Apr 2001 09:34:30 -0700 "Riley J. McIntire" wrote:

> Greetings:

Hello!

> The second time it dumped, it was powered off, then on, went into single
> user. The onsite operator did a fsck, and brought it back to multiuser.
> She reported lots of file errors. Which I'm assuming caused the
> following in the security check output. But sometimes I assume too
> much! I'd like to make sure I'm not missing a security issue.
>
> Comments are welcome.

[snip]

> checking setuid files and devices:
> USER=root
> host=mail.somebiz.com
> c=?
> HOME=/root
> rc=0
> PS1=#
> OPTIND=1
> PS2=>
> LOGNAME=root
> PATH=/sbin:/bin:/usr/bin
> ignore=
> MP=
> sflag=FALSE
> TMP=/var/run/_secure.7644
> SHELL=/bin/sh
> IFS=
>
> LC_ALL=C
> yesterday=Apr 10
> LOG=/var/log
> cmp: EOF on /var/run/_secure.7644

My guess here is that the fsck damaged /etc/security?

> mail.somebiz.com setuid diffs:
> 1,71d0
> < 14989 -r-xr-sr-x  1 root  operator   57076 Nov 20 03:59:17 2000 /bin/df
> < 15002 -r-sr-xr-x  1 root  wheel     319548 Nov 20 04:06:07 2000 /bin/rcp
> < 15051 -r-xr-sr-x  1 root  kmem       62944 Nov 20 04:00:57 2000 /sbin/ccdconfig
[...]
> Segmentation fault - core dumped

It looks here as if you lost /var/*/setuid.today/yesterday (forget which
one).. Did you have to do a fsck -y? I'm assuming yes.. Also, were
softupdates enabled? If not, that could've prevented this data loss
(assuming it's not a bad drive.)

> mail.somebiz.com changes in mounted filesystems:
> 1,4d0
> < /dev/ad0s1a / ufs rw 1 1
> < /dev/ad0s1e /usr ufs rw 2 2
> < /dev/ad0s1f /var ufs rw 2 2
> < procfs /proc procfs rw 0 0

again, something lost in /var (perhaps /var/backups)

> checking for uids of 0:
> root 0
> toor 0
>
> checking for passwordless accounts:
>
> mail.somebiz.com denied packets:
>
> mail.somebiz.com kernel log messages:
> pid 7665 (mount), uid 0: exited on signal 11 (core dumped)
>
> mail.somebiz.com login failures:
>
> mail.somebiz.com refused connections:
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Cheers,
-JD-
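An added example, not part of this thread and not FreeBSD's own /etc/security script: a setuid-inventory check written so that an empty scan, the situation behind the `cmp: EOF` message and the `1,71d0` diff quoted above, is reported as a failed scan rather than as every setuid file having vanished, and never overwrites the saved baseline. It assumes a POSIX shell with `find`, `ls`, `cmp`, `diff` and `mktemp`; the function names are hypothetical, and the `setuid.today`/`setuid.yesterday` file names follow the ones mentioned in the reply.

```shell
# Added example, not FreeBSD's /etc/security: a setuid inventory check that
# distinguishes "files changed" from "the scan itself failed".

# setuid_scan DIR...: list setuid/setgid files under DIR (inode, mode, owner,
# group, size, name), one per line, sorted. Modelled on the page's listing.
setuid_scan() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -li {} \; 2>/dev/null | sort
}

# setuid_compare BASELINE CURRENT: 0 = identical, 1 = diffs printed,
# 2 = comparison not meaningful (missing or empty input; nothing to trust).
setuid_compare() {
    base=$1; cur=$2
    if [ ! -s "$base" ]; then
        echo "baseline $base missing or empty (lost after fsck?); re-seed it"
        return 2
    fi
    if [ ! -s "$cur" ]; then
        # The page's case: cmp hit EOF on an empty scan file and diff printed
        # 1,71d0, i.e. every setuid file looked deleted. Report a scan failure.
        echo "current scan $cur is empty: scan failed, not a mass removal"
        return 2
    fi
    cmp -s "$base" "$cur" && return 0
    echo "setuid diffs:"
    diff -b "$base" "$cur"
    return 1
}

# setuid_check LOGDIR DIR...: scan, compare with LOGDIR/setuid.today and
# rotate the baseline only when the scan is valid (keeps the last good copy).
setuid_check() {
    log=$1; shift
    tmp=$(mktemp "${TMPDIR:-/tmp}/_secure.XXXXXX")
    setuid_scan "$@" > "$tmp"
    if [ ! -s "$log/setuid.today" ] && [ -s "$tmp" ]; then
        mv "$tmp" "$log/setuid.today"     # first run or lost baseline: seed
        echo "seeded $log/setuid.today"
        return 0
    fi
    rc=0; setuid_compare "$log/setuid.today" "$tmp" || rc=$?
    if [ "$rc" -eq 1 ]; then
        mv "$log/setuid.today" "$log/setuid.yesterday"
        mv "$tmp" "$log/setuid.today"
    else
        rm -f "$tmp"                      # identical or invalid: keep baseline
    fi
    return $rc
}
```

A return code of 2 is the signal to look at the scan's own inputs (mounted filesystems, the find/ls run, the baseline files in /var) before reading the report as a change in setuid binaries.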