Date:      Wed, 30 Aug 2006 09:47:25 +0200
From:      nicky <nicky@valuecare.nl>
To:        dick hoogendijk <dick@nagual.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Fw: lothlorien.nagual.nl security run output
Message-ID:  <44F5428D.20202@valuecare.nl>
In-Reply-To: <20060827114817.5b5124dd.dick@nagual.nl>
References:  <20060827114817.5b5124dd.dick@nagual.nl>

My guess is that there is nothing to be worried about, however I could 
be wrong. Let me explain...

This morning I received the same kind of message in my security run 
output (yesterday I updated all my ports):

Checking setuid files and devices:

nlp setuid diffs:
--- /var/log/setuid.today	Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb	Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@
 49434 -r-sr-xr-x  1 root  wheel      23648 Aug 22 11:05:26 2006 /sbin/ping
 49435 -r-sr-xr-x  1 root  wheel      31924 Aug 22 11:05:26 2006 /sbin/ping6
 49448 -r-sr-x---  1 root  operator   10308 Aug 22 11:05:27 2006 /sbin/shutdown
-7795756 -rws--x--x  1 root  wheel  2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg
-7795717 -rws--x--x  1 root  wheel   303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm
+7795722 -rws--x--x  1 root  wheel  2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg
+7796599 -rws--x--x  1 root  wheel   305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm
 1625095 -r-sr-xr-x  4 root  wheel      22260 Aug 22 11:05:50 2006 /usr/bin/at
 1625095 -r-sr-xr-x  4 root  wheel      22260 Aug 22 11:05:50 2006 /usr/bin/atq
 1625095 -r-sr-xr-x  4 root  wheel      22260 Aug 22 11:05:50 2006 /usr/bin/atrm
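Review bot: on the Xorg pair the size is 2069783 on both the - and + line, with only the inode and timestamp differing, so size cannot tell the old binary from the new one; before accepting this as the new baseline, compare a checksum of Xorg and xterm against what the updated ports installed. Mode -rws--x--x and owner root/wheel are the same on both sides of each pair, and the ping, ping6, shutdown, at, atq and atrm lines are unchanged context.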

If I look at my message, I see that lines between 3 to 8 have been changed. After a manual diff between /var/log/setuid.today/yesterday I only get the Xorg-related lines. Which is correct, since I remember seeing some Xorg ports being updated.

In your message you state, "Begin forwarded message [some Xorg update warnings deleted]:"

Isn't it so that in your message, lines 3 to 12 are just port-related binaries? (I assume Xorg-related.) Meaning that ping/ping6, etc. aren't updated at all. At least I don't see the +/- signs in front of your ping/ping6 ones.

My guess. 

Greets.
Nick



dick hoogendijk wrote:
> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
> Could somebody advise me on what can have happened?
>
> Begin forwarded message [some Xorg update warnings deleted]:
>
> Checking setuid files and devices:
> Checking setuid files and devices:
>
> lothlorien.nagual.nl setuid diffs:
> --- /var/log/setuid.today	Mon Aug 14 03:03:25 2006
> +++ /tmp/security.aJbHsCR6	Sun Aug 27 03:03:22 2006
> @@ -3,12 +3,12 @@
> 23637 -r-sr-xr-x  1 root  wheel      21792 May 12 21:47:15
> 2006 /sbin/ping
> 23638 -r-sr-xr-x  1 root  wheel      28660 May 12
> 21:47:15 2006 /sbin/ping6
> 23651 -r-sr-x---  1 root  operator   10148
> May 12 21:47:17 2006 /sbin/shutdown
> 7042059 -r-sr-xr-x  4 root  wheel      20948
> May 12 21:48:10 2006 /usr/bin/at
> 7042059 -r-sr-xr-x  4 root
> wheel     20948 May 12 21:48:10 2006 /usr/bin/atq
> 7042059 -r-sr-xr-x  4
> root     wheel     20948 May 12 21:48:10 2006 /usr/bin/atrm
>
>   
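
Added example (not part of the original message or of FreeBSD's periodic scripts): a Python reader for a setuid diff like the one above that separates real -/+ changes from unchanged context lines, which is the distinction the reply draws. The names classify, needs_review and ESCALATE, and the rule that a new entry or a mode/owner/group change deserves a closer look, are assumptions of this example.

```python
FIELDS = ("inode", "mode", "links", "owner", "group", "size")
ESCALATE = {"mode", "owner", "group"}  # assumption: a port upgrade should not alter these

def parse_entry(text):
    """Split one setuid-list line (layout as in the message) into (path, fields)."""
    p = text.split(None, 10)
    if len(p) != 11:
        raise ValueError(f"unexpected setuid line: {text!r}")
    entry = dict(zip(FIELDS, p[:6]))
    entry["mtime"] = " ".join(p[6:10])
    return p[10], entry

def classify(diff_text):
    """Return (changes, unchanged) for a unified diff of two setuid lists.
    changes: path -> "added", "removed", or sorted list of differing fields."""
    old, new, unchanged = {}, {}, []
    for line in diff_text.splitlines():
        # Skip headers; entries begin with an inode digit, never with "---".
        if line.startswith(("---", "+++", "@@")) or line[:1] not in ("-", "+", " "):
            continue
        path, entry = parse_entry(line[1:])
        if line[0] == " ":
            unchanged.append(path)  # context line: present in both lists, identical
        else:
            (old if line[0] == "-" else new)[path] = entry
    changes = {}
    for path in sorted(old.keys() | new.keys()):
        if path in old and path in new:
            changes[path] = sorted(k for k in new[path] if old[path][k] != new[path][k])
        else:
            changes[path] = "added" if path in new else "removed"
    return changes, unchanged

def needs_review(changes):
    """Paths that are new, or whose mode, owner or group changed."""
    return sorted(p for p, c in changes.items()
                  if c == "added" or (isinstance(c, list) and ESCALATE & set(c)))

# Shortened copy of the hunk from the message above.
SAMPLE = "\n".join([
    "@@ -3,8 +3,8 @@",
    " 49434 -r-sr-xr-x  1 root  wheel      23648 Aug 22 11:05:26 2006 /sbin/ping",
    "-7795756 -rws--x--x  1 root  wheel  2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg",
    "-7795717 -rws--x--x  1 root  wheel   303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm",
    "+7795722 -rws--x--x  1 root  wheel  2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg",
    "+7796599 -rws--x--x  1 root  wheel   305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm",
    " 1625095 -r-sr-xr-x  4 root  wheel      22260 Aug 22 11:05:50 2006 /usr/bin/at",
])
```

On the sample, classify(SAMPLE) reports only Xorg and xterm as changed, and needs_review returns an empty list because neither changed mode, owner or group.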



