From: nicky
Date: Wed, 30 Aug 2006 09:47:25 +0200
To: dick hoogendijk
Cc: freebsd-questions@freebsd.org
Subject: Re: Fw: lothlorien.nagual.nl security run output

My guess is that there is nothing to be worried about, however I could be wrong. Let me explain.

This morning I received the same kind of message in my security run output (yesterday I updated all my ports):

Checking setuid files and devices:

nlp setuid diffs:
--- /var/log/setuid.today Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@
 49434 -r-sr-xr-x 1 root wheel 23648 Aug 22 11:05:26 2006 /sbin/ping
 49435 -r-sr-xr-x 1 root wheel 31924 Aug 22 11:05:26 2006 /sbin/ping6
 49448 -r-sr-x--- 1 root operator 10308 Aug 22 11:05:27 2006 /sbin/shutdown
-7795756 -rws--x--x 1 root wheel 2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg
-7795717 -rws--x--x 1 root wheel 303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm
+7795722 -rws--x--x 1 root wheel 2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg
+7796599 -rws--x--x 1 root wheel 305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/at
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atq
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atrm

If I look at my message, I see that lines between 3 to 8 have been changed. After a manual diff between /var/log/setuid.today/yesterday I only get the xorg related lines. Which is correct, since I remember seeing some xorg ports being updated.

In your message you state, "Begin forwarded message [some Xorg update warnings deleted]:"

Isn't it so that in your message, lines 3 to 12 are just port related binaries? (I assume xorg related). Meaning that ping/ping6, etc aren't updated at all. At least I don't see the +/- signs in front of your ping/ping6 ones.

My guess.

Greets.
Nick

dick hoogendijk wrote:
> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
> Could somebody advise me on what can have happened?
>
> Begin forwarded message [some Xorg update warnings deleted]:
>
> Checking setuid files and devices:
> Checking setuid files and devices:
>
> lothlorien.nagual.nl setuid diffs:
> --- /var/log/setuid.today Mon Aug 14 03:03:25 2006
> +++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
> @@ -3,12 +3,12 @@
> 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15
> 2006 /sbin/ping
> 23638 -r-sr-xr-x 1 root wheel 28660 May 12
> 21:47:15 2006 /sbin/ping6
> 23651 -r-sr-x--- 1 root operator 10148
> May 12 21:47:17 2006 /sbin/shutdown
> 7042059 -r-sr-xr-x 4 root wheel 20948
> May 12 21:48:10 2006 /usr/bin/at
> 7042059 -r-sr-xr-x 4 root
> wheel 20948 May 12 21:48:10 2006 /usr/bin/atq
> 7042059 -r-sr-xr-x 4
> root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm
>
>
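The reading described in the reply above (only lines marked +/- changed, unmarked lines are unchanged context) can be automated; the following is an added example, not part of the original thread. The function names are illustrative, and the assumed line layout (inode, mode, links, owner, group, size, four-token timestamp, path) is taken from the listing lines shown in the mail.

```python
# Added example: triage a periodic "setuid diffs" report. Assumed line layout, as in
# the mail: inode mode links owner group size Mon DD HH:MM:SS YYYY path.
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")

# Excerpt of the diff quoted in the reply above (whitespace as extracted).
SAMPLE = """\
--- /var/log/setuid.today Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@
 49434 -r-sr-xr-x 1 root wheel 23648 Aug 22 11:05:26 2006 /sbin/ping
-7795756 -rws--x--x 1 root wheel 2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg
-7795717 -rws--x--x 1 root wheel 303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm
+7795722 -rws--x--x 1 root wheel 2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg
+7796599 -rws--x--x 1 root wheel 305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/at
"""

def parse_entry(text):
    """Return the listing fields of one line as a dict, or None if malformed."""
    p = text.split()
    if len(p) < 11:
        return None
    return dict(zip(FIELDS[:6], p[:6]), mtime=" ".join(p[6:10]), path=" ".join(p[10:]))

def classify(diff_text):
    """Return ({path: [changed fields]}, [unchanged context paths])."""
    old, new, context = {}, {}, []
    for line in diff_text.splitlines():
        if not line.strip() or line.startswith(("--- ", "+++ ", "@@")):
            continue  # file headers and hunk headers carry no entries
        marker = line[0] if line[0] in "+-" else " "
        entry = parse_entry(line[1:] if line[0] in "+- " else line)
        if entry is None:
            continue
        if marker == " ":
            context.append(entry["path"])  # shown for context only, not changed
        else:
            (old if marker == "-" else new)[entry["path"]] = entry
    report = {}
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        report[path] = ([f for f in FIELDS if o[f] != n[f]] if o and n
                        else ["added" if n else "removed"])
    return report, context

def needs_review(report):
    """Paths that newly appeared or whose mode, owner or group changed."""
    return [p for p, c in report.items() if {"added", "mode", "owner", "group"} & set(c)]
```

On the excerpt, only Xorg and xterm are reported, with inode, size and timestamp differences and no change to mode or ownership; the /sbin and /usr/bin entries come back as context.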