From owner-freebsd-security Sun Feb 11 03:48:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA02947 for security-outgoing; Sun, 11 Feb 1996 03:48:25 -0800 (PST)
Received: from tulpi.interconnect.com.au (root@tulpi.interconnect.com.au [192.189.54.18]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA02940 for ; Sun, 11 Feb 1996 03:48:09 -0800 (PST)
Received: (from ahill@localhost) by tulpi.interconnect.com.au id WAA06893 (8.6.11/IDA-1.6); Sun, 11 Feb 1996 22:47:31 +1100
Date: Sun, 11 Feb 1996 22:47:30 +1100 (EST)
From: Anthony Hill
To: Brian Tao
cc: freebsd-security@freebsd.org
Subject: Re: User creating root-owned directories?
In-Reply-To: <199602101945.MAA12583@terra.aros.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

Lo and behold, Brian Tao once said:

> > I'll perform a more detailed scan for setuid and setgid programs
> > today then. A lot of our users run setuid CGI scripts (PHP tools, a
> > Web page logging package)... the hacker may have named a setuid
> > program after one of the PHP scripts to hide it from scrutiny.

Letting users have setuid scripts is pretty deadly stuff - you might want to check out sudo. If you must run setuid CGI scripts, the taint features in Perl are a real help. You might want to have a look at the "No you can't have root" document on our "chief security bastard"'s home page.

> > Probably a good time to compare MD5 signatures on the system binaries
> > too... *sigh*.

If I suspect root has been compromised on my system, I do a complete reinstall, then recreate the user stuff from backups - you never know where the little turds may have left a surprise for you.
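The taint mode Anthony recommends above, shown in an added example that is not part of the original thread or either poster's code. It is a hypothetical "web page logging" CGI of the kind Brian mentions: it appends a line to a log file chosen by a query parameter. The base directory /usr/local/www/logs and the parameter names `log` and `msg` are assumptions made for the example. Run under `perl -T` (or setuid, which turns taint checks on automatically), the script dies rather than opening a file whose name came straight from the request; the only way a request value reaches `open` is by passing the whitelist regex in step 3.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): a CGI script that appends a
# line to a per-name log file, run under taint mode so untrusted input
# cannot reach the filesystem unless it has been explicitly validated.
use strict;
use warnings;

# Under -T every value that comes from outside the program (QUERY_STRING,
# %ENV, STDIN, @ARGV, data read from files) is "tainted"; perl refuses to
# use a tainted value in anything that affects the outside world (open for
# writing, system/exec/backticks, unlink, ...) and dies with
# "Insecure dependency in <op> while running with -T switch".

# 1. %ENV is tainted too: pin PATH and drop the variables a shell honours,
#    otherwise any system()/backticks call dies before it runs.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Directory the script is allowed to write into (assumed path).
my $base = '/usr/local/www/logs';

# 2. Minimal query-string parser (CGI.pm would do the same job; kept inline
#    so the example is self-contained). Values are URL-decoded here but a
#    substitution on a tainted string yields a tainted string, so they are
#    still tainted afterwards.
my %q;
my $qs = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
for my $pair (split /&/, $qs) {
    my ($k, $v) = split /=/, $pair, 2;
    next unless defined $k and defined $v;
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    $q{$k} = $v;
}

# 3. Untaint by extracting exactly what we expect with a regex capture.
#    A capture group is the sanctioned way to launder a value: $1 is clean,
#    and anything that does not match the whole pattern ("../../etc/passwd",
#    "x;rm -rf /", an empty string) is rejected outright.
my ($log) = (defined $q{log} ? $q{log} : '') =~ /\A([A-Za-z0-9_-]{1,32})\z/
    or die "bad or missing 'log' parameter\n";

# The message text is only ever written as data, so it may stay tainted;
# newlines are stripped so a caller cannot forge additional log records.
my $msg = defined $q{msg} ? $q{msg} : '';
$msg =~ s/[\r\n]/ /g;

# 4. Without step 3, open(..., '>>', "$base/$q{log}.log") dies here under
#    -T; with it, only names matching the whitelist pattern get through.
my $path = "$base/$log.log";
open my $fh, '>>', $path or die "cannot append to $path: $!\n";
print {$fh} scalar(localtime), ' ', ($ENV{REMOTE_ADDR} || '-'), " $msg\n";
close $fh or die "close $path: $!\n";

print "Content-Type: text/plain\r\n\r\nlogged to $log\n";
```

Taint mode does not make a setuid script safe on its own: it only forces the author to name the exact shape of every value that may influence a privileged operation, which is the discipline a hand-written `if ($name =~ /\.\./)` blacklist never achieves. Test it by requesting `?log=../etc/passwd&msg=x` with step 3 replaced by `my $log = $q{log};` and watching perl refuse the `open`.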