From owner-freebsd-isp Thu Sep 14 17:44:57 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from saturn.mikesweb.com (saturn.mikesweb.com [216.91.66.1])
    by hub.freebsd.org (Postfix) with SMTP id 7F7FE37B422
    for ; Thu, 14 Sep 2000 17:44:54 -0700 (PDT)
Received: (qmail 85064 invoked from network); 15 Sep 2000 00:44:53 -0000
Received: from delta.mikesweb.com (HELO SUN.mikesweb.com) (@216.91.66.252)
    by saturn.mikesweb.com with SMTP; 15 Sep 2000 00:44:53 -0000
Message-Id: <4.3.2.7.2.20000914204109.00b80868@mail.mikesweb.com>
X-Sender: sturdee@mail.mikesweb.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 14 Sep 2000 20:43:49 -0400
To: Bill Fumerola
From: Mike
Subject: Re: make is suid?
Cc: freebsd-isp@FreeBSD.ORG
In-Reply-To: <20000914203550.M47559@jade.chc-chimes.com>
References: <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com>
    <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just set up that box not too long ago, and was just going through taking
out all the suid stuff.. I'm the only person with access to the box, so
I'm doubting compromise. This is what I had for "find / -perm -2000 -ls"
after a fresh install and cvsup.

   8027  190 -r-sr-sr-x  1 uucp  dialer   96540 Jul 30 00:46 /usr/bin/uustat
   8073   26 -r-xr-s---  1 root  kmem     12900 Jul 30 00:49 /usr/bin/fstat
   8088   20 -r-xr-s---  1 root  kmem      9624 Jul 30 00:49 /usr/bin/ipcs
   8135  166 -r-xr-s---  1 root  kmem     84448 Jul 30 00:49 /usr/bin/netstat
   8137   20 -r-xr-s---  1 root  kmem      9660 Jul 30 00:49 /usr/bin/nfsstat
   8172  112 -r-xr-s---  1 root  kmem     56392 Jul 30 00:49 /usr/bin/systat
   8182   64 -r-xr-s---  1 root  kmem     32136 Jul 30 00:49 /usr/bin/top
   8204   34 -r-xr-s---  1 root  kmem     16392 Jul 30 00:49 /usr/bin/vmstat
   8214   16 -r-xr-s---  1 root  tty       7288 Jul 30 00:49 /usr/bin/write
3190413  448 -r-sr-sr-x  1 uucp  dialer  220460 Jul 30 00:46 /usr/libexec/uucp/uucico
3190414  224 -r-sr-s---  1 uucp  uucp     99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt
6317475  896 -rwxr-sr-x  1 root  kmem    442384 Aug 25 05:51 /usr/local/bin/make

At 08:35 PM 9/14/2000 -0400, Bill Fumerola wrote:
>On Thu, Sep 14, 2000 at 08:33:28PM -0400, Mike wrote:
> > I noticed that make is suid root.
> > -rwxr-sr-x 1 root kmem 442384 Aug 25 05:51
> > /usr/local/bin/make
>
>[hawk-billf] /home/billf/postfix-current > ls -l =make
>-r-xr-xr-x 1 root wheel 97120 Jul 14 00:17 /usr/bin/make*
>
> > Is that supposed to be? Would it still work for users if it wasn't?
>
>No, it shouldn't be.
>Yes, it does.
>
>I'd suspect that your machine has had a compromise, if I were you.
>
>--
>Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
>                billf@chimesnet.com / billf@FreeBSD.org
>
>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
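
Added example, not part of the original message or of FreeBSD: a Python audit that parses "find -ls" output like the listing above, decodes which set-id bit each mode string carries, and reports set-id files that are absent from a reviewed baseline. The BASELINE set and the function names are assumptions; the sample lines are constructed from the listing in the message.

```python
import re

# Constructed sample in `find / -perm -2000 -ls` format (lines taken from the listing above).
SAMPLE = """\
   8073   26 -r-xr-s---  1 root  kmem     12900 Jul 30 00:49 /usr/bin/fstat
3190413  448 -r-sr-sr-x  1 uucp  dialer  220460 Jul 30 00:46 /usr/libexec/uucp/uucico
6317475  896 -rwxr-sr-x  1 root  kmem    442384 Aug 25 05:51 /usr/local/bin/make
"""

# Hypothetical baseline: set-id paths the administrator has reviewed and accepted.
BASELINE = {"/usr/bin/fstat", "/usr/libexec/uucp/uucico"}

# inode, blocks, mode, links, owner, group, size, month, day, time/year, path
LS_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-a-z][-rwxsStT]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)

def setid_bits(mode):
    """Return the set-id bits present in a 10-character ls mode string."""
    bits = []
    if mode[3] in "sS":   # user execute slot: s/S means setuid
        bits.append("setuid")
    if mode[6] in "sS":   # group execute slot: s/S means setgid
        bits.append("setgid")
    return bits

def audit(listing, baseline):
    """Return (path, privilege) for every set-id file not in the baseline."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue  # skip lines that are not in find -ls format
        bits = setid_bits(m["mode"])
        if not bits or m["path"] in baseline:
            continue
        # setuid runs with the file owner's uid, setgid with the file's group
        ident = {"setuid": m["owner"], "setgid": m["group"]}
        findings.append((m["path"], ", ".join(f"{b} {ident[b]}" for b in bits)))
    return findings

if __name__ == "__main__":
    for path, priv in audit(SAMPLE, BASELINE):
        print(f"not in baseline: {path} ({priv})")
```
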