Date: Sun, 29 Sep 1996 20:13:30 -0700 (PDT)
From: "Bryan K. Ogawa" <bkogawa@primenet.com>
To: dwhite@resnet.uoregon.edu
Cc: questions@FreeBSD.ORG, Paul Walsh <paul@nation-net.com>
Subject: Re: mysterious setuid changes
Message-ID: <199609300313.UAA27460@foo.primenet.com>
References: <> <Pine.BSI.3.94.960929145730.911I-100000@gdi.uoregon.edu>

In localhost.freebsd.questions you write:

>On Sun, 29 Sep 1996, Paul Walsh wrote:

>> Can anyone explain why I would get this in my daily security run output, when
>> I've not been messing with the permissions?
>>
>> I only have 3 valid users on the system, so if someone's been fiddling I
>> should soon find out who.

>Take a look at the differences here:

>> checking setuid files and devices:
>> www setuid/device diffs:
>> 66a67,68
>> > -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
>> > -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq79,80d80

>These files were removed from the system...

Hm... I think these were actually added...? These look like parts of
hylafax.

>in diff, < = inserted, > = removed.

I always thought it was the other way around, but I know it depends on
which order the diff is done in (e.g. "diff file1 file2" and "diff file2
file1" produce similar output, but the < and > are switched (and possibly
other differences)).

[...]

>> checking for uids of 0:
>> root 0
>> toor 0

>This should never change. If you see one of your users' names appear
>here...well, you're in trouble.

Yup... :)

-- 
bryan k ogawa <bkogawa@primenet.com> http://www.primenet.com/~bkogawa/
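
Added example, not part of the original message or of FreeBSD's security script: a small parser for normal-format `diff` output over `ls`-style setuid listings, showing how the meaning of `<` and `>` follows from the argument order discussed above. The sample listing, its paths and the `classify`/`new_setuid` names are constructed for illustration; it assumes the ten-field listing layout seen in the quoted report.

```python
import re

# Normal-format hunk headers look like "66a67,68", "79d80" or "90c91".
HUNK = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")

# Constructed sample in the shape of the daily report (paths are placeholders).
SAMPLE = """
66a67,68
> -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/example-getty
> -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/example-q
79d80
< -rwsr-xr-x 1 root bin 24576 Oct 1 10:00:00 1995 /usr/local/bin/example-old
90c91
< -rwxr-xr-x 1 root bin 8192 Oct 1 10:00:00 1995 /usr/local/bin/example-tool
---
> -rwsr-xr-x 1 root bin 8192 Oct 1 10:00:00 1995 /usr/local/bin/example-tool
"""

def classify(diff_text, reversed_order=False):
    """Return [(status, mode, path)] for each listing line in the diff.

    Assumes `diff OLD NEW`: '<' lines exist only in OLD (removed) and
    '>' lines only in NEW (added). Set reversed_order=True when the
    diff was run as `diff NEW OLD`, which swaps the two meanings.
    """
    meaning = {"<": "removed", ">": "added"}
    if reversed_order:
        meaning = {"<": "added", ">": "removed"}
    events = []
    for line in diff_text.splitlines():
        if not line.strip() or line == "---" or HUNK.match(line):
            continue  # blank line, change separator, or hunk header
        marker, _, entry = line.partition(" ")
        fields = entry.split(None, 9)  # the path is the 10th field
        if marker not in meaning or len(fields) != 10:
            raise ValueError("unexpected diff line: %r" % line)
        events.append((meaning[marker], fields[0], fields[9]))
    return events

def new_setuid(events):
    """Paths that newly appear with the setuid or setgid bit set."""
    return [path for status, mode, path in events
            if status == "added" and (mode[3] in "sS" or mode[6] in "sS")]

if __name__ == "__main__":
    for status, mode, path in classify(SAMPLE):
        print(status, mode, path)
    print("review:", new_setuid(classify(SAMPLE)))
```

A file that only gained the setuid bit shows up as a `c` hunk, so it is reported once as removed (old mode) and once as added (new mode).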