Date:      Sun, 29 Sep 1996 20:13:30 -0700 (PDT)
From:      "Bryan K. Ogawa" <bkogawa@primenet.com>
To:        dwhite@resnet.uoregon.edu
Cc:        questions@FreeBSD.ORG, Paul Walsh <paul@nation-net.com>
Subject:   Re: mysterious setuid changes
Message-ID:  <199609300313.UAA27460@foo.primenet.com>
References:  <> <Pine.BSI.3.94.960929145730.911I-100000@gdi.uoregon.edu>


In localhost.freebsd.questions you write:

>On Sun, 29 Sep 1996, Paul Walsh wrote:

>> Can anyone explain why I would get this in my daily security run output, when
>> I've not been messing with the permissions?
>> 
>> I only have 3 valid users on the system, so if someone's been fiddling I
>> should soon find out who.

>Take a look at the differences here:

>> checking setuid files and devices:
>> www setuid/device diffs:
>> 66a67,68
>> > -rwsr-xr-x  1 uucp  bin    495616 Nov  2 08:14:57 1995 /usr/local/sbin/faxgetty
>> > -rwsr-xr-x  1 uucp  bin    360448 Nov  2 08:14:54 1995 /usr/local/sbin/faxq
>> 79,80d80

>These files were removed from the system...

Hm... I think these were actually added...?  These look like parts of
hylafax.

>in diff, < = inserted, > = removed.

I always thought it was the other way around, but I know it depends on
which order the diff is done in (e.g. "diff file1 file2" and "diff
file2 file1" produce similar output, but the < and > are switched (and
possibly other differences)).

[...]
>> checking for uids of 0:
>> root 0
>> toor 0

>This should never change.  If you see one of your user's names appear
>here...well, you're in trouble.

Yup... :)
-- 
bryan k ogawa  <bkogawa@primenet.com>   http://www.primenet.com/~bkogawa/
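
Added example (not part of the original message or of FreeBSD's security script): a small parser for normal-format `diff FILE1 FILE2` output, where `<` lines exist only in FILE1 and `>` lines only in FILE2, so "added" versus "removed" depends on argument order. It assumes the security run compares the previous listing first and the new one second; the function names and the two `<` entries in the sample are constructed.

```python
import re

# Normal-format hunk headers look like "66a67,68", "79,80d80" or "12c12".
HUNK = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")

def classify(diff_text, old_first=True):
    """Sort normal-format diff output into added and removed entries.

    '<' lines are only in FILE1, '>' lines only in FILE2. With
    old_first=True (diff OLD NEW, the assumption here) a '>' line is an
    entry that appeared; with the arguments swapped it is one that vanished.
    """
    only_first, only_second = [], []
    for line in diff_text.splitlines():
        if HUNK.match(line) or line == "---":
            continue  # hunk header or change-hunk separator
        if line.startswith("< "):
            only_first.append(line[2:])
        elif line.startswith("> "):
            only_second.append(line[2:])
    if old_first:
        return {"added": only_second, "removed": only_first}
    return {"added": only_first, "removed": only_second}

def setuid_paths(entries):
    """Paths of ls-style entries whose owner-execute slot is 's' or 'S'."""
    paths = []
    for entry in entries:
        fields = entry.split()
        if fields and len(fields[0]) >= 4 and fields[0][3] in "sS":
            paths.append(fields[-1])
    return paths

# First hunk is taken from the message above; the '<' lines are constructed.
SAMPLE = """\
66a67,68
> -rwsr-xr-x  1 uucp  bin    495616 Nov  2 08:14:57 1995 /usr/local/sbin/faxgetty
> -rwsr-xr-x  1 uucp  bin    360448 Nov  2 08:14:54 1995 /usr/local/sbin/faxq
79,80d80
< -rwsr-xr-x  1 root  bin     16384 Jan  1 00:00:00 1995 /constructed/example/old1
< -rwsr-xr-x  1 root  bin     16384 Jan  1 00:00:00 1995 /constructed/example/old2
"""

if __name__ == "__main__":
    result = classify(SAMPLE)
    print("new setuid files:", setuid_paths(result["added"]))
    print("gone setuid files:", setuid_paths(result["removed"]))
```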


