From owner-freebsd-questions Mon Sep 30 04:26:00 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA17440 for questions-outgoing; Mon, 30 Sep 1996 03:48:56 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA17307 for ; Mon, 30 Sep 1996 03:48:44 -0700 (PDT)
Received: from foo.primenet.com (ip080.lax.primenet.com [204.212.59.80]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id WAA19164 for ; Sun, 29 Sep 1996 22:46:49 -0700 (PDT)
Received: (from bkogawa@localhost) by foo.primenet.com (8.7.5/8.6.12) id UAA27460; Sun, 29 Sep 1996 20:13:30 -0700 (PDT)
Date: Sun, 29 Sep 1996 20:13:30 -0700 (PDT)
Message-Id: <199609300313.UAA27460@foo.primenet.com>
To: dwhite@resnet.uoregon.edu
Subject: Re: mysterious setuid changes
Newsgroups: localhost.freebsd.questions
References: <>
From: "Bryan K. Ogawa"
Cc: questions@FreeBSD.ORG, Paul Walsh
X-Newsreader: NN version 6.5.0 #1 (NOV)
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In localhost.freebsd.questions you write:

>On Sun, 29 Sep 1996, Paul Walsh wrote:

>> Can anyone explain why I would get this in my daily security run output, when
>> I've not been messing with the permissions?
>>
>> I only have 3 valid users on the system, so if someone's been fiddling I
>> should soon find out who.

>Take a look at the differences here:

>> checking setuid files and devices:
>> www setuid/device diffs:
>> 66a67,68
>> > -rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
>> > -rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq
>> 79,80d80

>These files were removed from the system...

Hm... I think these were actually added...? These look like parts of hylafax.

>in diff, < = inserted, > = removed.

I always thought it was the other way around, but I know it depends on which
order the diff is done in (e.g. "diff file1 file2" and "diff file2 file1"
produce similar output, but the < and > are switched (and possibly other
differences)).

[...]

>> checking for uids of 0:
>> root 0
>> toor 0

>This should never change. If you see one of your user's names appear
>here...well, you're in trouble.

Yup... :)

--
bryan k ogawa  http://www.primenet.com/~bkogawa/
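The thread turns on which side of the setuid diff means "added" and which means "removed". The following is an added example, not part of the original mailing-list exchange or of FreeBSD's own security script. It assumes the daily check runs `diff` with yesterday's setuid list first and today's second (old before new); under that assumption `<` lines exist only in the old list (removed setuid files) and `>` lines only in the new one (added setuid files), which is why the two hylafax entries above, marked `>`, are additions. Both list files are constructed here so the script runs offline.

```sh
#!/bin/sh
# Added example: interpret a daily setuid-list diff as the security check
# would produce it (old list first, new list second).  All file contents
# below are constructed sample data, not output from any real system.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Yesterday's constructed setuid list.
cat > "$WORK/setuid.old" <<'EOF'
-rwsr-xr-x 1 root wheel 12345 Jan 1 00:00:00 1996 /usr/bin/passwd
-rwsr-xr-x 1 root wheel 23456 Jan 1 00:00:00 1996 /usr/bin/su
-rwsr-xr-x 1 root wheel 34567 Jan 1 00:00:00 1996 /usr/local/bin/oldtool
EOF

# Today's constructed setuid list: oldtool is gone, two hylafax
# binaries (the entries from the thread) have appeared.
cat > "$WORK/setuid.new" <<'EOF'
-rwsr-xr-x 1 root wheel 12345 Jan 1 00:00:00 1996 /usr/bin/passwd
-rwsr-xr-x 1 root wheel 23456 Jan 1 00:00:00 1996 /usr/bin/su
-rwsr-xr-x 1 uucp bin 495616 Nov 2 08:14:57 1995 /usr/local/sbin/faxgetty
-rwsr-xr-x 1 uucp bin 360448 Nov 2 08:14:54 1995 /usr/local/sbin/faxq
EOF

# setuid_diff OLD NEW: raw diff, old first, as the daily script reports it.
setuid_diff() {
    diff "$1" "$2"
}

# added_setuid OLD NEW: paths of setuid files present only in NEW.
# These are the '>' lines; the last field of each ls-style line is the path.
added_setuid() {
    diff "$1" "$2" | awk '/^> /{print $NF}'
}

# removed_setuid OLD NEW: paths of setuid files present only in OLD,
# i.e. the '<' lines.
removed_setuid() {
    diff "$1" "$2" | awk '/^< /{print $NF}'
}

echo "raw diff (old vs new):"
setuid_diff "$WORK/setuid.old" "$WORK/setuid.new" || true
echo "added setuid files:"
added_setuid "$WORK/setuid.old" "$WORK/setuid.new"
echo "removed setuid files:"
removed_setuid "$WORK/setuid.old" "$WORK/setuid.new"
```

Swapping the two arguments to `diff` flips every `<` to `>` and vice versa, which is the ambiguity the poster describes; the only reliable way to read such a report is to know the argument order the script uses. Any newly added setuid binary, expected or not, is worth verifying against the package that installed it before the report is dismissed.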