From owner-freebsd-isp Thu Sep 14 17:46:37 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from saturn.mikesweb.com (saturn.mikesweb.com [216.91.66.1])
    by hub.freebsd.org (Postfix) with SMTP id 9D80037B422
    for ; Thu, 14 Sep 2000 17:46:34 -0700 (PDT)
Received: (qmail 85199 invoked from network); 15 Sep 2000 00:46:33 -0000
Received: from delta.mikesweb.com (HELO SUN.mikesweb.com) (@216.91.66.252)
    by saturn.mikesweb.com with SMTP; 15 Sep 2000 00:46:33 -0000
Message-Id: <4.3.2.7.2.20000914204506.0f6eb548@mail.mikesweb.com>
X-Sender: sturdee@mail.mikesweb.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 14 Sep 2000 20:45:30 -0400
To: Bill Fumerola
From: Mike
Subject: Re: make is suid?
Cc: freebsd-isp@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20000914204109.00b80868@mail.mikesweb.com>
References: <20000914203550.M47559@jade.chc-chimes.com> <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com> <4.3.2.7.2.20000914203236.00ba1c10@mail.mikesweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(forgot to mention that I had taken out the user exec permissions before
doing the listing)

At 08:43 PM 9/14/2000 -0400, Mike wrote:
>Just set up that box not too long ago, and was just going through taking
>out all the suid stuff.. I'm the only person with access to the box, so
>I'm doubting compromise.
>This is what I had for "find / -perm -2000 -ls" after a fresh install and
>cvsup.
>
>   8027  190 -r-sr-sr-x  1 uucp  dialer   96540 Jul 30 00:46 /usr/bin/uustat
>   8073   26 -r-xr-s---  1 root  kmem     12900 Jul 30 00:49 /usr/bin/fstat
>   8088   20 -r-xr-s---  1 root  kmem      9624 Jul 30 00:49 /usr/bin/ipcs
>   8135  166 -r-xr-s---  1 root  kmem     84448 Jul 30 00:49 /usr/bin/netstat
>   8137   20 -r-xr-s---  1 root  kmem      9660 Jul 30 00:49 /usr/bin/nfsstat
>   8172  112 -r-xr-s---  1 root  kmem     56392 Jul 30 00:49 /usr/bin/systat
>   8182   64 -r-xr-s---  1 root  kmem     32136 Jul 30 00:49 /usr/bin/top
>   8204   34 -r-xr-s---  1 root  kmem     16392 Jul 30 00:49 /usr/bin/vmstat
>   8214   16 -r-xr-s---  1 root  tty       7288 Jul 30 00:49 /usr/bin/write
>3190413  448 -r-sr-sr-x  1 uucp  dialer  220460 Jul 30 00:46 /usr/libexec/uucp/uucico
>3190414  224 -r-sr-s---  1 uucp  uucp     99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt
>6317475  896 -rwxr-sr-x  1 root  kmem    442384 Aug 25 05:51 /usr/local/bin/make
>
>At 08:35 PM 9/14/2000 -0400, Bill Fumerola wrote:
>>On Thu, Sep 14, 2000 at 08:33:28PM -0400, Mike wrote:
>> > I noticed that make is suid root.
>> > -rwxr-sr-x  1 root  kmem  442384 Aug 25 05:51 /usr/local/bin/make
>>
>>[hawk-billf] /home/billf/postfix-current > ls -l =make
>>-r-xr-xr-x  1 root  wheel  97120 Jul 14 00:17 /usr/bin/make*
>>
>> > Is that supposed to be? Would it still work for users if it wasn't?
>>
>>No, it shouldn't be.
>>Yes, it does.
>>
>>I'd suspect that your machine has had a compromise, if I were you.
>>
>>--
>>Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
>>                billf@chimesnet.com / billf@FreeBSD.org
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-isp" in the body of the message
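
Added example, not part of the thread and not FreeBSD's own tooling: one way to turn a saved listing like the one quoted above into a baseline check, so a new or altered setuid/setgid file stands out. It goes beyond the quoted `find / -perm -2000 -ls` (setgid only) by also covering setuid with `-perm -4000`; the names `audit_special` and `demo`, the split into baseline and current files, and the altered mode on `/usr/bin/write` are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two saved listings produced by
#   find / \( -perm -4000 -o -perm -2000 \) -ls
# Assumes the 11-column `find -ls` layout seen in the message and paths without spaces.

# audit_special BASELINE CURRENT -> prints NEW / CHANGED / GONE lines
audit_special() {
    awk '
    # Columns: inode blocks mode links owner group size month day time path
    function special(mode, owner, group,    s) {
        s = ""
        if (substr(mode, 4, 1) ~ /[sS]/) s = s " setuid=" owner   # user-exec slot
        if (substr(mode, 7, 1) ~ /[sS]/) s = s " setgid=" group   # group-exec slot
        return s
    }
    FILENAME == ARGV[1] { base[$11] = $3 " " $5 " " $6; next }
    {
        seen[$11] = 1
        cur = $3 " " $5 " " $6
        if (!($11 in base))
            print "NEW " $11 special($3, $5, $6)
        else if (base[$11] != cur)
            print "CHANGED " $11 special($3, $5, $6) " was[" base[$11] "]"
    }
    END { for (p in base) if (!(p in seen)) print "GONE " p }
    ' "$1" "$2"
}

# demo: constructed sample input built from lines in the quoted listing;
# the mode of /usr/bin/write in "current" is altered on purpose for the demo.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
8073 26 -r-xr-s--- 1 root kmem 12900 Jul 30 00:49 /usr/bin/fstat
8214 16 -r-xr-s--- 1 root tty 7288 Jul 30 00:49 /usr/bin/write
EOF
    cat > "$dir/current" <<'EOF'
8073 26 -r-xr-s--- 1 root kmem 12900 Jul 30 00:49 /usr/bin/fstat
8214 16 -r-sr-s--- 1 root tty 7288 Jul 30 00:49 /usr/bin/write
6317475 896 -rwxr-sr-x 1 root kmem 442384 Aug 25 05:51 /usr/local/bin/make
EOF
    audit_special "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}
demo
```

The mode column is decoded by position: an `s` or `S` in the user-execute slot means setuid, and in the group-execute slot means setgid, so `-rwxr-sr-x root kmem` is reported as `setgid=kmem`.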