From owner-freebsd-isp Thu Sep 14 18:50:26 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.alpha1.net (megatron.alpha1.net [216.88.112.9])
    by hub.freebsd.org (Postfix) with ESMTP id 7131337B423
    for ; Thu, 14 Sep 2000 18:50:22 -0700 (PDT)
Received: from marius.org (marius.org [216.88.115.170])
    by mail.alpha1.net (8.10.1/8.10.1) with ESMTP id e8F1nsn50865;
    Thu, 14 Sep 2000 20:49:54 -0500 (CDT)
Date: Thu, 14 Sep 2000 20:53:45 -0500 (CDT)
From: Marius Strom
X-Sender: marius@marius.org
To: Mike
Cc: freebsd-isp@freebsd.org
Subject: Re: make is suid?
In-Reply-To: <4.3.2.7.2.20000914204109.00b80868@mail.mikesweb.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After "fresh install and cvsup" you shouldn't have anything in /usr/local,
IITC (If I'm Thinking Correctly)

--
Marius Strom
Professional Geek/Unix System Administrator
Alpha1 Internet
http://www.marius.org/marius.pgp 0x55DE53E4
Turn off the faucet? We're too busy mopping up the floor!

On Thu, 14 Sep 2000, Mike wrote:

> Just set up that box not too long ago, and was just going through taking
> out all the suid stuff.. I'm the only person with access to the box, so I'm
> doubting compromise.
> This is what I had for "find / -perm -2000 -ls" after a fresh install and
> cvsup.
>
>    8027  190 -r-sr-sr-x 1 uucp dialer  96540 Jul 30 00:46 /usr/bin/uustat
>    8073   26 -r-xr-s--- 1 root kmem    12900 Jul 30 00:49 /usr/bin/fstat
>    8088   20 -r-xr-s--- 1 root kmem     9624 Jul 30 00:49 /usr/bin/ipcs
>    8135  166 -r-xr-s--- 1 root kmem    84448 Jul 30 00:49 /usr/bin/netstat
>    8137   20 -r-xr-s--- 1 root kmem     9660 Jul 30 00:49 /usr/bin/nfsstat
>    8172  112 -r-xr-s--- 1 root kmem    56392 Jul 30 00:49 /usr/bin/systat
>    8182   64 -r-xr-s--- 1 root kmem    32136 Jul 30 00:49 /usr/bin/top
>    8204   34 -r-xr-s--- 1 root kmem    16392 Jul 30 00:49 /usr/bin/vmstat
>    8214   16 -r-xr-s--- 1 root tty      7288 Jul 30 00:49 /usr/bin/write
> 3190413  448 -r-sr-sr-x 1 uucp dialer 220460 Jul 30 00:46 /usr/libexec/uucp/uucico
> 3190414  224 -r-sr-s--- 1 uucp uucp    99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt
> 6317475  896 -rwxr-sr-x 1 root kmem   442384 Aug 25 05:51 /usr/local/bin/make
>
> At 08:35 PM 9/14/2000 -0400, Bill Fumerola wrote:
> >On Thu, Sep 14, 2000 at 08:33:28PM -0400, Mike wrote:
> > > I noticed that make is suid root.
> > > -rwxr-sr-x 1 root kmem 442384 Aug 25 05:51 /usr/local/bin/make
> >
> >[hawk-billf] /home/billf/postfix-current > ls -l =make
> >-r-xr-xr-x 1 root wheel 97120 Jul 14 00:17 /usr/bin/make*
> >
> > > Is that supposed to be? Would it still work for users if it wasn't?
> >
> >No, it shouldn't be.
> >Yes, it does.
> >
> >I'd suspect that your machine has had a compromise, if I were you.
> >
> >--
> >Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
> > billf@chimesnet.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
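
The following is an added example, not part of the original thread: a small triage script that parses `find -ls` rows like the ones Mike posted and reports why an entry stands out. The names `BASE_DIRS`, `SENSITIVE_GROUPS`, `parse_ls`, `reasons` and `audit` are assumptions made for this illustration, as is the choice of which directories count as base system.

```python
import re

# Constructed sample: rows taken from the `find / -perm -2000 -ls` listing
# quoted in the thread, with the mail client's line wraps joined.
SAMPLE = """\
   8027  190 -r-sr-sr-x 1 uucp dialer  96540 Jul 30 00:46 /usr/bin/uustat
   8073   26 -r-xr-s--- 1 root kmem    12900 Jul 30 00:49 /usr/bin/fstat
   8214   16 -r-xr-s--- 1 root tty      7288 Jul 30 00:49 /usr/bin/write
6317475  896 -rwxr-sr-x 1 root kmem   442384 Aug 25 05:51 /usr/local/bin/make
"""

# Assumptions for this triage, not taken from the thread:
BASE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")
SENSITIVE_GROUPS = {"kmem"}  # group with read access to kernel memory devices

ROW = re.compile(
    r"\s*\d+\s+\d+\s+(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)"
)

def parse_ls(text):
    """Return one dict (mode, owner, group, path) per parseable listing row."""
    return [m.groupdict() for m in map(ROW.fullmatch, text.splitlines()) if m]

def reasons(entry):
    """List why a setuid/setgid entry deserves a closer look; [] if none."""
    mode, out = entry["mode"], []
    setuid, setgid = mode[3] in "sS", mode[6] in "sS"
    if not (setuid or setgid):
        return out
    if not entry["path"].startswith(BASE_DIRS):
        out.append("outside base-system directories")
    if "w" in (mode[2], mode[5], mode[8]):
        out.append("write bit set")
    if setgid and entry["group"] in SENSITIVE_GROUPS and mode[9] in "xt":
        out.append("world-executable setgid " + entry["group"])
    return out

def audit(text):
    """Map path -> reasons for every flagged row in the listing."""
    checked = ((e["path"], reasons(e)) for e in parse_ls(text))
    return {path: why for path, why in checked if why}

if __name__ == "__main__":
    for path, why in audit(SAMPLE).items():
        print(path + ": " + "; ".join(why))
```

Note that `-perm -2000` selects files with the setgid bit; `-perm -4000` selects setuid files, so a full audit feeds both listings to `audit`.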