Date: Fri, 10 Mar 2017 17:04:34 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: daily security run output (setuid)
Message-ID: <c9d3a981-0c3e-142c-817b-ab8c6cc5cec8@FreeBSD.org>
In-Reply-To: <0a9bbc9664cdeacc27dacadbd575ea1d.squirrel@webmail.harte-lyne.ca>
References: <0a9bbc9664cdeacc27dacadbd575ea1d.squirrel@webmail.harte-lyne.ca>
On 2017/03/10 16:42, James B. Byrne via freebsd-questions wrote:
> Following a recent update we began to see this report:
>
> Checking setuid files and devices:
>
> setuid diffs:
> --- /var/log/setuid.today 2017-01-18 03:01:01.000000000 -0500
> +++ /tmp/security.saU3IUZT 2017-03-08 03:01:01.006331628 -0500
> @@ -36,9 +36,9 @@
> . . .
>
> - 70217 -rwsr-xr-x 1 root wheel 22416 Jan 12 00:09:17 2017 /usr/local/bin/pkexec
> . . .
> + 30527 -rwsr-xr-x 1 root wheel 22416 Feb 25 00:04:40 2017 /usr/local/bin/pkexec
>
> pkg which /usr/local/bin/pkexec
> /usr/local/bin/pkexec was installed by package polkit-0.113_3
>
> pkg info polkit-0.113_3
> polkit-0.113_3
> Name : polkit
> Version : 0.113_3
> Installed on : Tue Mar 7 15:31:14 2017 EST
>
>
> This was a legitimate update as far as I can see. I can see that the
> mtime value has changed but why does the update not account for this
> with the security system?

The security system? That makes it sound *way* more sophisticated than it really is.

All that the setuid daily script does is run find(1) to locate all of the setuid files on the system, create a sorted list, and then diff that against the previous day's list. It tells you when there have been any changes to setuid files. It doesn't say anything about whether those changes are legitimate or not -- that's down to the (supposedly) intelligent administrators who read the email reports.

The beauty of it is that it is so simple it is very hard to bamboozle.

In this case, since it is a file from a pkg that you can verify was re-installed during the right timeframe, you can be pretty sure that nothing untoward is going on. Also, running 'pkg check -s polkit' to verify that none of the checksums on the package's files have changed might provide additional peace of mind.
Cheers,

Matthew
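The three steps Matthew describes (find the setuid files, sort the list, diff it against yesterday's), written out as an added example rather than FreeBSD's own periodic script; it runs over a throwaway temporary tree, and the directory layout, file names and file contents in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FreeBSD's own periodic script: the same three steps the
# daily setuid check performs (find setuid/setgid files, sort, diff against
# yesterday's list), run over a throwaway directory so it is safe anywhere.
# The real report also prints the inode number, which is why a package
# reinstall shows up as a changed line even when the bytes are identical.
export LC_ALL=C   # keep ls(1) date columns fixed so lines compare cleanly

# list_setuid DIR: one sorted line per setuid/setgid regular file under DIR,
# as ls -l prints it (mode, links, owner, group, size, date, path).
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ sub(/[.+@]$/, "", $1); print }' | sort -k 9
}

# setuid_diff YESTERDAY TODAY: unified diff of two snapshots. Like diff(1)
# it returns 0 when nothing changed and 1 when something did; the daily
# report is only worth reading when this is non-zero.
setuid_diff() {
    diff -u "$1" "$2"
}

# demo: snapshot a small constructed tree, then flip the setuid bit on a
# second file and snapshot again. Prints the diff; returns 0 only if the
# newly setuid file was reported as an added line.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/setuidchk.XXXXXX") || return 1
    mkdir -p "$d/bin"
    for f in pkexec passwd; do printf '#!/bin/sh\n' > "$d/bin/$f"; done
    chmod 4755 "$d/bin/pkexec"   # -rwsr-xr-x, as in the report above
    chmod 0755 "$d/bin/passwd"   # not setuid in yesterday's snapshot
    list_setuid "$d" > "$d/setuid.yesterday"
    chmod u+s "$d/bin/passwd"    # something set the bit overnight
    list_setuid "$d" > "$d/setuid.today"
    rc=0
    out=$(setuid_diff "$d/setuid.yesterday" "$d/setuid.today") || rc=$?
    rm -rf "$d"
    printf '%s\n' "$out"
    [ "$rc" -eq 1 ] && printf '%s\n' "$out" | grep -q '^+-rws.*/bin/passwd$'
}

demo
```

Unchanged files (pkexec here) appear only as diff context, never with a leading `-` or `+`; on a real host the next step is the `pkg which` / `pkg check -s` lookup shown in the thread for each path that does.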