Date:      Fri, 10 Mar 2017 17:04:34 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: daily security run output (setuid)
Message-ID:  <c9d3a981-0c3e-142c-817b-ab8c6cc5cec8@FreeBSD.org>
In-Reply-To: <0a9bbc9664cdeacc27dacadbd575ea1d.squirrel@webmail.harte-lyne.ca>
References:  <0a9bbc9664cdeacc27dacadbd575ea1d.squirrel@webmail.harte-lyne.ca>

On 2017/03/10 16:42, James B. Byrne via freebsd-questions wrote:
> Following a recent update we began to see this report:
>
> Checking setuid files and devices:
>
> setuid diffs:
> --- /var/log/setuid.today        2017-01-18 03:01:01.000000000 -0500
> +++ /tmp/security.saU3IUZT        2017-03-08 03:01:01.006331628 -0500
> @@ -36,9 +36,9 @@
> . . .
>
> - 70217 -rwsr-xr-x  1 root  wheel         22416 Jan 12 00:09:17 2017
> /usr/local/bin/pkexec
> . . .
> + 30527 -rwsr-xr-x  1 root  wheel         22416 Feb 25 00:04:40 2017
> /usr/local/bin/pkexec
>
> pkg which /usr/local/bin/pkexec
> /usr/local/bin/pkexec was installed by package polkit-0.113_3
>
> pkg info polkit-0.113_3
> polkit-0.113_3
> Name           : polkit
> Version        : 0.113_3
> Installed on   : Tue Mar  7 15:31:14 2017 EST
>
> This was a legitimate update as far as I can see. I can see that the
> mtime value has changed but why does the update not account for this
> with the security system?

The security system?  That makes it sound *way* more sophisticated than
it really is.

All that the setuid daily script does is run find(1) to locate all of
the setuid files on the system, create a sorted list, and then diff
that against the previous day's list.  It tells you when there have been
any changes to setuid files.  It doesn't say anything about whether
those changes are legitimate or not -- that's down to the (supposedly)
intelligent administrators who read the email reports.

The beauty of it is that it is so simple it is very hard to bamboozle.

In this case, since it is a file from a pkg that you can verify was
re-installed during the right timeframe, you can be pretty sure that
nothing untoward is going on.  Also running 'pkg check -s polkit' to
verify that none of the checksums on the package's files have changed
might provide additional peace of mind.

	Cheers,

	Matthew
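The check Matthew describes, as an added example that is not FreeBSD's own periodic script: a small POSIX sh re-implementation of the daily setuid report (list with find(1), sort, diff against the previous day's copy), exercised against a constructed scratch tree instead of the real filesystem. The function names (setuid_list, setuid_check, demo) and the use of `ls -lid` for the listing columns are assumptions of this example; the real script's exact columns may differ.

```shell
#!/bin/sh
# Added example, not FreeBSD's own periodic script: a minimal version of
# the daily setuid check described above.  find(1) lists every setuid or
# setgid file under a root, the list is sorted, and today's list is
# diffed against the previous run's copy.  Diff output only says that
# something changed; judging whether that is legitimate is up to you.

# setuid_list ROOT: one "ls -lid" line per setuid/setgid regular file
# (inode perms links owner group size date name), sorted on the path,
# which is field 10 of that output.  Errors (unreadable dirs) are dropped.
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -lid {} + 2>/dev/null | sort -k 10
}

# setuid_check ROOT STATEFILE: returns 0 when today's list matches the
# saved one (or on the very first run, which only seeds the baseline),
# 1 when it differs; the unified diff goes to stdout.  STATEFILE is
# then replaced with today's list for the next run.
setuid_check() {
    root=$1; state=$2
    today=$(mktemp) || return 2
    setuid_list "$root" > "$today"
    rc=0
    if [ -f "$state" ] && ! cmp -s "$state" "$today"; then
        echo "setuid diffs:"
        diff -u "$state" "$today" || true
        rc=1
    fi
    mv "$today" "$state"
    return $rc
}

# demo: constructed scratch tree with a stand-in setuid binary; prints
# the three return codes (baseline, unchanged, after a simulated package
# reinstall that gives the file a new inode) as its last line: "0 0 1".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin"
    printf 'placeholder\n' > "$tmp/root/bin/pkexec"
    chmod 4755 "$tmp/root/bin/pkexec"
    setuid_check "$tmp/root" "$tmp/setuid.today" && r1=0 || r1=$?
    setuid_check "$tmp/root" "$tmp/setuid.today" && r2=0 || r2=$?
    printf 'placeholder\n' > "$tmp/root/bin/pkexec.new"
    chmod 4755 "$tmp/root/bin/pkexec.new"
    mv "$tmp/root/bin/pkexec.new" "$tmp/root/bin/pkexec"   # new inode
    setuid_check "$tmp/root" "$tmp/setuid.today" && r3=0 || r3=$?
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}
```

Running `demo` shows the same kind of diff as the report quoted above: identical mode, owner and size, but a different inode and timestamp, which is exactly what a package reinstall produces.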
