Date:      Thu, 19 Feb 2015 09:11:22 +0100 (CET)
From:      Raimund Sacherer <rs@logitravel.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: setuid diffs in daily security run output
Message-ID:  <920286937.89617878.1424333482970.JavaMail.zimbra@logitravel.com>
In-Reply-To: <20150218215912.GB267@neutralgood.org>
References:  <1630133808.88787292.1424250372563.JavaMail.zimbra@logitravel.com> <535737942.88794111.1424250825035.JavaMail.zimbra@logitravel.com> <20150218190200.GD26575@neutralgood.org> <28505455.89479949.1424291118283.JavaMail.zimbra@logitravel.com> <20150218215912.GB267@neutralgood.org>


----- Original Message ----- 

> From: kpneal@pobox.com
> To: "Raimund Sacherer" <rs@logitravel.com>
> Cc: freebsd-questions@freebsd.org
> Sent: Wednesday, February 18, 2015 10:59:12 PM
> Subject: Re: setuid diffs in daily security run output

> On Wed, Feb 18, 2015 at 09:25:18PM +0100, Raimund Sacherer wrote:
> > ----- Original Message -----
> >
> > > From: kpneal@pobox.com
> > > To: "Raimund Sacherer" <rs@logitravel.com>
> > > Cc: freebsd-questions@freebsd.org
> > > Sent: Wednesday, February 18, 2015 8:02:00 PM
> > > Subject: Re: setuid diffs in daily security run output
> >
> > > On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > > > Hello,
> > > >
> > > > This is one of our first FreeBSD servers we use, and I'd rather be safe
> > > > than sorry: we put a FreeBSD 10.0 system into production and it has been
> > > > running (in production) for a couple of weeks now. Reading the security
> > > > run emails today I noticed a lot of those:
> > > >
> > > > --- snip ---
> > > > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp

> > > > --- snip ---
> > > >
> > > > I did not see those messages before, but I do normally read those
> > > > mails.
> >
> > > > How come those messages are in the security output today? Are those
> > > > permissions correct? Should I be worried about an intruder?
> >
> > > Is it possible someone modified or deleted the files that the security
> > > script uses to keep track of what files are setuid? If one of your other
> > > support people didn't know what something was they may have deleted it or
> > > otherwise messed with it.

> > I will check this out, thank you. Is there any way to make sure that these
> > permissions are correct? Is there some place where the standard
> > permissions for all those tools are documented?

> The 'mtree' utility is used to check, set, and compare permissions and
> ownerships of files. It can also be used to get hashes of files so you can
> see what files have actually changed. It basically creates and consumes a
> manifest of at least one file.

> On my system the base system manifest files are in /etc/mtree, but you can
> use the 'locate' command to find them if they've moved. You will also find
> them if you have /usr/src installed.

> The only thing mtree lacks is support for extended attributes.

Thank you very much! 

Best 
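The daily security mail quoted above is a raw diff of two setuid listings in `ls -liT` form, so a `-` line alone does not say whether the file was modified, lost its setuid bit, or vanished. As an added example (not code from this thread or from the FreeBSD periodic scripts), the following Python parser reads two such listings and classifies the difference per path; every snapshot line except the `/bin/rcp` one is constructed for illustration.

```python
import re
from typing import Dict, NamedTuple

# One "ls -liT" line: inode, mode, links, user, group, size, full timestamp, path.
LINE_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<mode>\S{10,11})\s+(?P<links>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+(?P<path>\S.*)$")

Entry = NamedTuple("Entry", [("inode", int), ("mode", str), ("links", int),
                             ("user", str), ("group", str), ("size", int), ("mtime", str)])

def parse_snapshot(text: str) -> Dict[str, Entry]:
    """Map path -> Entry; lines that do not match are skipped, not guessed at."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            g = m.groupdict()
            entries[g["path"]] = Entry(int(g["inode"]), g["mode"], int(g["links"]),
                                       g["user"], g["group"], int(g["size"]), g["mtime"])
    return entries

def classify(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, str]:
    """Per path: 'added', 'removed' or 'changed:<fields>'; unchanged paths are omitted."""
    report: Dict[str, str] = {}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report[path] = "removed"   # setuid bit dropped, or the file is gone
        elif path not in old:
            report[path] = "added"     # a new setuid binary: check where it came from
        else:
            diff = [f for f in Entry._fields if getattr(old[path], f) != getattr(new[path], f)]
            if diff:
                report[path] = "changed:" + ",".join(diff)
    return report

# Constructed sample snapshots: only the /bin/rcp line is taken from the mail.
YESTERDAY = """\
 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
1203 -r-sr-xr-x 1 root wheel 18120 Jan 16 22:40:09 2014 /usr/bin/passwd
1210 -r-sr-xr-x 1 root wheel 15160 Jan 16 22:40:11 2014 /usr/bin/su
"""
TODAY = """\
1203 -r-sr-xr-x 1 root wheel 18120 Jan 16 22:40:09 2014 /usr/bin/passwd
1210 -r-sr-xr-x 1 root wheel 15344 Feb 17 09:02:33 2015 /usr/bin/su
4102 -r-sr-xr-x 1 root wheel 22880 Feb 18 11:15:02 2015 /usr/local/bin/sudo
"""
REPORT = classify(parse_snapshot(YESTERDAY), parse_snapshot(TODAY))
```

A "changed:size,mtime" entry on a base-system binary is the case worth following up with mtree's hash comparison; an "added" entry under /usr/local typically comes from a newly installed port, which the package database can confirm.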


