>I never said the restore CDs were doing it. I
>don't know that they are. I don't think they are.
>I originally thought it was the latest kernel
>patches or the latest updates, but I'm not sure
>now. An associate tells me he thinks it's just
>RUNNING CMU. We don't know yet. Everything else
>is premature.

I know what did it, it's that damn Neomail program! It's the same damn issue that I fumbled onto back in Nov when it became clear that Neomail v1.2.3 (the first or second release of the pkg) was changing suidperl so it had the S bit set on the file (which was exploitable by the P-trace bug):

-rws--x--x 2 root root 517916 Apr 6 1999 suidperl

http://list.cobalt.com/pipermail/cobalt-users/2001-November/056752.html

I bet you ANYTHING it's that damn Neomail program that changed these permissions... And if that's the case, then there's literally hundreds (or more) of RaQ users whose shadow passwd file has been changed to the same ugly permissions!

The two RaQ3's that I mentioned reinstalled back in Feb last year (after the BIND hack), they both had the first or second release of Neomail installed off http://pkg.nl.cobalt.com/.

-rw-r--r-- 1 root root 3230 Feb 4 22:39 shadow
-rw-r--r-- 1 root root 3274 Feb 4 22:38 shadow-

While the third RaQ I just set up (with a fresh OS install) has only had the newest release of Neomail installed (1.2.5 or something), and it has (had) the following permissions on shadow:

-rw-r--r-- 1 root root 1931 Jan 25 17:48 shadow
-r-------- 1 root root 1931 Jan 12 00:52 shadow-

I changed those puppies on all my machines back to 400 and have started changing passwords - but I'm telling you guys, it's Neomail. I'll bet there's a good number of users who installed earlier versions of the program (as I had) and have some VERY UGLY permissions set on their shadow password files...

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
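
Added example, not part of the original message or of any Cobalt or Neomail tooling: a small shell check that classifies `ls -l` lines like the ones quoted above, flagging shadow files readable beyond their owner and setuid-root binaries. The function names and the owner-only policy for shadow files are assumptions made for this illustration; the sample listings are the ones from the message.

```shell
#!/bin/sh
# Added example: classify `ls -l` lines such as those quoted in the message.
# Assumed policy: shadow files owner-only (400/600); setuid-root files reported.

# audit_line "<ls -l line>" prints "FLAG <name>: <reason>" or "OK <name>".
audit_line() {
    read -r mode links owner group size rest <<EOF
$1
EOF
    name=${rest##* }            # last field is the file name
    mode=${mode%[.+@]}          # drop the ACL/SELinux marker some ls builds append
    case $name in
        shadow|shadow-|*/shadow|*/shadow-)
            # Everything after the owner's rwx triplet must be "------".
            if [ "${mode#????}" != "------" ]; then
                echo "FLAG $name: $mode exposes password hashes beyond the owner"
            else
                echo "OK $name"
            fi ;;
        *)
            case $mode in
                ???[sS]*)       # s/S in the owner-execute slot means setuid
                    if [ "$owner" = root ]; then
                        echo "FLAG $name: setuid root ($mode)"
                    else
                        echo "OK $name"
                    fi ;;
                *) echo "OK $name" ;;
            esac ;;
    esac
}

# audit_paths PATH... runs the same check against live files.
audit_paths() {
    for p in "$@"; do
        if [ -e "$p" ]; then audit_line "$(ls -ld "$p")"; fi
    done
}

# Listings copied from the message, used as offline sample input.
audit_sample() {
    while IFS= read -r line; do audit_line "$line"; done <<'EOF'
-rws--x--x 2 root root 517916 Apr 6 1999 suidperl
-rw-r--r-- 1 root root 3230 Feb 4 22:39 shadow
-rw-r--r-- 1 root root 3274 Feb 4 22:38 shadow-
-rw-r--r-- 1 root root 1931 Jan 25 17:48 shadow
-r-------- 1 root root 1931 Jan 12 00:52 shadow-
EOF
}

audit_sample
```

On a live host, `audit_paths /etc/shadow /etc/shadow-` applies the same classification to the real files.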
