Roland Smith wrote:
>
> On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote:
> <snip>
>> > Looks like you were portupgrading around with postfix, screen and
>> xterm.
>> >
>> > The output is diff(1). See the man page for details, but it's
>> basically
>> > showing you the difference between last night's directory listing, and
>> > that
>> > of the previous day.
>> >
>> > For more gory details, see the scripts in /etc/periodic/security, which
>> > are
>> > run every night from cron. Some of the ports you changed resulted in
>> > changes to setuid/setgid programs installed on the system. As a
>> security-
>> > concious administrator, you should be interested in the programs on
>> your
>> > system that have elevated privilidges, so this script is provided to
>> give
>> > you a daily report on that.
>>
>> I see, so basically after reinstalling the default uid/gid of some
>> programs
>> changed? Is that a problem or anything?
>
> It's not a problem. It's just something that you should be aware of from
> a security standpoint.
>
> In this case you caused it because you upgraded some ports, which is OK.
>
> But if the size, date, ownership or permissions of a binary change
> without any apparent cause, it _could_ be the work of an intruder or
> rootkit trying to backdoor your system. That's why the system checks it.
>
> In /etc/defaults/periodic.conf you see which settings there are
> concerning security, and what the defaults are. If you want to disable
> some of them, put the settings in /etc/periodic.conf with a "NO" value
> instead of "YES". But I would recommend to leave them as they are.
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
>
>
>
mail.***********.net setuid diffs:
--- /var/log/setuid.today Mon May 21 03:02:30 2007
+++ /tmp/security.wq6BsVcr Sun Jun 3 03:01:48 2007
@@ -20,7 +20,7 @@
377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006
/usr/bin/yppasswd
71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007
/usr/local/bin/screen
70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007
/usr/local/sbin/lsof
-73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007
/usr/local/sbin/postdrop
-73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007
/usr/local/sbin/postqueue
+71432 -rwxr-sr-x 1 root maildrop 142559 Jun 2 15:47:54 2007
/usr/local/sbin/postdrop
+71433 -rwxr-sr-x 1 root maildrop 152477 Jun 2 15:47:54 2007
/usr/local/sbin/postqueue
923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006
/usr/sbin/mailwrapper
923264 -r-sr-x--- 1 root network 11636 Jul 30 16:20:07 2006
/usr/sbin/sliplogin
I have some more, I'm starting to understand it a bit better. Basically the
user:group id number has changed and the security run is letting me know.
Good deal, but im still confused as to what the @@ -20,7 + 20,7 @@ and + -
mean. Can anyone explain those? I'm curious, also why would yppasswd change
to userid 2? I changed roots name yesterday, could that be the cause of it?
--
View this message in context:
http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10979516
Sent from the freebsd-questions mailing list archive at Nabble.com.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
