More: Re: crontab reports: ....
All right, so what about the following? Do programs sometimes need to be unregistered as well? Is the following a security problem on my system?

/etc/cron.daily/suidmanager:
suidregister: /var/list/.bin/multigram registered but not installed
suidregister: /usr/lib/emacs/19.34/i386-debian-linux/movemail registered but not installed

Hmmm...will be reading up on this suidregister stuff.

Art

On Sat, Oct 09, 1999 at 02:19:11AM -0700, Sean 'Shaleh' Perry wrote:
> On 09-Oct-99 Bruno Van de Casteele wrote:
> [...]
> > /etc/cron.daily/suidmanager:
> > /usr/sbin/sendmail PERMISSION MISMATCH: was root.root 777 changed to root.root 4755
> [...]
> It is less an error and more of a warning. If you want to setuid a program, use suidregister.
> [...]
RE: More: Re: crontab reports: ....
On 11-Oct-99 Art Lemasters wrote:
> All right, so what about the following? Do programs sometimes need to be unregistered as well? Is the following a security problem on my system?
>
> /etc/cron.daily/suidmanager:
> suidregister: /var/list/.bin/multigram registered but not installed
> suidregister: /usr/lib/emacs/19.34/i386-debian-linux/movemail registered but not installed

I get the same stuff after I upgrade but it goes away. I have not been able to find the script responsible for it.

--
Andrew
Re: More: Re: crontab reports: ....
Pollywog wrote:
> On 11-Oct-99 Art Lemasters wrote:
> > All right, so what about the following? Do programs sometimes need to be unregistered as well? Is the following a security problem on my system?
> >
> > /etc/cron.daily/suidmanager:
> > suidregister: /var/list/.bin/multigram registered but not installed
> > suidregister: /usr/lib/emacs/19.34/i386-debian-linux/movemail registered but not installed
>
> I get the same stuff after I upgrade but it goes away. I have not been able to find the script responsible for it.

If I remember correctly, it comes from /etc/suid.conf. It's due to the fact that a package was removed but this file hasn't been updated.

HTH

> --
> Andrew
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
RE: More: Re: crontab reports: ....
See man suidregister, or you can edit the /etc/suid.conf file directly and remove the offending lines.

-Todd

On Mon, 11 Oct 1999, Pollywog wrote:
> On 11-Oct-99 Art Lemasters wrote:
> > All right, so what about the following? Do programs sometimes need to be unregistered as well? Is the following a security problem on my system?
> >
> > /etc/cron.daily/suidmanager:
> > suidregister: /var/list/.bin/multigram registered but not installed
> > suidregister: /usr/lib/emacs/19.34/i386-debian-linux/movemail registered but not installed
>
> I get the same stuff after I upgrade but it goes away. I have not been able to find the script responsible for it.
>
> --
> Andrew
crontab reports: ....
- Original Message -
From: Cron Daemon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 09, 1999 6:35 AM
Subject: Cron [EMAIL PROTECTED] run-parts --report /etc/cron.daily

/etc/cron.daily/suidmanager:
/usr/sbin/sendmail PERMISSION MISMATCH: was root.root 777 changed to root.root 4755

this may sound stupid... but what does this error message mean?

Bruno Van de Casteele
N.P. Puam[ICQ # CA957F]
Tune in at http://puam.cjb.net/
Re: crontab reports: ....
> /etc/cron.daily/suidmanager:
> /usr/sbin/sendmail PERMISSION MISMATCH: was root.root 777 changed to root.root 4755
>
> this may sound stupid... but what does this error message mean?

This means that suidmanager found a problem with the sendmail executable and fixed it.

Having permissions of 777 means that ANYONE can read/write/execute the program. The problem is in the WRITE portion - anyone with access to your host can replace (or perhaps already has?) sendmail with their own version.

Having permissions of 4755 means that group/other only have read and execute permissions - the leading 4 indicates that the suid bit is set (program runs under the uid of the owner of the program).

With an error like this popping up in the log file, I'd start checking the system to see if the security has been compromised.

-dave

--
    |  oOOooO   /
  --|oOobodoO/     [EMAIL PROTECTED]
  --| ooOoOo /
    |  II   /      The wise man tells you where you have fallen
    |  II  /       and where you may fall - Invaluable secrets.
Re: crontab reports: ....
On Sat, Oct 09, 1999 at 11:54:41AM -0500, Dave Baker wrote:
> > /etc/cron.daily/suidmanager:
> > /usr/sbin/sendmail PERMISSION MISMATCH: was root.root 777 changed to root.root 4755
> >
> > this may sound stupid... but what does this error message mean?
>
> This means that suidmanager found a problem with the sendmail executable and fixed it.
>
> Having permissions of 777 means that ANYONE can read/write/execute the program. The problem is in the WRITE portion - anyone with access to your host can replace (or perhaps already has?) sendmail with their own version.

I'm sure that /usr/sbin/sendmail is a symlink to the real MTA, which is why it keeps showing up (the symlink always has mode 777). This could be considered a bug in suidmanager. IMO, the package should add the correct file to suidmanager rather than setting the symlink (since the symlink might point to another file altogether if the admin sets it up that way).

Ben
Re: crontab reports: ....
*- On 9 Oct, Ben Collins wrote about Re: crontab reports:
> On Sat, Oct 09, 1999 at 11:54:41AM -0500, Dave Baker wrote:
> > > /etc/cron.daily/suidmanager:
> > > /usr/sbin/sendmail PERMISSION MISMATCH: was root.root 777 changed to root.root 4755
> > >
> > > this may sound stupid... but what does this error message mean?
> >
> > This means that suidmanager found a problem with the sendmail executable and fixed it.
> >
> > Having permissions of 777 means that ANYONE can read/write/execute the program. The problem is in the WRITE portion - anyone with access to your host can replace (or perhaps already has?) sendmail with their own version.
>
> I'm sure that /usr/sbin/sendmail is a symlink to the real MTA, which is why it keeps showing up (the symlink always has mode 777). This could be considered a bug in suidmanager. IMO, the package should add the correct file to suidmanager rather than setting the symlink (since the symlink might point to another file altogether if the admin sets it up that way).

Or sendmail (the package) was originally installed and when it was replaced with another MTA like exim the sendmail.postrm script did not call suidunregister to remove the sendmail line from /etc/suid.conf. Thus a bug in sendmail. For exim, the following was added to my /etc/suid.conf with suidregister:

exim /usr/sbin/exim root root 4755

and sendmail is a link to exim. I have never had the sendmail package installed so I can't say for sure if this is the case. Just another scenario.

--
Brian Servis
--
Mechanical Engineering              | Never criticize anybody until you
Purdue University                   | have walked a mile in their shoes,
[EMAIL PROTECTED]                   | because by that time you will be a
http://www.ecn.purdue.edu/~servis   | mile away and have their shoes.
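
A read-only check along the lines discussed in this thread, added here as an example and not part of any message or of suidmanager itself: it assumes /etc/suid.conf holds five-field lines like the exim entry quoted above (package, path, owner, group, mode), and all function names are hypothetical. It uses lstat, so a symlink such as /usr/sbin/sendmail is reported as a symlink instead of being compared by its own mode, and a stale entry is reported as not installed.

```python
import grp
import os
import pwd
import stat

def parse_suid_conf(text):
    """Parse 'package path owner group mode' lines (format assumed from the thread)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith("#"):
            continue  # blank or malformed line; '#' comments are an assumption
        package, path, owner, group, mode = fields
        entries.append((package, path, owner, group, int(mode, 8)))
    return entries

def name_of(lookup, ident):
    """Map a uid or gid to its name, falling back to the number as a string."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit_entry(path, owner, group, mode):
    """Return (status, detail) for one registered path without changing anything."""
    try:
        st = os.lstat(path)  # lstat does not follow symlinks
    except FileNotFoundError:
        return ("missing", "registered but not installed")
    if stat.S_ISLNK(st.st_mode):
        # The link's own mode says nothing about the program it points to.
        return ("symlink", "points to " + os.path.realpath(path))
    actual = (name_of(pwd.getpwuid, st.st_uid), name_of(grp.getgrgid, st.st_gid),
              stat.S_IMODE(st.st_mode))
    if actual != (owner, group, mode):
        return ("mismatch", "is %s.%s %o, registered as %s.%s %o"
                % (actual + (owner, group, mode)))
    return ("ok", "")

def audit(conf_text):
    """Audit every entry in the given suid.conf text, keyed by path."""
    return {path: audit_entry(path, owner, group, mode)
            for _pkg, path, owner, group, mode in parse_suid_conf(conf_text)}

if __name__ == "__main__":
    # Constructed sample: the exim line from the thread plus a sendmail entry.
    sample = ("exim /usr/sbin/exim root root 4755\n"
              "sendmail /usr/sbin/sendmail root root 4755\n")
    for path, (status, detail) in audit(sample).items():
        print(path, status, detail)
```
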