Subject: Re: Setuid deletions
To: Petar Bogdanovic <p.netbsd@2005.smokva.net>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-users
Date: 12/15/2005 09:37:02

On Thu, 15 Dec 2005, Petar Bogdanovic wrote:

>>> Checking setuid files and devices:
>>> Setuid/device find errors:
>>> find: ipw: Authentication error
>>>
>>> Setuid deletions:
>>> -r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
>>> -r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
>>> -r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
>>> -r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown

>> I think the Authentication error is probably relevant.  If find stopped
>> after that, it didn't find the other files, and then the script found a
>> diff between the stored list and the current one.
>>
>> As you state the files are still there.
>>
>
> Thank you, this makes sense.
>
> 's' comes after 'm' and because the smb-share was mounted on /mnt/smb, find 
> couldn't reach /sbin.

find continues when it has some types of errors. It could exit when failing
to check the filesystem (-fstype) but that would show the directory name.

When you do a find manually, does it stop immediately when it gets to your 
old smbfs share?

> I assume, the security-report of tomorrow will contain 'Setuid additions' of 
> ccdconfig, ping, ping6 and shutdown..

Have a look at /var/backups/work/setuid.current and
/var/backups/work/setuid.backup (and the revision history at
/var/backups/work/setuid.current,v).

  Jeremy C. Reed

  Media Relations and Publishing Services
  http://www.reedmedia.net/
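
Added example, not part of the original message and not the NetBSD security script's own code: a shell check for the situation discussed in this thread, where a find that stops early makes files that still exist show up as "Setuid deletions". It compares two listings in the format shown above and tests each reported deletion against the filesystem; the `ROOT` prefix argument, the function names, the path `/sbin/oldtool` and the sample tree are constructed for the demonstration, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example; the sample tree and listings below are constructed.

# Print the path (last field) of every listing line, sorted for comm(1).
# Assumes paths contain no whitespace.
list_paths() {
    awk 'NF { print $NF }' "$1" | LC_ALL=C sort -u
}

# classify_deletions BACKUP CURRENT [ROOT]
# ROOT is a hypothetical prefix so the check can run against a test tree.
classify_deletions() {
    backup=$1; current=$2; root=${3:-}
    old=$(mktemp); new=$(mktemp)
    list_paths "$backup" > "$old"
    list_paths "$current" > "$new"
    LC_ALL=C comm -23 "$old" "$new" | while IFS= read -r p; do
        f=$root$p
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "scan-missed $p"   # still set-id on disk: the scan was incomplete
        elif [ -e "$f" ]; then
            echo "bit-cleared $p"   # file exists, set-id bit is gone
        else
            echo "removed $p"       # file really is gone
        fi
    done
    rm -f "$old" "$new"
}

# Constructed demo: /sbin/ping is still setuid but absent from the current
# listing (as after an aborted find); /sbin/oldtool was genuinely removed.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/sbin" "$t/root/bin"
    : > "$t/root/sbin/ping"; chmod 4555 "$t/root/sbin/ping"
    : > "$t/root/bin/su";    chmod 4555 "$t/root/bin/su"
    cat > "$t/setuid.backup" <<'EOF'
-r-sr-xr-x 1 root wheel 10 Nov 21 14:23:00 2005 /bin/su
-r-sr-xr-x 1 root wheel 10 Nov 21 14:23:00 2005 /sbin/oldtool
-r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
EOF
    cat > "$t/setuid.current" <<'EOF'
-r-sr-xr-x 1 root wheel 10 Nov 21 14:23:00 2005 /bin/su
EOF
    classify_deletions "$t/setuid.backup" "$t/setuid.current" "$t/root"
    rm -rf "$t"
}

demo
```

A "scan-missed" line means the listing was truncated rather than the file changed, so the find errors in the same report are the thing to investigate.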