Subject: Re: Setuid deletions
To: Petar Bogdanovic <firstname.lastname@example.org>
From: Jeremy C. Reed <email@example.com>
Date: 12/15/2005 09:37:02
On Thu, 15 Dec 2005, Petar Bogdanovic wrote:
>>> Checking setuid files and devices:
>>> Setuid/device find errors:
>>> find: ipw: Authentication error
>>> Setuid deletions:
>>> -r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
>>> -r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
>>> -r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
>>> -r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
>> I think the Authentication error is probably relevant. If find stopped
>> after that, it didn't find the other files, and then the script found a
>> diff between the stored list and the current one.
>> As you state the files are still there.
> Thank you, this makes sense.
> 's' comes after 'm' and because the smb-share was mounted on /mnt/smb, find
> couldn't reach /sbin.
find continues when it has some types of errors. It could exit when failing
to check the filesystem (-fstype) but that would show the directory name.
When you do a find manually, does it stop immediately when it gets to your
old smbfs share?
> I assume, the security-report of tomorrow will contain 'Setuid additions' of
> ccdconfig, ping, ping6 and shutdown..
Have a look at /var/backups/work/setuid.current and
/var/backups//work/setuid.backup (and the revision history at
Jeremy C. Reed
Media Relations and Publishing Services
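
The false "Setuid deletions" discussed in this thread can be told apart from real ones by re-checking each reported path on disk. The following is an added example, not part of the original message or of NetBSD's /etc/security; the function names are hypothetical, and it assumes each list line ends with the file path as its last field, as in the report lines quoted above.

```shell
#!/bin/sh
# Added example, not part of /etc/security. Assumption: each list line ends
# with the file path as its last whitespace-separated field, like the report
# lines quoted in the thread (paths containing spaces are not handled).

# paths_of LIST: print the sorted, unique paths named in LIST.
paths_of() {
    awk 'NF { print $NF }' "$1" | sort -u
}

# classify_deletions OLD NEW: for every path listed in OLD but not in NEW,
# report whether the file is really gone or the scan simply missed it.
classify_deletions() {
    old_paths=$(mktemp) || return 1
    new_paths=$(mktemp) || return 1
    paths_of "$1" > "$old_paths"
    paths_of "$2" > "$new_paths"
    # comm -23 prints the lines that appear only in the first (old) list.
    comm -23 "$old_paths" "$new_paths" | while IFS= read -r p; do
        if [ -u "$p" ] || [ -g "$p" ]; then
            echo "MISSED  $p"   # still setuid/setgid: find never reached it
        elif [ -e "$p" ]; then
            echo "CLEARED $p"   # file exists, but the set-id bit is gone
        else
            echo "GONE    $p"   # genuinely deleted
        fi
    done
    rm -f "$old_paths" "$new_paths"
}
```

A run where most entries come back as MISSED, next to a find error in the same report, points to an incomplete traversal rather than to removed binaries.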