netbsd-users: Re: Setuid deletions

Subject: Re: Setuid deletions
To: Jeremy C. Reed <reed@reedmedia.net>
From: Petar Bogdanovic <p.netbsd@2005.smokva.net>
List: netbsd-users
Date: 12/16/2005 09:33:10
Jeremy C. Reed wrote:
> On Thu, 15 Dec 2005, Petar Bogdanovic wrote:
> 
>>>> Checking setuid files and devices:
>>>> Setuid/device find errors:
>>>> find: ipw: Authentication error
>>>>
>>>> Setuid deletions:
>>>> -r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
>>>> -r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
>>>> -r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
>>>> -r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
> 
>>> I think the Authentication error is probably relevant.  If find stopped
>>> after that, it didn't find the other files, and then the script found a
>>> diff between the stored list and and the current one.
>>>
>>> As you state the file are still there.
>>>
>>
>> Thank you, this makes sense.
>>
>> 's' comes after 'm' and because the smb-share was mounted on /mnt/smb, 
>> find couldn't reach /sbin.
> 
> find continues when it has some type of errors. It could exit when 
> failing to check the filesystem (-fstype) but that would show the 
> directory name.
> 
> When you do a find manually, does it stop immediately when it gets to 
> your old smbfs share?

Unfortunately, I can't try this because the Server with the share is 
gone. :(

However, with no smbfs mounted, find finishes just fine.


>> I assume, the security-report of tomorrow will contain 'Setuid 
>> additions' of ccdconfig, ping, ping6 and shutdown..
> 
> Have a look at /var/backups/work/setuid.current and 
> /var/backups//work/setuid.backup (and the revision history at 
> /var/backups/work/setuid.current,v).

It seems, that the 'authentication error' really did break find. This is 
the insecurity report of today:

*************************************************
Checking setuid files and devices:
Setuid additions:
-r-xr-sr-x 1 root kmem 15252 Nov 21 14:23:06 2005 /sbin/ccdconfig
-r-sr-xr-x 1 root wheel 27334 Nov 21 14:23:14 2005 /sbin/ping
-r-sr-xr-x 1 root wheel 35927 Nov 21 14:23:28 2005 /sbin/ping6
-r-sr-xr-- 1 root operator 14463 Nov 21 14:23:17 2005 /sbin/shutdown
*************************************************

It's a pity that I can't reproduce this..


Anyway - thank you for your help!

Petar