Subject: Odd setuid additions
To: None <tech-security@netbsd.org>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-security
Date: 11/05/2001 14:05:53
One of my machines has just given me the following in the daily security
run...

> Checking setuid files and devices:
> Setuid additions:
> -r-xr-sr-x 1 root kmem 109440 Nov 17 01:36:24 2000 /sbin/ccdconfig
> -r-xr-sr-x 2 root tty 314168 Nov 17 01:36:43 2000 /sbin/dump
> -r-xr-sr-x 2 root tty 314776 Nov 17 01:36:49 2000 /sbin/dump_lfs
> -r-sr-xr-x 1 root wheel 228868 Nov 17 01:36:31 2000 /sbin/ping
> -r-sr-xr-x 1 root wheel 237576 Nov 17 01:36:53 2000 /sbin/ping6
> -r-xr-sr-x 2 root tty 314168 Nov 17 01:36:43 2000 /sbin/rdump
> -r-xr-sr-x 2 root tty 314776 Nov 17 01:36:49 2000 /sbin/rdump_lfs
> -r-sr-xr-- 1 root operator 248200 Nov 17 01:36:35 2000 /sbin/shutdown

md5 gives:

bash-2.04$ md5 /sbin/ccdconfig /sbin/dump /sbin/dump_lfs /sbin/ping
/sbin/ping6 /sbin/rdump /sbin/rdump_lfs /sbin/shutdown
MD5 (/sbin/ccdconfig) = e8ffb6ebae221e670794297daa0c9836
MD5 (/sbin/dump) = 5b857d2867d58f25d4417b97429a5858
MD5 (/sbin/dump_lfs) = a1bd1c99f78693466c99a0cae109f454
MD5 (/sbin/ping) = ba4cab5e9a2e1f56ed13b58665b79b23
MD5 (/sbin/ping6) = 159fd7af9da94fe456578dc7471b01b0
MD5 (/sbin/rdump) = 5b857d2867d58f25d4417b97429a5858
MD5 (/sbin/rdump_lfs) = a1bd1c99f78693466c99a0cae109f454
MD5 (/sbin/shutdown) = 568d89bc5ae55f833c2a6472154f791a

This is the same as on another NetBSD 1.5/i386 machine I have, which
didn't show anything abnormal in the security output.

The night before, I got:

> Checking setuid files and devices:
> Setuid/device find errors:
> find: fts_read: No such file or directory

No hint as to which file or directory this refers to, but this rings a
bell:

bash-2.04$ find /mnt >/dev/null
find: fts_read: No such file or directory
bash-2.04$ mount | grep mnt
/dev/cd0d on /mnt type cd9660 (local, read-only)

So I assume that this error was caused by an error on the CD. Is this
related to the setuid additions?

As I understand it, the security script looks only at the file metainfo,
which doesn't appear to have changed. The only thing I've done on this
machine recently is to install the gimp from pkgsrc, which shouldn't be
touching anything in /sbin :)

So, two things... firstly, if somebody has a 1.5/i386 system, would it be
possible to verify these md5 sums, and secondly, is the error on the CD
a plausible cause for these warnings?

-- 
Gillette - the best a man can forget
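The mechanism the question above turns on, as an added shell illustration (not NetBSD's /etc/security script and not part of the original message, with every path and file constructed): a daily check that diffs today's setuid listing against the one saved from yesterday reports every unchanged binary as an addition when yesterday's run was cut short, which is what an aborted find would do to the saved baseline. The script assumes the check works by comparing ls -ld style metadata lines, as the post's report format suggests.

```shell
#!/bin/sh
# Added illustration (not NetBSD's /etc/security script): a daily setuid
# check keeps yesterday's listing and prints as "Setuid additions" every
# line in today's listing that is missing from it.  If yesterday's find
# died partway (as with "find: fts_read: No such file or directory"), the
# saved listing is incomplete and unchanged binaries show up as additions.
set -u

# One line of metadata per setuid/setgid file under $1: mode, link count,
# owner, group, size, mtime and path, which is what such checks compare.
snapshot_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + | sort
}

# Lines present in today's listing ($2) but absent from the saved one ($1).
setuid_additions() {
    comm -13 "$1" "$2"
}

# Constructed fixture: a throwaway tree with two setuid files, modelled on
# /sbin/ping and /sbin/shutdown from the report.  Prints the tree's path.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sbin"
    for f in ping shutdown; do
        : > "$root/sbin/$f"
        chmod 4555 "$root/sbin/$f"
    done
    printf '%s\n' "$root"
}

# Count of additions reported when today's complete listing of $1/sbin is
# diffed against a baseline that stopped after $2 lines (0 = yesterday's
# find aborted before listing anything; 2 = yesterday's run completed).
additions_after_truncated_run() {
    root=$1
    snapshot_setuid "$root/sbin" > "$root/setuid.today"
    head -n "$2" "$root/setuid.today" > "$root/setuid.yesterday"
    setuid_additions "$root/setuid.yesterday" "$root/setuid.today" | wc -l | tr -d ' '
}

root=$(make_fixture)
echo "complete baseline:  $(additions_after_truncated_run "$root" 2) additions"   # 0
echo "truncated baseline: $(additions_after_truncated_run "$root" 0) additions"   # 2
rm -rf "$root"
```

The md5 comparison in the post is the right cross-check for this failure mode: identical sums on an unaffected machine mean the binaries did not change, only the saved listing did.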