*BSD News Article 64059



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!howland.reston.ans.net!sol.ctr.columbia.edu!news.mindlink.net!van-bc!unixg.ubc.ca!rover.ucs.ualberta.ca!george
From: george@ee.ualberta.ca (Jason George)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Setuid security problem
Date: 24 Mar 1996 17:25:05 GMT
Organization: University of Alberta Electrical Engineering Department
Lines: 45
Message-ID: <4j40hh$p52@pulp.ucs.ualberta.ca>
NNTP-Posting-Host: nyquist.ee.ualberta.ca
X-Newsreader: TIN [version 1.2 PL2]



I encountered a really weird setuid problem last night and only now have
a better understanding of the extent of the problem.  I'm still at a loss
for an explanation though!

I dialed into the FreeBSD box at work to check on things.  I noticed the
problem as soon as I logged in because tcsh gave me a weird error:

tcsh: Undefined error: 0
tcsh: trying to start from "/usr/home/jbg"

tcsh still seems to work fine though.

I then did a du and encountered:

du: .: Undefined error: 0

I then did a find (no arguments) and was shown the info line.
A 'find /' nets me a:

find: /: Undefined error: 0


Not until the security check occurred last night did I find out that 126
files were 'setuid modified'.  Mostly in /bin /usr/bin and
/usr/local/bin.  A couple in /usr/libexec and strangely enough,
/usr/ports were also touched.

The only thing I can think of is that I ran COPS late Friday to check on
a couple of modifications I've made in the last few weeks.  I've run
COPS before with no problems.

If need be, I'll move the suspect files offline and replace them with
originals from the CD live filesystem.


Any insights?


Thanks.

--Jason
george@ee.ualberta.ca
jbg@skunkworks.specialty.ab.ca
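As an added example (not part of the original post, and not FreeBSD's own /etc/security script), here is a small POSIX sh snapshot-and-compare of setuid/setgid files, the kind of check that flagged the 126 modified files above; it assumes paths contain no whitespace and that `ls -ldn` is available.

```sh
#!/bin/sh
# Added example: record every setuid/setgid regular file under a tree
# (mode, numeric owner, numeric group, path), then compare two such
# snapshots to see what gained or lost a setuid/setgid bit, or changed
# owner/mode. This mirrors the idea of a nightly setuid check; it is not
# the FreeBSD implementation. Assumption: paths contain no whitespace.

# setuid_snapshot DIR  ->  sorted lines: "mode uid gid path"
setuid_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
         -exec ls -ldn {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# setuid_diff OLD NEW  ->  one line per changed entry:
#   "- ..." entry present only in OLD (bit cleared or file gone)
#   "+ ..." entry present only in NEW (newly setuid, or mode/owner changed)
setuid_diff() {
    diff "$1" "$2" | awk '/^[<>]/ { sub(/^</, "-"); sub(/^>/, "+"); print }'
}

# setuid_diff_count OLD NEW  ->  number of changed entries (0 = no change)
setuid_diff_count() {
    setuid_diff "$1" "$2" | awk 'END { print NR }'
}

# Typical use: keep yesterday's snapshot and compare after each run.
#   setuid_snapshot /usr/bin > /var/backups/setuid.today
#   setuid_diff /var/backups/setuid.yesterday /var/backups/setuid.today
```

Running the snapshot over `/bin`, `/usr/bin`, `/usr/local/bin` and `/usr/libexec` and diffing against a copy taken from the CD live filesystem shows exactly which of the 126 files differ and how.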