Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!howland.reston.ans.net!sol.ctr.columbia.edu!news.mindlink.net!van-bc!unixg.ubc.ca!rover.ucs.ualberta.ca!george
From: george@ee.ualberta.ca (Jason George)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Setuid security problem
Date: 24 Mar 1996 17:25:05 GMT
Organization: University of Alberta Electrical Engineering Department
Lines: 45
Message-ID: <4j40hh$p52@pulp.ucs.ualberta.ca>
NNTP-Posting-Host: nyquist.ee.ualberta.ca
X-Newsreader: TIN [version 1.2 PL2]

I encountered a really weird setuid problem last night and only now
have a better understanding of the extent of the problem. I'm still at
a loss for an explanation though!

I dialed into the FreeBSD box at work to check on things. I noticed
the problem as soon as I logged in because tcsh gave me a weird error:

    tcsh: Undefined error: 0
    tcsh: trying to start from "/usr/home/jbg"

tcsh still seems to work fine though. I then did a du and encountered:

    du: .: Undefined error: 0

I then did a find (no arguments) and was shown the info line. A
'find /' nets me a:

    find: /: Undefined error: 0

Not until the security check occurred last night did I find out that
126 files were 'setuid modified'. Mostly in /bin, /usr/bin and
/usr/local/bin. A couple in /usr/libexec and, strangely enough,
/usr/ports were also touched.

The only thing I can think of is that I ran COPS late Friday to check
on a couple of modifications I've made in the last few weeks. I've run
COPS before with no problems.

If need be, I'll move the suspect files offline and replace them with
originals from the CD live filesystem.

Any insights?

Thanks.

--Jason
george@ee.ualberta.ca
jbg@skunkworks.specialty.ab.ca