From: Donnie Berkholz
Date: Wed, 12 Jul 2006 13:03:03 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] hardened: setuid
Message-ID: <44B55577.5020906@gentoo.org>

James wrote:
> Hello
>
> I was performing a routine security audit using:
>
> find / -user root -perm -4000 -print
>
> which found these peculiar files:
>
> /usr/athena/bin/su
> /usr/athena/bin/otp
> /usr/athena/bin/rcp
> /usr/athena/bin/rsh
> /usr/athena/bin/rlogin
>
>
> upon greater inspection this is most troubling:
>
> -rws--x--x 1 root root 108416 May 4 19:52 /usr/athena/bin/su
> -rws--x--x 1 root root 105640 May 4 19:52 /usr/athena/bin/otp
> -rws--x--x 1 root root 95840 May 4 19:52 /usr/athena/bin/rlogin
>
>
> Are these part of a normal gentoo system running hardened, or is it
> time to re-install this machine?

Have you tried checking which (if any) packages own these files? Have
you built anything yourself outside of portage that could have installed
them?

Thanks,
Donnie

--
gentoo-user@gentoo.org mailing list
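
One way to answer the ownership question raised in the reply above, as an added example that is not part of the original thread: the script looks up each setuid-root file in Portage's installed-package database and compares its checksum with the one recorded at install time. The database location /var/db/pkg, the CONTENTS entry layout "obj <path> <md5> <mtime>", the function names and the --scan argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify setuid-root files by the Portage package that owns them.
# Assumptions: installed-package database under /var/db/pkg, one CONTENTS file
# per package, regular files recorded as "obj <path> <md5> <mtime>".
VDB="${VDB:-/var/db/pkg}"

# lookup PATH: print "category/package-version md5" for the owning package.
lookup() {
    for c in "$VDB"/*/*/CONTENTS; do
        [ -f "$c" ] || continue
        md5=$(P="$1" awk '$1 == "obj" {
                  path = $0
                  sub(/^obj /, "", path)            # drop the entry type
                  sub(/ [^ ]+ [^ ]+$/, "", path)    # drop md5 and mtime
                  if (path == ENVIRON["P"]) { print $(NF-1); exit }
              }' "$c")
        [ -n "$md5" ] || continue
        d=${c%/CONTENTS}; catdir=${d%/*}
        echo "${catdir##*/}/${d##*/} $md5"
        return 0
    done
    return 1
}

# classify PATH: print ORPHAN (no package owns it), OWNED <pkg> (checksum
# matches the recorded one) or MODIFIED <pkg> (changed since installation).
classify() {
    if ! rec=$(lookup "$1"); then echo "ORPHAN"; return 0; fi
    pkg=${rec% *}; want=${rec##* }
    have=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then echo "OWNED $pkg"; else echo "MODIFIED $pkg"; fi
}

# audit_setuid DIR: the thread's find, restricted to regular files on one
# filesystem, with every hit classified.
audit_setuid() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

# Hypothetical entry point: "sh script.sh --scan" audits the root filesystem.
if [ "${1:-}" = "--scan" ]; then audit_setuid /; fi
```

Run it as root, since files with mode -rws--x--x cannot be read for checksumming by other users. ORPHAN and MODIFIED results are the ones that need a closer look.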