[gentoo-user] hardened: setuid

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-user]  hardened: setuid
@ 2006-07-12 19:21 James
  2006-07-12 19:39 ` Mark Shields
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: James @ 2006-07-12 19:21 UTC (permalink / raw
  To: gentoo-user

Hello

I was performing a routine security audit using:

find / -user root -perm -4000 -print

which found these peculiar files:

/usr/athena/bin/su
/usr/athena/bin/otp
/usr/athena/bin/rcp
/usr/athena/bin/rsh
/usr/athena/bin/rlogin


upon greater inspection this is most troubling:

-rws--x--x 1 root root 108416 May  4 19:52 /usr/athena/bin/su
-rws--x--x 1 root root 105640 May  4 19:52 /usr/athena/bin/otp
-rws--x--x 1 root root 95840 May  4 19:52 /usr/athena/bin/rlogin


Are these part of a normal gentoo system running hardened, or is it 
time to re-install this machine?


James




-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] hardened: setuid
  2006-07-12 19:21 [gentoo-user] hardened: setuid James
@ 2006-07-12 19:39 ` Mark Shields
  2006-07-12 19:53 ` Mick
  2006-07-12 20:03 ` [gentoo-user] " Donnie Berkholz
  2 siblings, 0 replies; 8+ messages in thread
From: Mark Shields @ 2006-07-12 19:39 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 835 bytes --]

n 7/12/06, James <wireless@tampabay.rr.com> wrote:
>
> Hello
>
> I was performing a routine security audit using:
>
> find / -user root -perm -4000 -print
>
> which found these peculiar files:
>
> /usr/athena/bin/su
> /usr/athena/bin/otp
> /usr/athena/bin/rcp
> /usr/athena/bin/rsh
> /usr/athena/bin/rlogin
>
>
> upon greater inspection this is most troubling:
>
> -rws--x--x 1 root root 108416 May  4 19:52 /usr/athena/bin/su
> -rws--x--x 1 root root 105640 May  4 19:52 /usr/athena/bin/otp
> -rws--x--x 1 root root 95840 May  4 19:52 /usr/athena/bin/rlogin
>
>
> Are these part of a normal gentoo system running hardened, or is it
> time to re-install this machine?
>
>
> James
>
>
>
>
> --
> gentoo-user@gentoo.org mailing list
>
>
Not normal.  I use hardened on two seperate servers and don't have those
files.

-- 
- Mark Shields

[-- Attachment #2: Type: text/html, Size: 1258 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user]  hardened: setuid
  2006-07-12 19:21 [gentoo-user] hardened: setuid James
  2006-07-12 19:39 ` Mark Shields
@ 2006-07-12 19:53 ` Mick
  2006-07-13  0:59   ` [gentoo-user] " James
  2006-07-12 20:03 ` [gentoo-user] " Donnie Berkholz
  2 siblings, 1 reply; 8+ messages in thread
From: Mick @ 2006-07-12 19:53 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 338 bytes --]

On Wednesday 12 July 2006 20:21, James wrote:

> which found these peculiar files:
>
> /usr/athena/bin/su
> /usr/athena/bin/otp
> /usr/athena/bin/rcp
> /usr/athena/bin/rsh
> /usr/athena/bin/rlogin

Did you ever install RedHat, or parts of?  I guess that's what these files 
seem to be, but I am not sure.
-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [gentoo-user]  Re: hardened: setuid
  2006-07-12 19:53 ` Mick
@ 2006-07-13  0:59   ` James
  2006-07-13 10:54     ` Mick
  0 siblings, 1 reply; 8+ messages in thread
From: James @ 2006-07-13  0:59 UTC (permalink / raw
  To: gentoo-user

Mick <michaelkintzios <at> gmail.com> writes:

> 
> On Wednesday 12 July 2006 20:21, James wrote:
> 
> > which found these peculiar files:
> >
> > /usr/athena/bin/su
> > /usr/athena/bin/otp
> > /usr/athena/bin/rcp
> > /usr/athena/bin/rsh
> > /usr/athena/bin/rlogin
> 
> Did you ever install RedHat, or parts of?  I guess that's what these files 
> seem to be, but I am not sure.

I have not seen any indication of comprimise.
Yes the system had redhat some years ago. It's entirely possible the same
partition table was used and therefore these residual files are artifacts
of a previous installation. My googling did not find any thing.

Where did you find out they are redhat files?

James

-- 
gentoo-user@gentoo.org mailing list

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [gentoo-user] Re: hardened: setuid
  2006-07-13  0:59   ` [gentoo-user] " James
@ 2006-07-13 10:54     ` Mick
  0 siblings, 0 replies; 8+ messages in thread
From: Mick @ 2006-07-13 10:54 UTC (permalink / raw
  To: gentoo-user

On 12/07/06, James <wireless@tampabay.rr.com> wrote:

> I have not seen any indication of comprimise.
> Yes the system had redhat some years ago. It's entirely possible the same
> partition table was used and therefore these residual files are artifacts
> of a previous installation. My googling did not find any thing.
>
> Where did you find out they are redhat files?

Have a look here:

http://rpmfind.net/linux/RPM/Red_Hat_Contrib-Net__rhcn-bugs_redhat.com_.html
http://web.mit.edu/ist/topics/linux/linux-athena.html
http://web.mit.edu/ist/topics/athena/differences.html

I have found that re-using partitions without zeroing them first,
using e.g. dd, or without making a new fs over them ends up in old
files being suddenly resurrected . . .
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user]  hardened: setuid
  2006-07-12 19:21 [gentoo-user] hardened: setuid James
  2006-07-12 19:39 ` Mark Shields
  2006-07-12 19:53 ` Mick
@ 2006-07-12 20:03 ` Donnie Berkholz
  2006-07-13  1:03   ` [gentoo-user] " James
  2 siblings, 1 reply; 8+ messages in thread
From: Donnie Berkholz @ 2006-07-12 20:03 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 838 bytes --]

James wrote:
> Hello
> 
> I was performing a routine security audit using:
> 
> find / -user root -perm -4000 -print
> 
> which found these peculiar files:
> 
> /usr/athena/bin/su
> /usr/athena/bin/otp
> /usr/athena/bin/rcp
> /usr/athena/bin/rsh
> /usr/athena/bin/rlogin
> 
> 
> upon greater inspection this is most troubling:
> 
> -rws--x--x 1 root root 108416 May  4 19:52 /usr/athena/bin/su
> -rws--x--x 1 root root 105640 May  4 19:52 /usr/athena/bin/otp
> -rws--x--x 1 root root 95840 May  4 19:52 /usr/athena/bin/rlogin
> 
> 
> Are these part of a normal gentoo system running hardened, or is it 
> time to re-install this machine?

Have you tried checking which (if any) packages own these files? Have
you built anything yourself outside of portage that could have installed
them?

Thanks,
Donnie


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [gentoo-user]  Re: hardened: setuid
  2006-07-12 20:03 ` [gentoo-user] " Donnie Berkholz
@ 2006-07-13  1:03   ` James
  2006-07-13  2:48     ` Donnie Berkholz
  0 siblings, 1 reply; 8+ messages in thread
From: James @ 2006-07-13  1:03 UTC (permalink / raw
  To: gentoo-user

Donnie Berkholz <dberkholz <at> gentoo.org> writes:


> > /usr/athena/bin/su
> > /usr/athena/bin/otp
> > /usr/athena/bin/rcp
> > /usr/athena/bin/rsh
> > /usr/athena/bin/rlogin

> > upon greater inspection this is most troubling:

> > -rws--x--x 1 root root 108416 May  4 19:52 /usr/athena/bin/su
> > -rws--x--x 1 root root 105640 May  4 19:52 /usr/athena/bin/otp
> > -rws--x--x 1 root root 95840 May  4 19:52 /usr/athena/bin/rlogin

> > Are these part of a normal gentoo system running hardened, or is it 
> > time to re-install this machine?

> Have you tried checking which (if any) packages own these files? Have
> you built anything yourself outside of portage that could have installed
> them?

Well I used --tree and it revealed nothing.

No this system does not have any cvs or portage overlay packages....


James





-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user]  Re: hardened: setuid
  2006-07-13  1:03   ` [gentoo-user] " James
@ 2006-07-13  2:48     ` Donnie Berkholz
  0 siblings, 0 replies; 8+ messages in thread
From: Donnie Berkholz @ 2006-07-13  2:48 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

James wrote:
> Donnie Berkholz <dberkholz <at> gentoo.org> writes:
>> Have you tried checking which (if any) packages own these files? Have
>> you built anything yourself outside of portage that could have installed
>> them?
> 
> Well I used --tree and it revealed nothing.

--tree? How does it tell you what owns these files? Try something like
equery or qfile (gentoolkit or portage-utils).

Thanks,
Donnie


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2006-07-13 11:02 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-07-12 19:21 [gentoo-user] hardened: setuid James
2006-07-12 19:39 ` Mark Shields
2006-07-12 19:53 ` Mick
2006-07-13  0:59   ` [gentoo-user] " James
2006-07-13 10:54     ` Mick
2006-07-12 20:03 ` [gentoo-user] " Donnie Berkholz
2006-07-13  1:03   ` [gentoo-user] " James
2006-07-13  2:48     ` Donnie Berkholz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox