
BLU Discuss list archive



Should these files be setuid?



Yesterday, David Kramer gleaned this insight:

> A system change monitoring tool I am using flagged these files as having
> been changed to setuid.  Now this tool often reports false positives, so
> I am not assured of this, but I could not find any docs on these files,
> either.
> 
> -r-sr-xr-x   1 root     root        15752 Jul 21  2000 pwdb_chkpwd
> -r-sr-xr-x   1 root     root        16376 Jul 21  2000 unix_chkpwd
> 
> I checked another (older) machine, which had pwdb_chkpwd with the same
> permissions, but unix_chkpwd was not there.  There were no man pages,
> but a find/grep on /usr/doc showed that pwdb_chkpwd was part of PAM.
> unix_chkpwd was not found anywhere.
> 
> Any thoughts?

[ddm@sol ddm]$ find /sbin /usr -name "*chkpwd"
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd

[ddm@sol ddm]$ ls -l /sbin/*chkpwd
-r-sr-xr-x    1 root     root        15752 Jul 21  2000 /sbin/pwdb_chkpwd*
-r-sr-xr-x    1 root     root        16376 Jul 21  2000 /sbin/unix_chkpwd*

[ddm@sol ddm]$ rpm -qf /sbin/unix_chkpwd
pam-0.72-20
[ddm@sol ddm]$ rpm -qf /sbin/pwdb_chkpwd
pam-0.72-20


Looks like mine is set up the same as yours, and they're both a part of
PAM, so it's no major surprise they're SUID.  This is RH6.2, BTW.  You can
use RPM (if your system uses RPM) to check whether or not they've been
modified, a la:

  rpm -V pam

which on my system comes back with no mention of these files, indicating
that they haven't been changed (or possibly that my RPM database or the
rpm command itself has been tampered with, but that's extremely unlikely
on this system, and I'd most likely have noticed it if it were).


-- 
You know that everytime I try to go where I really want to be,
It's already where I am, cuz I'm already there...
------------------
Derek D. Martin
Unix/Linux Geek
ddm at pizzashack.org
------------------
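
Added example, not part of the original message: a shell helper that reads `rpm -V` output and reports, for one specific file, which attributes differ from the RPM database, so a setuid change shows up as "mode" and a file that is not mentioned shows up as "unchanged". The names `verify_status`, `check_suid` and `SAMPLE_VERIFY` are hypothetical, and the sample output is constructed.

```bash
#!/bin/sh
# Constructed sample of `rpm -V pam` output (not from the original post).
# Each line: attribute flags, optional file-type marker (c = config), path.
SAMPLE_VERIFY='S.5....T.  c /etc/pam.d/login
.M.......    /sbin/unix_chkpwd
missing     /usr/share/doc/pam/README'

# verify_status PATH   (reads `rpm -V` output on stdin)
# Prints "unchanged" if PATH is not mentioned, "missing" if rpm reports it
# missing, otherwise the attributes that differ from the RPM database.
# Assumes the path contains no whitespace.
verify_status() {
    awk -v target="$1" '
        BEGIN { n["S"]="size"; n["M"]="mode"; n["5"]="digest"; n["D"]="device"
                n["L"]="symlink"; n["U"]="owner"; n["G"]="group"
                n["T"]="mtime"; n["P"]="capabilities"
                result = "unchanged" }
        $NF == target {
            if ($1 == "missing") { result = "missing"; next }
            result = ""
            for (i = 1; i <= length($1); i++) {
                c = substr($1, i, 1)
                if (c in n) result = result (result == "" ? "" : ",") n[c]
            }
            # Only "." or "?" flags: rpm could not perform the tests.
            if (result == "") result = "unknown"
        }
        END { print result }'
}

# check_suid FILE...: on an RPM-based system, report the owning package and
# the verify status of each file. Not called here, so the script runs offline.
check_suid() {
    for f in "$@"; do
        pkg=$(rpm -qf "$f") || { echo "$f: not owned by any package"; continue; }
        echo "$f ($pkg): $(rpm -Vf "$f" | verify_status "$f")"
    done
}

# Demo on the constructed sample.
for f in /sbin/pwdb_chkpwd /sbin/unix_chkpwd; do
    echo "$f: $(printf '%s\n' "$SAMPLE_VERIFY" | verify_status "$f")"
done
```

On a real system, `check_suid /sbin/pwdb_chkpwd /sbin/unix_chkpwd` runs the same check against the live RPM database, with the same caveat the message gives about trusting that database and the rpm binary.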







BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
