On 2/28/07, Ben Collins <[EMAIL PROTECTED]> wrote:
> On Wed, 2007-02-28 at 09:40 -0500, Ari Johnson wrote:
> > Package: sxid
> > Version: 4.0.5
> > Severity: normal
> >
> > The sxid program e-mails a list of files every day that it claims have
> > changed md5sums. The list appears to include every suid or sgid file on
> > my system, suggesting that the md5sum comparison performed by sxid
> > simply does not work. I chose a sample from the list (/bin/su) and
> > manually collected the output of md5sum and stat on it both before and
> > after an sxid run. The output of both was identical, other than the
> > last-accessed date from stat.
>
> A sample of the email would be helpful.

Pasted in full (hostname redacted) below:
From: [EMAIL PROTECTED]
Subject: List of changed s[ug]id files and folders
Date: February 28, 2007 11:04:24 AM EST
To: [EMAIL PROTECTED]
sXid Vers : 4.0.5
Check run : Wed Feb 28 11:03:28 2007
This host : myhost.example.com
Searching : /
Excluding : /proc /mnt /cdrom /floppy
Ignore Dirs: /home /var/mail
Forbidden : /home /tmp
Checking for any additions or removals:
Checking for changed attributes or sums/inodes:
m /usr/lib/cgi-bin/mailman/private root:list 2755
m /usr/lib/cgi-bin/mailman/options root:list 2755
m /usr/lib/cgi-bin/mailman/roster root:list 2755
m /usr/lib/cgi-bin/mailman/rmlist root:list 2755
m /usr/lib/cgi-bin/mailman/admindb root:list 2755
m /usr/lib/cgi-bin/mailman/subscribe root:list 2755
m /usr/lib/cgi-bin/mailman/create root:list 2755
m /usr/lib/cgi-bin/mailman/admin root:list 2755
m /usr/lib/cgi-bin/mailman/listinfo root:list 2755
m /usr/lib/cgi-bin/mailman/confirm root:list 2755
m /usr/lib/cgi-bin/mailman/edithtml root:list 2755
m /usr/lib/mailman/mail/mailman root:list 2755
m /bin/su root:root 4755
m /bin/ping root:root 4755
m /bin/mount root:root 4755
m /bin/ping6 root:root 4755
m /bin/umount root:root 4755
m /usr/bin/X root:root 6755
m /usr/bin/at daemon:daemon 6755
m /usr/bin/gpg root:root 4755
m /usr/bin/chfn root:root 4755
m /usr/bin/chsh root:root 4755
m /usr/bin/sudo root:root 4755
m /usr/bin/wall root:tty 2755
m /usr/bin/crontab root:crontab 2755
m /usr/bin/chage root:shadow 2755
m /usr/bin/ssh-agent root:ssh 2755
m /usr/bin/dotlockfile root:mail 2755
m /usr/bin/slocate root:slocate 2755
m /usr/bin/expiry root:shadow 2755
m /usr/bin/newgrp root:root 4755
m /usr/bin/passwd root:root 4755
m /usr/bin/gpasswd root:root 4755
m /usr/bin/screen root:utmp 2755
m /usr/bin/traceroute.lbl root:root 4755
m /usr/bin/mutt_dotlock root:mail 2755
m /usr/bin/mail-lock root:mail 2755
m /usr/bin/sudoedit root:root 4755
m /usr/bin/bsd-write root:tty 2755
m /usr/lib/emacs/21.4/x86_64-linux-gnu/movemail root:mail 2755
m /usr/lib/libfakeroot-tcp.so root:root 4644
m /usr/lib/libfakeroot-sysv.so root:root 4644
m /usr/lib/apache2/suexec root:root 4755
m /usr/lib/openssh/ssh-keysign root:root 4755
m /usr/lib/pt_chown root:root 4755
m /usr/sbin/postdrop root:postdrop 2555
m /usr/sbin/postqueue root:postdrop 2555
m /usr/local/sbin/archivemaildir root:www-data 4750
m /usr/local/sbin/virtual_filter_wrapper root:mail 4750
m /usr/local/sbin/newmaildir root:www-data 4750
m /sbin/unix_chkpwd root:root 4555
Checking for no user/group matches:
Checking for forbidden s[ug]id items:
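
The manual check described in the report (md5sum and stat on /bin/su before and after an sxid run) can be repeated for every path the e-mail lists. The following is an added example, not part of the original thread and not sxid's own code; the function names are hypothetical, and it assumes the leading `m` marks the entries sxid reports as changed.

```python
import hashlib, os, re, stat

# Constructed sample: two entries copied from the report format shown above.
SAMPLE_REPORT = """Checking for changed attributes or sums/inodes:
m /bin/su root:root 4755
m /usr/bin/wall root:tty 2755
Checking for no user/group matches:
"""

# One report entry: flag, absolute path, owner:group, octal mode.
REPORT_LINE = re.compile(r"^(\S+)\s+(/\S+)\s+[^\s:]+:\S+\s+([0-7]{3,4})$")

def parse_report(text):
    """Return {path: mode} for every entry flagged 'm' in an sXid report."""
    entries = {}
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m and m.group(1) == "m":
            entries[m.group(2)] = m.group(3)
    return entries

def fingerprint(path):
    """Independent record of owner, mode, inode and md5 (atime is ignored)."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.md5()  # md5 only to mirror the md5sum comparison in the report
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"uid": st.st_uid, "gid": st.st_gid, "inode": st.st_ino,
            "mode": format(stat.S_IMODE(st.st_mode), "o"), "md5": digest}

def snapshot(paths):
    """Fingerprint every path that exists; take one before and one after the run."""
    return {p: fingerprint(p) for p in paths if os.path.lexists(p)}

def triage(report_text, before, after):
    """Map each reported path to the fields that really differ between snapshots."""
    result = {}
    for path in parse_report(report_text):
        if path not in before or path not in after:
            result[path] = ["missing"]
        else:
            result[path] = [k for k in before[path] if before[path][k] != after[path][k]]
    return result
```

A path that maps to an empty list was reported but did not change between the two snapshots, which is the situation described for /bin/su.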