Subject: Re: setuid and setgid
From: Liviu Daia (Liviu.Daia@imar.ro)
Date: Wed Jun 21 2000 - 09:45:32 CDT


On 21 June 2000, Marek Habersack <grendel@vip.net.pl> wrote:
> ** On Jun 21, Bennett Todd scribbled:
> >
> > 2000-06-20-21:14:34 erekose:
> > > Sorry for asking this but I notice that my system suddenly
> > > detected that /usr/sbin/sendmail is setuid and setgid ... is this
> > > the default permission when postfix installed ??
> >
> > Nope. And it should not be that way. Something has screwed it up.
> >
> > I've seen this happen when a Red Hat Linux system had linuxconf
> > installed (something I never do:-); it has a config file in it,
> > which doesn't get removed when you "rpm -e sendmail", that sets
> > /usr/sbin/sendmail to suid at reboot time.
>
> I don't know about RedHat, don't even know whether the original
> poster uses Linux, but if I were in his shoes then I'd check whether
> the system wasn't compromised by some wannabe hacker thinking that
> /usr/sbin/sendmail *IS* Sendmail and trying to leave himself some
> backdoor.

    Some Linux distributions (f.i. SuSE) have a cron job that monitors
permissions and ownership of certain files, and resets them to (what it
considers to be) the defaults when it finds them changed. You might
want to look into that too.

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia               e-mail:   Liviu.Daia@imar.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc