Thank you for clarifying! Yes, I misunderstood what was meant by setuid
change, it makes sense it is checking for any change in a setuid binary.
It may be worth changing the wording in the security(8) message from
    Setuid changes:
to
    Changed setuid binaries:
as this would eliminate ambiguity. ("is it a change in a setuid bit or a
change in a binary that is already setuid?")
On Tue, Apr 11, 2023 at 08:52:09AM -0600, Theo de Raadt wrote:
the man page says:
o Check for changes in setuid/setgid files and devices.
Those setuid binaries did change. They were replaced. The sizes
are different also. That's because there is a libc.a change and
these are static binaries.
the security script is not just reporting whether setuid bits
are being turned on or off.
tetrahe...@danwin1210.de wrote:
Hi all,
security(8) sent me an alert that Setuid changed on /sbin/ping and
/sbin/ping6:
Running security(8):
Setuid changes:
-r-sr-xr-x 2 root bin 347728 Sep 27 17:40:01 2022 /sbin/ping
-r-sr-xr-x 1 root bin 347776 Mar 11 19:42:17 2023 /sbin/ping
-r-sr-xr-x 2 root bin 347728 Sep 27 17:40:01 2022 /sbin/ping6
-r-sr-xr-x 1 root bin 347776 Mar 11 19:42:17 2023 /sbin/ping6
This happened after I installed syspatch 022_resolv (and made no other
changes to the system).
I checked the source code of the 022_resolv patch and I don't see
anything that would affect the /sbin/ping binary.
Did I miss something? Or is this setuid change potentially indicative of
a bigger problem?
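
Added example, not part of the thread and not security(8)'s own code: a short Python sketch that pairs the old and new listing lines from the report quoted above and names the fields that differ, separating a replaced binary from a change to the setuid/setgid bits. The function names and classification labels are assumptions made for illustration, and it assumes regular files listed in the format shown in the report.

```python
from collections import defaultdict
# The four listing lines from the security(8) report quoted in this thread.
REPORT = """\
-r-sr-xr-x 2 root bin 347728 Sep 27 17:40:01 2022 /sbin/ping
-r-sr-xr-x 1 root bin 347776 Mar 11 19:42:17 2023 /sbin/ping
-r-sr-xr-x 2 root bin 347728 Sep 27 17:40:01 2022 /sbin/ping6
-r-sr-xr-x 1 root bin 347776 Mar 11 19:42:17 2023 /sbin/ping6
"""
FIELDS = ("mode", "links", "owner", "group", "size", "mtime")

def parse_line(line):
    """Split one listing line into (path, fields). Assumes regular files;
    device nodes show major/minor numbers instead of a size."""
    parts = line.split(None, 9)
    if len(parts) != 10:
        raise ValueError(f"unexpected listing line: {line!r}")
    values = parts[:5] + [" ".join(parts[5:9])]
    return parts[9], dict(zip(FIELDS, values))

def special_bits(mode):
    """Setuid/setgid state from an ls mode string such as -r-sr-xr-x."""
    return mode[3] in "sS", mode[6] in "sS"

def classify(report):
    """Pair old and new lines per path and label what changed (labels are
    this example's own wording, not security(8) output)."""
    seen = defaultdict(list)
    for line in filter(str.strip, report.splitlines()):
        path, entry = parse_line(line)
        seen[path].append(entry)
    results = {}
    for path, entries in seen.items():
        if len(entries) != 2:
            results[path] = {"changed": [], "kind": "listed once: added or removed"}
            continue
        old, new = entries
        changed = [f for f in FIELDS if old[f] != new[f]]
        if special_bits(old["mode"]) != special_bits(new["mode"]):
            kind = "setuid/setgid bit changed"
        elif {"mode", "owner", "group"} & set(changed):
            kind = "ownership or permissions changed"
        else:
            kind = "file replaced or modified, bits unchanged" if changed else "no difference"
        results[path] = {"changed": changed, "kind": kind}
    return results

if __name__ == "__main__":
    for path, info in classify(REPORT).items():
        print(path, info["kind"], info["changed"])
```

For both /sbin/ping and /sbin/ping6 the mode string is identical in the old and new lines; only the link count, size and modification time differ.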