Hi!
I just got a daily insecurity output indicating a shitload of setuid
changes. A few setuid deletions and a whole lot of rows where the only
change is that the group name is replaced with the numeric group id.
After examining and carefully entering the server (ssh -xa), I came to
the conclusion that something was eating my file descriptors, since
/var/log/messages is filled with:
/bsd: file: table is full
And yes, httpd was eating file descriptors (or so it seems, I cannot be
sure of much at this point).
After restarting httpd (to fix later), a run of /etc/security gave the
inverted insecurity output (i.e. additions + 'group id' => 'group name').
I can see how not being able to open /etc/groups can cause the
mismatching lines in the output, but could someone please explain the
"missing" setuid files so that I can assume that the server was in fact
not hacked?
If any of this seems like an ancient problem, I am ashamed to admit
that the machine is in severe need of an upgrade. Without saying more
than that, I hope the question is still valid for an up-to-date
system.
I'd rather not post more information than needed on-list, but I can
email it off-list to any dev, if asked.
/Alexander
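As an added example (not from Alexander's post or from OpenBSD's security(8) script), here is a small Python triage helper for the kind of setuid diff described above: a pair of lines where the group column has merely turned into that same group's numeric gid is classified as lookup noise, while any other difference (mode, owner, size, or a genuinely different group) is flagged as a real change worth investigating. The "<"/">" line format, the sample lines and the group table are constructed assumptions, not output copied from a real system.

```python
import re

# Constructed sample in ls -l style (format assumed): "<" is the saved
# baseline, ">" the current run. The first pair is the symptom from the post
# (group name replaced by its own gid), the others are genuine changes.
SAMPLE = """\
< -r-sr-xr-x  1 root  bin     80184 Mar 12  2003 /usr/bin/su
> -r-sr-xr-x  1 root  7       80184 Mar 12  2003 /usr/bin/su
< -r-sr-xr-x  1 root  wheel   21024 Mar 12  2003 /usr/bin/passwd
> -rwsr-xr-x  1 root  wheel   21024 Mar 12  2003 /usr/bin/passwd
< -r-sr-xr-x  1 root  bin     19000 Mar 12  2003 /usr/bin/chsh
> -r-sr-xr-x  1 root  0       19000 Mar 12  2003 /usr/bin/chsh
"""

# Constructed group table standing in for /etc/group; a real check would
# resolve names with grp.getgrnam() on a machine whose lookups work.
GROUPS = {"wheel": 0, "bin": 7}

LINE = re.compile(
    r"^([<>])\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s+(/\S+)$")

def parse(line):
    """Split one diff line into its fields; raise on anything unexpected."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unparsable line: " + line)
    side, mode, links, owner, group, size, date, path = m.groups()
    return dict(side=side, mode=mode, owner=owner, group=group,
                size=size, path=path)

def classify(old, new, groups):
    """'lookup-noise' if the only change is group name -> its own gid."""
    diffs = [k for k in ("mode", "owner", "size") if old[k] != new[k]]
    if diffs:
        return "real-change: " + ",".join(diffs)
    if old["group"] == new["group"]:
        return "identical"
    if new["group"].isdigit() and groups.get(old["group"]) == int(new["group"]):
        return "lookup-noise"
    return "real-change: group"

def triage(text, groups=GROUPS):
    """Map each path present on both sides of the diff to a verdict."""
    rows = [parse(l) for l in text.splitlines() if l.strip()]
    olds = {r["path"]: r for r in rows if r["side"] == "<"}
    news = {r["path"]: r for r in rows if r["side"] == ">"}
    return {p: classify(olds[p], news[p], groups) for p in olds if p in news}

if __name__ == "__main__":
    for path, verdict in sorted(triage(SAMPLE).items()):
        print(f"{verdict:22} {path}")
```

Paths that appear on only one side (the additions and deletions the post mentions) are deliberately left out of the verdict map, since a missing line says nothing about whether the file itself changed.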