Replying to myself here; please correct me if I'm wrong... :-d
Alexander Hall wrote:
Hi!
I just got a daily insecurity output indicating a shitload of setuid
changes. A few setuid deletions and a whole lot of rows where the only
change is that the group name is replaced with the numeric group id.
After examining and carefully entering the server (ssh -xa), I came to
the conclusion that something was eating my file descriptors, since
/var/log/messages is filled with:
/bsd: file: table is full
And yes, httpd was eating file descriptors (or so it seems, I cannot be
sure of much at this point).
After restarting httpd (to fix later), a run of /etc/security gave the
inverted insecurity output (i.e. additions + 'group id' => 'group name').
I can see how not being able to open /etc/groups can cause the
mismatching lines in the output, but could someone please explain the
"missing" setuid files so that I can assume that the server was in fact
not hacked?
Ah, I just realized that the missing, and later reappearing, files were
all the set*id files from the directories (/sbin and /usr/X11R6/bin/),
so I suppose find(1) (or so) failed to open those directories while
traversing the file system.
If any of this seems like an ancient problem, I am ashamed to admit
that the machine is in severe need of an upgrade. Without saying more
than that, I hope the question is still valid for an up-to-date
system.
I'd rather not post more information than needed on-list, but I can
email it off-list to any dev, if asked.
It all makes sense to me now, but feel free to confirm or reject my
speculations.
Thank you for taking the time to read all the way here. :-)
/Alexander
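A triage helper for the situation described in this thread, added here as an example and not part of OpenBSD's /etc/security: it compares two ls-style set-id listings (constructed samples), treats a group name that merely turned into its numeric gid as a lookup failure rather than an ownership change, and re-checks "deleted" entries on disk for a surviving set-id bit, which points to a directory the scan could not open. The listing format and the GROUPS table are assumptions.

```python
import os, stat

# Constructed sample listings (ls -l style, path last); not real security(8) output.
BEFORE = """\
-r-sr-xr-x 2 root bin 286972 Mar 3 2008 /usr/bin/chfn
-rwsr-xr-x 1 root wheel 24576 Feb 4 2005 /usr/bin/passwd
-rwsr-xr-x 1 root wheel 32768 Feb 4 2005 /sbin/ping
-rws--x--x 1 root wheel 40960 Feb 4 2005 /usr/X11R6/bin/xterm
"""
AFTER = """\
-r-sr-xr-x 2 root 7 286972 Mar 3 2008 /usr/bin/chfn
-rwsr-xr-x 1 root wheel 24576 Feb 4 2005 /usr/bin/passwd
"""
# Assumed snapshot of /etc/group (name -> gid); a real tool would read that file.
GROUPS = {"wheel": 0, "bin": 7}


def parse(listing):
    """Map path -> (mode, owner, group) from ls -l style lines (path is the last field)."""
    rows = (line.split() for line in listing.splitlines())
    return {f[-1]: (f[0], f[2], f[3]) for f in rows if len(f) >= 9}


def same_group(a, b, groups=GROUPS):
    """True if a and b denote the same group, one of them possibly as a numeric gid."""
    if a == b:
        return True
    ra = groups.get(a, int(a) if a.isdigit() else None)
    rb = groups.get(b, int(b) if b.isdigit() else None)
    return ra is not None and ra == rb


def triage(before, after, groups=GROUPS, stat_fn=os.stat):
    """Classify each path as unchanged, lookup_failure, real_change, traversal_failure, deleted or added."""
    old, new = parse(before), parse(after)
    result = {}
    for path, (mode, owner, group) in old.items():
        if path not in new:
            try:  # a "deleted" file that is still set-id on disk was never reached by the scan
                setid = stat_fn(path).st_mode & (stat.S_ISUID | stat.S_ISGID)
                result[path] = "traversal_failure" if setid else "deleted"
            except OSError:
                result[path] = "deleted"
            continue
        nmode, nowner, ngroup = new[path]
        if (mode, owner) == (nmode, nowner) and same_group(group, ngroup, groups):
            result[path] = "unchanged" if group == ngroup else "lookup_failure"
        else:
            result[path] = "real_change"
    for path in new.keys() - old.keys():
        result[path] = "added"
    return result
```

Anything classified as real_change or deleted still deserves a manual look; the script only strips out the noise that a full file table produces.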