Re: changed /dev/ttys is this normal?

From: Peter Pentchev (roam@ringlet.net)
Date: 08/29/01 

Date: Wed, 29 Aug 2001 16:59:06 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Fernan Aguero <fernan@iib.unsam.edu.ar>

On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> Hi
>
> I started using tripwire to monitor for changed files on my system.
> I noticed that /dev/console and /dev/ttys were changed and the
> tripwire report showed the following:
>
> [...]
>
> Modified object name: /dev/console
>
> Property: Expected Observed
> ------------- ----------- -----------
> Object Type Character Device Character Device
> Device Number 160768 160768
> Inode Number 7208 7208
> Mode crw--w--w- crw--w--w-
> Num Links 1 1
> * UID fernan (1001) root (0)
> GID wheel (0) wheel (0)
[snip]
>
> Is this normal? If so, is it safe to change tripwire's policy to
> ignore this changes?

Yes, this is normal - the owner of a terminal device is always
set to the user who has logged in, so he can open it and perform
reads/writes/ioctls on it.

I believe that it should be safe to have tripwire ignore terminal
devices :)

G'luck,
Peter 

-- 
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message