Re: changed /dev/ttys is this normal?
From: Peter Pentchev (roam@ringlet.net)
Date: 08/29/01
- Next message: Karsten W. Rohrbach: "Re: changed /dev/ttys is this normal?"
- Previous message: Peter Pentchev: "Re: changed /dev/ttys is this normal?"
- In reply to: Peter Pentchev: "Re: changed /dev/ttys is this normal?"
- Next in thread: Karsten W. Rohrbach: "Re: changed /dev/ttys is this normal?"
- Reply: Karsten W. Rohrbach: "Re: changed /dev/ttys is this normal?"
- Reply: Cy Schubert - ITSD Open Systems Group: "Re: changed /dev/ttys is this normal?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Aug 2001 17:11:25 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Fernan Aguero <fernan@iib.unsam.edu.ar>
On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > Hi
> >
> > I started using tripwire to monitor for changed files on my system.
> > I noticed that /dev/console and /dev/ttys were changed and the
> > tripwire report showed the following:
> >
> > [...]
> >
> > Modified object name: /dev/console
> >
> > Property:       Expected            Observed
> > -------------   -----------         -----------
> > Object Type     Character Device    Character Device
> > Device Number   160768              160768
> > Inode Number    7208                7208
> > Mode            crw--w--w-          crw--w--w-
> > Num Links       1                   1
> > * UID           fernan (1001)       root (0)
> > GID             wheel (0)           wheel (0)
> [snip]
> >
> > Is this normal? If so, is it safe to change tripwire's policy to
> > ignore these changes?
>
> Yes, this is normal - the owner of a terminal device is always
> set to the user who has logged in, so he can open it and perform
> reads/writes/ioctls on it.
>
> I believe that it should be safe to have tripwire ignore terminal
> devices :)
..but actually, it might be wise if Tripwire would warn you about
changes in *anything* but the owner on terminal devices. Also,
it would be wise to have it warn you for the appearance of *new*
files looking like terminal devices. I've seen more than one
rootkit which installed a setuid shell or a config file or whatever
as /dev/ttySomething, or as a replacement for one of the higher-numbered
tty devices (in the hope that those are reached only very rarely,
and this would go unnoticed for quite some time).
G'luck,
Peter
-- 
This sentence claims to be an Epimenides paradox, but it is lying.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
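A check along the lines Peter suggests, written as an added example for this page (not code from the thread or from Tripwire): it compares two constructed snapshots of /dev, lets the owner of a tty-like character device change silently, and reports any other change on such a device as well as any new object whose name looks like a terminal. DevEntry, TTY_NAME and the sample entries are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Simplified stand-in for the properties Tripwire reports per object
# (constructed for this example; a real baseline carries more fields).
class DevEntry(NamedTuple):
    obj_type: str   # "Character Device", "Regular File", ...
    devnum: int
    inode: int
    mode: str       # ls -l style, e.g. "crw--w--w-"
    nlinks: int
    uid: str        # "fernan (1001)"
    gid: str
CHARDEV = "Character Device"
# Assumed pattern for terminal-like names; adjust to the local /dev layout.
TTY_NAME = re.compile(r"^/dev/(console|tty[A-Za-z0-9]+|pty[a-z0-9]+)$")

def check_dev(baseline: dict, observed: dict) -> list:
    # On tty-like character devices only the owner may change silently
    # (login chowns the tty); anything else, and new tty-like objects, is reported.
    findings = []
    for path, now in sorted(observed.items()):
        tty_like = TTY_NAME.match(path) is not None
        before = baseline.get(path)
        if before is None:
            tag = "NEW tty-like object" if tty_like else "NEW object"
            findings.append(f"{tag} {path}: {now.obj_type}, mode {now.mode}")
            continue
        for name in DevEntry._fields:
            b, n = getattr(before, name), getattr(now, name)
            if b == n:
                continue
            if tty_like and name == "uid" and before.obj_type == now.obj_type == CHARDEV:
                continue  # expected: the logged-in user now owns the terminal
            findings.append(f"CHANGED {path}: {name} {b} -> {n}")
    findings += [f"MISSING {p}" for p in sorted(baseline) if p not in observed]
    return findings

def sample_findings() -> list:
    # Constructed snapshots: the benign chown from the report, a tty node
    # replaced by a setuid regular file, and a new file named like a tty.
    base = {
        "/dev/console": DevEntry(CHARDEV, 160768, 7208, "crw--w--w-", 1, "fernan (1001)", "wheel (0)"),
        "/dev/ttyv7": DevEntry(CHARDEV, 3072, 7310, "crw--w--w-", 1, "root (0)", "wheel (0)"),
    }
    seen = {
        "/dev/console": DevEntry(CHARDEV, 160768, 7208, "crw--w--w-", 1, "root (0)", "wheel (0)"),
        "/dev/ttyv7": DevEntry("Regular File", 0, 9981, "-rwsr-xr-x", 1, "root (0)", "wheel (0)"),
        "/dev/ttyp9": DevEntry("Regular File", 0, 9982, "-rw-r--r--", 1, "root (0)", "wheel (0)"),
    }
    return check_dev(base, seen)
```

The console chown from the original report produces no finding, while the replaced ttyv7 node and the new ttyp9 file are both reported.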