Re: Things changing overnight

2003-08-14 Thread Jamin W. Collins
On Sun, Aug 10, 2003 at 01:42:43PM -0500, David wrote:
 
> On investigation, I found that when pppd (I think it was) starts up,
> the permissions for the port are reduced, and are _supposed_ to be
> restored.. I decided that for some reason, pppd didn't restore the
> permissions after shutdown..
>
> One possibility for this.. I cannot recall the exact procedure, but I
> believe that pppd stores the original setting for the permissions..
> perhaps I tried to start pppd while I had a pppd session open.. the
> second pppd may have overwritten the saved permission with the
> current, which would have been the reduced permission and this would
> have been what the original pppd would have restored to..  My modem
> is ttyS1, so I just set the permissions to that of the other ttyS's
> and the problem hasn't happened again.

Sounds like a bug either way. 

-- 
Jamin W. Collins

This is the typical unix way of doing things: you string together lots
of very specific tools to accomplish larger tasks. -- Vineet Kumar


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Things changing overnight

2003-08-14 Thread Joey Hess
Jamin W. Collins wrote:
> Sounds like a bug either way.

Bugs #22284, #36789, #51974, #62567, #74789, in fact. The first is worth
a read.

-- 
see shy jo




Re: Things changing overnight

2003-08-14 Thread Colin Watson
On Sat, Aug 09, 2003 at 10:47:27PM -0700, Ken Bloom wrote:
> Sometime in the past few days, my modem /dev/ttyS4 changed its
> permissions from 660 to 640 without my intervention. My first question:
> is there any kind of security package on debian that might have done
> this as a cronjob? I don't use devfs.
>
> When asking on #debian, a user suggested that I check my logs to see if
> I had been hacked.

*sigh* Such a typical #debian knee-jerk response. Why would a cracker
want to reduce the permissions on a device, and a fairly innocuous one
at that? By a single bit? Don't panic; this is vanishingly unlikely and
you definitely shouldn't go off and reinstall on the word of somebody on
IRC who gives that answer to everything out of the ordinary.

> I found in /var/logs/auth.log that the command `su` had been run to
> switch from user `root` to user `nobody` at 3:35 this morning,

That's a standard cron job reducing privileges in a slightly noisy way.
Don't worry about it.

I have no specific suggestions, unfortunately, but if I were you, I'd
start grepping for 'ttyS' in /etc and start there. Assuming you haven't
changed the permissions back, you could also install the 'stat' package,
type 'stat /dev/ttyS4', and look at the Change: line; that'll tell you
when the change happened, and perhaps you could use that time to isolate
a particular cron job (or at least a particular class of cron jobs - see
/etc/crontab or /etc/anacrontab). If you have changed them back, then
wait until it happens again - since it probably will - and start
investigating then.

> please cc: me as I am not subscribed to this high-volume mailing list

If you could include an appropriate Mail-Followup-To: header so that
some people's mailers will do that automatically, it would be helpful.

Cheers,

-- 
Colin Watson  [EMAIL PROTECTED]
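
The triage steps suggested in the message above (grep /etc for the device name, read the Change: time from stat, match it against cron schedules), as an added example that is not part of the original post. It assumes GNU coreutils `stat`; the function names, the sample crontab and the times in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat and the
# system crontab layout: minute hour dom mon dow user command.

# Files under a directory (default /etc) that mention a device name.
refs_to() {            # $1=name, e.g. ttyS4   $2=directory
    grep -rIl -- "$1" "${2:-/etc}" 2>/dev/null
}

# Octal mode and HH:MM of the last inode change (stat's "Change:" line).
mode_and_ctime() {     # $1=path
    stat -c '%a %z' "$1" | awk '{ print $1, substr($3, 1, 5) }'
}

# Crontab entries with a fixed minute and hour that fire at most WINDOW
# minutes before HH:MM. Day fields are not evaluated and midnight wrap is
# ignored, so the output is a list of candidates to read, not a verdict.
cron_candidates() {    # $1=crontab file  $2=HH:MM  $3=window in minutes
    awk -v t="$2" -v w="$3" '
        BEGIN { split(t, p, ":"); at = p[1] * 60 + p[2] }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            d = at - ($2 * 60 + $1)
            if (d >= 0 && d <= w) print
        }' "$1"
}

# Constructed sample crontab, for trying cron_candidates offline.
sample_crontab() {
    cat <<'EOF'
SHELL=/bin/sh
# m h dom mon dow user command
25 6 * * * root run-parts --report /etc/cron.daily
47 6 * * 7 root run-parts --report /etc/cron.weekly
*/15 * * * * root /usr/local/sbin/constructed-poller
EOF
}

# Typical use on the affected host:
#   mode_and_ctime /dev/ttyS4
#   refs_to ttyS4
#   cron_candidates /etc/crontab "$(mode_and_ctime /dev/ttyS4 | cut -d' ' -f2)" 15
```

Entries with `*`, ranges or steps in the minute or hour field are skipped by `cron_candidates` and still need reading by hand, as do the scripts that `run-parts` would launch.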





Things changing overnight

2003-08-14 Thread Ken Bloom
Sometime in the past few days, my modem /dev/ttyS4 changed its 
permissions from 660 to 640 without my intervention. My first question: 
is there any kind of security package on debian that might have done 
this as a cronjob? I don't use devfs.

When asking on #debian, a user suggested that I check my logs to see if 
I had been hacked. I found in /var/logs/auth.log that the command `su` 
had been run to switch from user `root` to user `nobody` at 3:35 this 
morning, a time when I was not connected to the internet (I use ppp to 
connect through my modem). My second question: any idea what might have 
done this? (obviously, I'd like to avoid a reinstall)

(I can't seem to find any cronjob that would be doing this, but it 
would help if you had any suggestions)

please cc: me as I am not subscribed to this high-volume mailing list

--
I usually have a GPG digital signature included as an attachment.
If you don't know what it is, either ignore it or visit www.gnupg.org
My PGP key was last signed 6/10/2003 please download my key again if
it is more recent than your copy. If you use GPG, *please* talk to
me to sign it. The key is keyID E2B2CAD1 on pgp.mit.edu



Re: Things changing overnight

2003-08-12 Thread David
On Sat, Aug 09, 2003 at 10:47:27PM -0700, Ken Bloom wrote:
> Sometime in the past few days, my modem /dev/ttyS4 changed its
> permissions from 660 to 640 without my intervention. My first question:
> is there any kind of security package on debian that might have done
> this as a cronjob? I don't use devfs.

I had this happen a while back.  Not sure about the exact permissions,
but my permissions for my serial port were reduced and I couldn't access
it due to this.

On investigation, I found that when pppd (I think it was) starts up,
the permissions for the port are reduced, and are _supposed_ to be
restored.. I decided that for some reason, pppd didn't restore the
permissions after shutdown..

One possibility for this.. I cannot recall the exact procedure, but I
believe that pppd stores the original setting for the permissions..
perhaps I tried to start pppd while I had a pppd session open.. the
second pppd may have overwritten the saved permission with the current,
which would have been the reduced permission and this would have been
what the original pppd would have restored to..  My modem is ttyS1, so
I just set the permissions to that of the other ttyS's and the problem
hasn't happened again.
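
A model of the failure mode hypothesized in the message above, as an added example that is not pppd's code and not part of the original post: two overlapping sessions share one saved-mode slot, each reduces the mode on start and restores from the slot on exit. It runs against a scratch file, assumes GNU coreutils `stat`, and all names in it are hypothetical; the `guarded` variant keeps the first saved value instead of overwriting it.

```shell
#!/bin/sh
# Model of the save/restore hypothesis: overlapping sessions share one
# "saved mode" slot. Not pppd's code; touches only a scratch file.
# Assumes GNU coreutils stat (-c %a).

session_start() {   # $1=device  $2=slot file  $3=naive|guarded
    if [ "$3" = guarded ] && [ -s "$2" ]; then
        :           # a saved mode already exists: do not overwrite it
    else
        stat -c %a "$1" > "$2"      # naive: always save the current mode
    fi
    chmod g-w "$1"                  # reduce permissions for the session
}

session_stop() {    # $1=device  $2=slot file
    chmod "$(cat "$2")" "$1"        # restore whatever the slot holds
}

# Run two overlapping sessions and print the mode left behind.
run_overlap() {     # $1=naive|guarded
    dir=$(mktemp -d) || return 1
    dev=$dir/ttyS-scratch
    slot=$dir/saved-mode
    : > "$dev"
    chmod 660 "$dev"
    session_start "$dev" "$slot" "$1"   # first session: saves 660, sets 640
    session_start "$dev" "$slot" "$1"   # second starts while first is open
    session_stop  "$dev" "$slot"        # second exits
    session_stop  "$dev" "$slot"        # first exits
    stat -c %a "$dev"
    rm -rf "$dir"
}

echo "naive: $(run_overlap naive)  guarded: $(run_overlap guarded)"
```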

