SUMMARY: Question about scary process ownership

From: Alaric S. Haag - IMRlab System Manager and part-time Visigoth <system_at_imr00.me.lsu.edu>
Date: Tue, 09 May 1995 17:54:41 CDT

Hello again!

Original post:

>Can someone more knowledgeable than I tell me from the excerpt of
>(ps -ef) listed below, whether I'm being "hacked" or not? The
>process owner has been wiped out with "??????" to protect the
>innocent (who knows, he might be reading this!). I'm wondering
>about the process line
>
>root 22014 22006 0.0 13:21:16 ?? 0:00.26 /usr/bin/X11/xterm -ls
>
> [...deletia...]

The answer lies in the fact that xterm is a program that is
"suid root" which means, as I understand it, that it is run as
root to gain certain priv's that it needs (see Jim Wright's
response below). It is not cause for alarm. (Clearly, it's back to
the Unix books for me...)

Thanks to all who responded, as well as those whose response didn't
get to me before I summarized.

Great group!!!!


Ric
%^{)

----
[ Alaric S. Haag, Computer Manager                      haag_at_imr00.me.lsu.edu ]
[ Louisiana State University, Mech. Engr. Dept.         FAX:   (504) 388-5924 ]
[ Baton Rouge, LA 70803                            Opinions:   (504) 388-5897 ]
                       "I've got dust in my mind's eye!!" - Me
Responses follow:
=================================================================
From:	MX%"orman_at_cnde.iastate.edu"  9-MAY-1995 17:10:09.76
[...deletia...]
hmm could be because xterm is suid root on alphas.
alphaone:X11 5:03pm>ls -l xterm
-rwsr-xr-x   1 root     bin       221184 Feb  3 00:51 xterm*
alphaone:X11 5:03pm>pwd
/usr/bin/X11
-- 
       _______    ___       _________  +------------------------------------+
      /\______\  /\__\     /\________\ |           David L Orman            |
     / /  ___  \/ /  /    / /  ___   / |         orman_at_iastate.edu          |
    / /  /   \  \/  /    / /  /  /  /  |     Systems Administrator CNDE     |
   / /  /   /   /  /___ / /  /  /  /   | ----------- Iowa State ----------- |
  / /  /___/   /  /____\ /  /__/  /    |Center For NonDestructive Evaluation|
  \/__________/_________/________/     |____________________________________|
=================================================================
From:	MX%"jwright_at_phy.ucsf.edu"  9-MAY-1995 17:25:32.89
[...deletia...]
% lsl /usr/bin/X11/xterm
-rwsr-xr-x   1 root     bin       229376 Feb 22  1994 /usr/bin/X11/xterm*
xterm is suid root.  of course it will run as root.  why have such a
bloated, insecure program suid root?  so it can update /var/adm/utmp.
whether this is reasonable is a long argument.
looks like the man page doesn't discuss this, even though it has a
section on "security".
Jim Wright                   Keck Center for Integrative Neuroscience
jwright_at_phy.ucsf.edu         Department of Physiology, Box 0444
voice 415-502-4874           513 Parnassus Ave, Room HSE-811
fax   415-502-4848           UCSF, San Francisco, CA  94143-0444
=================================================================
From:	MX%"SEB_at_LNS62.LNS.CORNELL.EDU"  9-MAY-1995 17:25:59.41
[...deletia...]
Ric,
Well, I'm not saying it isn't something to be concerned about,
but when I did a "ps -ef" from my personal nonpriv'd account
on an Alpha/osf system here, I discovered that the process running 
"ps -ef" was shown as root.
Please be sure to let us know what you learn.
sigh.
Selden
Received on Tue May 09 1995 - 18:50:09 NZST
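
An added example (not part of the original thread): a POSIX shell check that tests whether a root-owned process line, like the xterm line in the original post, is accounted for by the setuid bit on its binary. The function names are hypothetical, and it assumes the `ps -ef` column layout quoted in the post, with the command path in the eighth field.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Classify one `ls -l` line by the owner-execute slot of its mode string:
# 's' = setuid and executable, 'S' = setuid without owner execute.
classify_ls_line() {
    printf '%s\n' "$1" | awk '{
        bit = substr($1, 4, 1)
        if (bit == "s")      print "setuid:" $3
        else if (bit == "S") print "setuid-no-exec:" $3
        else                 print "not-setuid"
    }'
}

# Same classification for a file on this host.
check_binary() {
    classify_ls_line "$(ls -ld -- "$1")"
}

# Given one `ps -ef` line (assumed layout: owner in field 1, command path
# in field 8, as in the line quoted in the post), report whether the
# process owner is accounted for by a setuid bit on the binary.
explain_ps_line() {
    owner=$(printf '%s\n' "$1" | awk '{print $1}')
    cmd=$(printf '%s\n' "$1" | awk '{print $8}')
    if [ ! -e "$cmd" ]; then
        echo "unknown: $cmd not found on this host"
        return 0
    fi
    verdict=$(check_binary "$cmd")
    case "$verdict" in
        "setuid:$owner") echo "explained: $cmd is setuid $owner" ;;
        *) echo "not explained by setuid: $cmd is $verdict, process runs as $owner" ;;
    esac
}

# The two lines quoted in the thread.
classify_ls_line '-rwsr-xr-x   1 root     bin       221184 Feb  3 00:51 xterm*'
explain_ps_line 'root 22014 22006 0.0 13:21:16 ?? 0:00.26 /usr/bin/X11/xterm -ls'
```

The second call reports on whatever `/usr/bin/X11/xterm` is on the host where it runs, or says the path is missing.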
