
Re: Exploit in Upgrade Chain?



600 on /etc is technically more secure than the default 755 with normal POSIX systems, not less. If this is an exploit, it's one that locks things down tighter than they should normally be. :) Giacomo is correct that these incorrect perms can cause other issues, though not security related ones that I can think of.

Are there a different set of perms you had set on /etc manually? Any other indication that you've been exploited, or just a hunch based on circumstantial weirdness based on unexpected /etc privs and bastille?

Best regards,
-Chris

Boyd Stephen Smith Jr. wrote:
> On Wednesday 11 February 2009 23:26:45 Stan Katz wrote:
> > I updated/upgraded both my AMD64 and AMD k6 "Etch" machines between Feb
> > 10-11, 2009 using "Lenny" test. Both picked up a symptom I haven't seen
> > since the lpd exploit of the 1990's. This symptom manifests itself as
> > either a random escalation of the etc directory mode up to 600, or a
> > consistent escalation to mode 600 upon reboot.
>
> My /etc is mode 755. Why would that be a problem? Some user/programs may need to read data out of the directory and root (the owner of my /etc) certainly needs write permissions.
>
> > I don't remember why the lpd
> > exploit did this. If this is an exploit, it shakes my confidence in debian
> > online updating.
>
> I don't see how a 600 /etc can be exploited. Do you have any other records that would indicate you are exploited, or is this just fear-mongering?
>
> > Also, the Bastille firewall on the
> > AMD64 began locking down port 80 after about 10min of operation. Adding 80
> > to all interfaces didn't help. Only shutting down Bastille cleared the
> > block.
>
> Sounds like a bug in Bastille. Can you reproduce reliably? Have you checked your configuration? If both, have you filed a bug yet?
>
> > I fear this is another indication of the exploit.
>
> How/Why would these be related?
>
> > Has anyone else experienced this misbehavior after an upgrade?
>
> Not here. I've been running Lenny for a number of months.
>
> > Any
> > suggestions, other than a complete disk wipe on both machines? In any case,
> > where would I go for a trusted rebuild, if there truly is a saboteur in the
> > ranks of the Debian maintainers?
>
> I'm forwarding to debian-security; perhaps they will have suggestions. This topic is more appropriate for that list than debian-user anyway.
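On the question raised above of whether a 600 /etc is a problem, here is an added shell check, not code from any poster in this thread, that reports a directory's mode against the expected Debian default of 755 and tells a harmless deviation apart from one that drops the "other" search bit (which is what stops unprivileged processes from reaching /etc/passwd or /etc/resolv.conf). It assumes GNU coreutils `stat`, as shipped on Debian; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory's mode, e.g. /etc,
# against an expected value and report whether unprivileged processes can
# still traverse it. Assumes GNU coreutils stat (Debian).

# dir_mode_check DIR [EXPECTED]   EXPECTED defaults to 755 (Debian /etc default)
# Return codes:
#   0  mode equals EXPECTED
#   1  mode differs, but "other" still has execute (search) permission,
#      so non-root processes can still open files below DIR
#   2  mode differs and "other" lacks execute: for /etc this means non-root
#      user/group lookups and resolver config reads will start failing
#   3  DIR could not be stat'ed
dir_mode_check() {
    dir=$1
    expected=${2:-755}
    actual=$(stat -c '%a' "$dir" 2>/dev/null) || return 3
    printf '%s: mode %s (expected %s)\n' "$dir" "$actual" "$expected"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    # Last octal digit is the "other" triplet (rwx); bit 1 of it is execute.
    other=${actual#"${actual%?}"}
    if [ $(( other & 1 )) -eq 1 ]; then
        return 1
    fi
    return 2
}

# Wrapper for the exact case discussed in the thread.
etc_check() {
    dir_mode_check /etc 755
}

# Run against the directory given on the command line, e.g. ./check.sh /etc
if [ "$#" -gt 0 ]; then
    dir_mode_check "$@"
fi
```

A reboot-time or cron invocation of `etc_check` with a non-zero exit turned into an alert gives a cheap way to notice the mode flip the original poster describes, whatever its cause.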

