SUMMARY: Anybody know function of /usr/lbin/chgpt?

From: Phil Farrell (farrell@pangea.Stanford.EDU)
Date: Mon Sep 16 2002 - 16:28:46 EDT


Hi sysadmins,

Original question at the end.

Thanks to Alan Nabeth, Ann Majeske, Paul Sand, William Skulley, and
Peter Sherwood for their quick responses. Ann (HP employee) took
a quick look at the Tru64 source code, and several of the others
did google searches that yielded some information (I didn't think
that RTFM now means searching the entire internet, but apparently
that works best).

Basically, /usr/lbin/chgpt is a setuid program that is called by
the grantpt(3) library function (which is documented), for the
purpose of modifying ownership and mode of a slave pseudoterminal
device associated with a master counterpart. It must be setuid root
for the grantpt function to work.

In my case, I was suspicious of this setuid program because I
had never seen it used before (in about 3 years of monitoring).
I have process accounting turned on, and each night one of my
system management scripts gets a complete listing from the
pacct file and then e-mails to me any use of a setuid program
(identifiable because they start with the # character in the output)
that is not already on my list of "known" standard programs.
So it picked up "chgpt" for the first time that I can remember,
being run by an ordinary user who logged in for only a few minutes.

Well, with the information from our helpful colleagues above
that traces this back to pseudoterminal management, I looked
at all of the processes run by this same user and saw that just
before the chgpt process, he ran "mc", which I traced to
"Midnight Commander" (a file system browser). Grabbing the
source code for that program, I see that it does indeed call
the grantpt function at some point. So I think this use of
chgpt on my system was totally legitimate. (Guess no one has
used mc before, or at least not the function that requires
grantpt).

Alan also suggested sending a note to the folks who write the
Compaq/HP documentation requesting some info be added about the
/usr/lbin programs. I'll try to follow up on that.

Thanks to all who participate in this list.

-Phil Farrell, Computer Systems Manager
Stanford University School of Earth Sciences
farrell@pangea.stanford.edu

Original question:

Hi sysadmins,

Anybody know the function of /usr/lbin/chgpt? I'm running Tru64 UNIX
v4.0g, patch kit 3. I see that this program is loaded as part of the
OSFBASE445 subset. Of course, there is no man page or any other docs
I can find describing this program. "strings" yields no information.
This is a setuid root program, and I noticed one of our users recently ran
it from a login that looks funny. Always worried about hackers here.
I'd like to know what this program does and whether I even need to
leave it setuid root.

(Editorial comment: /usr/lbin is full of programs that have absolutely
no documentation on the system. Even though these programs are not
intended to be run by users, I think it is completely unacceptable
for Compaq/HP to provide a directory full of programs, some of them
setuid root, with absolutely no information about what they do or
how they are normally used. Come on, it can't be that hard to write
some minimal man pages!).
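
The nightly check described in the summary (flag any `#`-marked command in the process accounting listing that is not on a known list) can be sketched as follows. This is an added example, not the poster's script: the listing layout (command name in field 1, user in field 2), the known-list file format, and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example: report '#'-flagged commands from an accounting listing
# that are absent from a known-good list. The column layout is an
# assumption: field 1 = command (with '#' prefix when flagged), field 2 = user.

# unknown_setuid KNOWN_FILE LISTING_FILE
# Prints "user command count" for every flagged command not in KNOWN_FILE.
unknown_setuid() {
    awk '
        # First file: one known command name per line, blank lines ignored.
        FILENAME == ARGV[1] { if ($1 != "") known[$1] = 1; next }
        # Second file: only lines whose command field starts with "#".
        $1 ~ /^#./ {
            cmd = substr($1, 2)               # strip the "#" marker
            if (!(cmd in known)) count[$2 " " cmd]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" "$2" | sort
}

# Constructed sample data (not taken from the original post).
write_samples() {   # write_samples DIR
    cat > "$1/known" <<'EOF'
su
passwd
rlogin
EOF
    cat > "$1/listing" <<'EOF'
COMMAND   USER     TTYNAME  START     END       REAL    CPU
ls        alice    ttyp1    09:14:02  09:14:02  0.02    0.01
#su       bob      ttyp2    09:20:11  09:21:40  89.00   0.05
mc        guest7   ttyp4    14:02:31  14:05:10  159.00  0.40
#chgpt    guest7   ttyp4    14:02:31  14:02:31  0.01    0.01
#passwd   alice    ttyp1    15:00:00  15:00:09  9.00    0.03
#chgpt    guest7   ttyp4    14:03:02  14:03:02  0.01    0.01
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
unknown_setuid "$tmp/known" "$tmp/listing"    # report to mail to the admin
rm -rf "$tmp"
```

Once a flagged program has been traced to a legitimate caller, as chgpt was traced to grantpt(3) here, adding its name to the known list stops it from being reported again.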



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:53 EDT