Permissions changed on /bin/quota & /usr/bin/su

CreateChange

Hello,

rkhunter caught some changes to permissions on /usr/bin/su:

Code:
Warning: The file properties have changed:
File: /usr/bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0

Group ID changed to wheel, and permissions became more strict.


OSSEC caught changes on /bin/quota, where the execute for owner was changed to a sticky bit.

Code:
Integrity checksum changed for: '/bin/quota'
Permissions changed from 'rwxr-xr-x' to 'rwsr-xr-x'

I am curious to know if these changes are expected. They occurred on all 3 servers we have in production:

Code:
me@computer:~/administration/cpanel-ansible$ ansible all -m shell -a "ls -la /bin/quota"
cpanel-6 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug  8 21:34 /bin/quota

cpanel-7 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug  8 21:34 /bin/quota

cpanel-8 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug  8 21:34 /bin/quota

me@computer:~/administration/cpanel-ansible$ ansible all -m shell -a "ls -la /usr/bin/su"
cpanel-8 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug  8 22:10 /usr/bin/su

cpanel-6 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug  8 22:10 /usr/bin/su

cpanel-7 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug  8 22:10 /usr/bin/su

Thanks for any insight you can provide!
Jonathan
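
An added example, not part of the original post: a Python sketch that decodes the two permission alert formats quoted above (rkhunter's octal modes and OSSEC's ls-style strings) and names the bits that differ, including setuid, setgid and sticky. The function names are hypothetical and the sample lines are copied from the post; the gid line of the rkhunter alert is not handled.

```python
import re
import stat

# Permission bits by name: special bits first, then owner/group/other rwx.
BITS = [(stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky")]
BITS += [(1 << (8 - i), name) for i, name in enumerate(
    "%s-%s" % (w, p) for w in ("owner", "group", "other") for p in ("read", "write", "exec"))]
SPECIAL = [(stat.S_ISUID, "sS"), (stat.S_ISGID, "sS"), (stat.S_ISVTX, "tT")]
RKHUNTER = re.compile(r"Current permissions:\s*([0-7]{3,4})\s+Stored permissions:\s*([0-7]{3,4})")
OSSEC = re.compile(r"Permissions changed from '([rwxsStT-]{9})' to '([rwxsStT-]{9})'")

def symbolic_to_mode(sym):
    """Convert 'rwsr-xr-x' style text to a mode; s/t include execute, S/T do not."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters: %r" % sym)
    mode = 0
    for i, ch in enumerate(sym):
        bit = 1 << (8 - i)
        flag, letters = SPECIAL[i // 3]
        if i % 3 == 2 and ch in letters:
            mode |= flag | (bit if ch.islower() else 0)
        elif ch == "rwx"[i % 3]:
            mode |= bit
        elif ch != "-":
            raise ValueError("unexpected %r at position %d" % (ch, i))
    return mode

def parse_alert(line):
    """Return (old_mode, new_mode) for a recognised alert line, else None."""
    m = RKHUNTER.search(line)
    if m:
        return int(m.group(2), 8), int(m.group(1), 8)  # current is listed first, stored second
    m = OSSEC.search(line)
    if m:
        return symbolic_to_mode(m.group(1)), symbolic_to_mode(m.group(2))
    return None

def diff_modes(old, new):
    """Return (added, removed) lists of bit names between two modes."""
    added = [name for bit, name in BITS if new & bit and not old & bit]
    removed = [name for bit, name in BITS if old & bit and not new & bit]
    return added, removed

# Alert lines copied from the post above.
SAMPLE = ["Current permissions: 4750 Stored permissions: 4755",
          "Permissions changed from 'rwxr-xr-x' to 'rwsr-xr-x'"]

if __name__ == "__main__":
    for old, new in map(parse_alert, SAMPLE):
        print("%04o -> %04o added=%s removed=%s" % ((old, new) + diff_modes(old, new)))
```

On the two quoted alerts this reports that /usr/bin/su lost other-read and other-exec, and that /bin/quota gained setuid.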