Hello,

rkhunter caught some changes to permissions on /usr/bin/su:

Code:
Warning: The file properties have changed:
File: /usr/bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0

Group ID changed to wheel, and permissions became more strict.

OSSEC caught changes on /bin/quota, where the execute for owner was changed to a sticky bit.

Code:
Integrity checksum changed for: '/bin/quota'
Permissions changed from 'rwxr-xr-x' to 'rwsr-xr-x'

I am curious to know if these changes are expected. They occurred on all 3 servers we have in production:

Code:
me@computer:~/administration/cpanel-ansible$ ansible all -m shell -a "ls -la /bin/quota"
cpanel-6 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug 8 21:34 /bin/quota
cpanel-7 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug 8 21:34 /bin/quota
cpanel-8 | CHANGED | rc=0 >>
-rwsr-xr-x 1 root root 85312 Aug 8 21:34 /bin/quota
me@computer:~/administration/cpanel-ansible$ ansible all -m shell -a "ls -la /usr/bin/su"
cpanel-8 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug 8 22:10 /usr/bin/su
cpanel-6 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug 8 22:10 /usr/bin/su
cpanel-7 | CHANGED | rc=0 >>
-rwsr-x--- 1 root wheel 32128 Aug 8 22:10 /usr/bin/su

Thanks for any insight you can provide!

Jonathan
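
An added example, not part of the original post: a Python script that decodes the two alerts quoted above (rkhunter's octal modes, OSSEC's symbolic modes) into the individual bits that changed, so setuid/setgid/sticky changes are separated from ordinary access changes. The alert text is copied from the post as sample input; all function names are hypothetical.

```python
import re
import stat

# Sample input: alert text as quoted in the post above.
RKHUNTER_ALERT = """Warning: The file properties have changed:
File: /usr/bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0"""
OSSEC_ALERT = """Integrity checksum changed for: '/bin/quota'
Permissions changed from 'rwxr-xr-x' to 'rwsr-xr-x'"""

SPECIAL = {stat.S_ISUID: "setuid", stat.S_ISGID: "setgid", stat.S_ISVTX: "sticky"}

def symbolic_to_mode(sym):
    """Convert a 9-character ls-style string such as 'rwsr-xr-x' to mode bits."""
    if len(sym) != 9:
        raise ValueError(f"expected 9 characters, got {sym!r}")
    mode = 0
    for i, ch in enumerate(sym):
        bit = 1 << (8 - i)
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif i % 3 == 2 and ch.lower() == "sst"[i // 3]:
            # s/t in an execute slot: special bit set; lowercase also means x is set
            mode |= list(SPECIAL)[i // 3] | (bit if ch.islower() else 0)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i} in {sym!r}")
    return mode

def describe_change(old, new):
    """List what differs between two modes, naming privilege-relevant bits."""
    notes = [f"{name} {'added' if new & bit else 'removed'}"
             for bit, name in SPECIAL.items() if (old ^ new) & bit]
    old_rwx, new_rwx = old & 0o777, new & 0o777
    if new_rwx & ~old_rwx:
        notes.append(f"access widened by {new_rwx & ~old_rwx:03o}")
    if old_rwx & ~new_rwx:
        notes.append(f"access narrowed by {old_rwx & ~new_rwx:03o}")
    return notes

def parse_rkhunter(text):
    """Return (stored, current) modes from an rkhunter file-properties warning."""
    cur, stored = re.search(
        r"Current permissions: (\d+) Stored permissions: (\d+)", text).groups()
    return int(stored, 8), int(cur, 8)

def parse_ossec(text):
    """Return (old, new) modes from an OSSEC permissions-changed alert."""
    old, new = re.search(
        r"Permissions changed from '([^']+)' to '([^']+)'", text).groups()
    return symbolic_to_mode(old), symbolic_to_mode(new)

if __name__ == "__main__":
    for path, (old, new) in (("/usr/bin/su", parse_rkhunter(RKHUNTER_ALERT)),
                             ("/bin/quota", parse_ossec(OSSEC_ALERT))):
        print(path, f"{old:04o} -> {new:04o}", describe_change(old, new))
```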