Permissions on /bin/su, /bin/mount and /usr/bin/newgrp

[kwessel]

Hi,

Running CPanel on a Centos 6 server for only a couple weeks, and pretty much from the start, RKHunter has been complaining that the permissions of /bin/su, /bin/mount and /usr/bin/newgrp don't match what the RPM DB says they should be. /bin/mount and /usr/bin/newgrp should be 4755, but the setuid bit has been removed. /bin/su should be 4755 and owned by group root, but it's 4750 and owned by group weel.

I saw no specific mention in the forums anywhere of CPanel making these changes, but I'm suspecting it did. Is this, in fact, true? If so, any suggestions on keeping RKHunter happy while still making it secure? --propupd does nothing for this since it's a package verification failure, and these are binaries that I'd really prefer not to whitelist. Personally, I'd like to set these perms and groups back to what they were in the original RPMs, but I'm not sure what that might break.

Any advice would be great.

Thanks,
Keith

 

[Mr. Bob]

I'm seeing the same on Cent 5.8

Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/locate
The file permissions have changed

Should I be concerned about this? The permissions still look safe to me. 711 on locate and 4750 on su. The warnings are quite annoying though...

 

[porsuke]

I cannt change permissions to 775.
What will I do?

 

[sehh]

Any news on this? I see the same warnings in multiple servers and I'd like to know if there is a rootkit that has affected the machines or if this is normal.

Thank you.

 

[cPanelTristan]

Here are my permissions on each for my machine:

[email protected] [/usr/local/cpanel]# ls -ld /bin/su
-rwsr-x--- 1 root wheel 34904 Jun 22 15:46 /bin/su*

[email protected] [/usr/local/cpanel]# ls -ld /bin/mount
-rwxr-xr-x 1 root root 76056 Jun 22 14:51 /bin/mount*

[email protected] [/usr/local/cpanel]# ls -ld /usr/bin/newgrp
-rwxr-xr-x 1 root root 36144 Dec  7  2011 /usr/bin/newgrp*

[email protected] [/usr/local/cpanel]# ls -ld /usr/bin/locate
-rwx--x--x 1 root slocate 35840 Aug 23  2010 /usr/bin/locate*

I haven't changed them at any point and I am most definitely not infected or hacked. I wipe my machine (it's a test VPS) every week or so, so it's definitely a clean system.