unexpected /bin/su permission changed

[leonep]

Hi,
Today i have warning message from RkHunter:

Warning: The file properties have changed:
File: /bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0

The last update about coreutils was on 3 July:

root@host1 [/bin]# grep coreutils /var/log/yum.log
Jul 03 22:02:07 Updated: coreutils-libs-8.4-47.el6.x86_64
Jul 03 22:02:09 Updated: coreutils-8.4-47.el6.x86_64

root@host1 [/]# ls -l /bin/su
-rwsr-x--- 1 root wheel 34904 Jun 19 17:15 /bin/su*

I would like to understand if this change can be safe or need investigation........
thanks

 

[cPanelLauren]

Hi @leonep


While I don't know what caused rkhunter to see the change - those are the correct permissions for /bin/su I double checked on two separate test servers:

[root@server ~]# stat /bin/su
  File: ‘/bin/su’
  Size: 32184         Blocks: 64         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 925656      Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-07-12 13:21:55.220225691 +0000
Modify: 2018-04-11 06:50:28.000000000 +0000
Change: 2018-07-12 05:18:25.358119535 +0000
 Birth: -

[root@v70 ~]# stat /bin/su
  File: ‘/bin/su’
  Size: 32184         Blocks: 64         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 86162       Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-04-11 01:50:28.000000000 -0500
Modify: 2018-04-11 01:50:28.000000000 -0500
Change: 2018-07-04 14:48:51.489026149 -0500
 Birth: -

Thanks!

 

[leonep]

thanks lauren, this is the stat of my file:

root@host1 [~]# stat /bin/su
  File: `/bin/su'
  Size: 34904           Blocks: 72         IO Block: 4096   regular file
Device: 902h/2306d      Inode: 587602      Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-07-12 22:07:44.000000000 +0200
Modify: 2018-06-19 17:15:49.000000000 +0200
Change: 2018-07-12 22:02:15.000000000 +0200

 

[cPanelLauren]

Hi @leonep

Perms/ownership looks fine - this is what it should be. What time did rkhunter run? Whatever change was made happened last night at 10

Thanks!

 

[leonep]

this is rkhunter.log , it found something around 4 in the morning...

[03:58:52] Info: Start date is Fri Jul 13 03:58:52 CEST 2018
......
......
[03:59:05]   /bin/su                                         [ Warning ]
[03:59:05] Warning: The file properties have changed:
[03:59:05]          File: /bin/su
[03:59:05]          Current permissions: 4750    Stored permissions: 4755
[03:59:05]          Current gid: 10    Stored gid: 0
.......
.......
[04:00:20] Info: End date is Fri Jul 13 04:00:20 CEST 2018

stored permission was wrong , maybe upcp or system restored correct permission ... !?!
Is the file content unchanged ?

 

[cPanelLauren]

It wouldn't be unlikely for upcp to have restored the permission of this and the size of yours is different than that of both my test servers. You can't check the contents directly. If there was some sort of compromise I would anticipate rkhunter finding more than just the perms/ownership on that file being modified from 755 ->750 and GID being changed from 0 (root) to the wheel group.

Thanks!

 

[leonep]

i agree
it seems a fix.. i will monitor the server
thanks Lauren

 

[cPanelLauren]

Hi @leonep

Good plan, you're most welcome!

Thanks!