unexpected /bin/su permission changed

leonep

Well-Known Member
Nov 18, 2014
230
18
68
Pescara
cPanel Access Level
Root Administrator
Hi,
Today i have warning message from RkHunter:

Warning: The file properties have changed:
File: /bin/su
Current permissions: 4750 Stored permissions: 4755
Current gid: 10 Stored gid: 0

The last update about coreutils was on 3 July:

[email protected] [/bin]# grep coreutils /var/log/yum.log
Jul 03 22:02:07 Updated: coreutils-libs-8.4-47.el6.x86_64
Jul 03 22:02:09 Updated: coreutils-8.4-47.el6.x86_64

[email protected] [/]# ls -l /bin/su
-rwsr-x--- 1 root wheel 34904 Jun 19 17:15 /bin/su*

I would like to understand if this change can be safe or need investigation........
thanks
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @leonep


While I don't know what caused rkhunter to see the change - those are the correct permissions for /bin/su I double checked on two separate test servers:

Code:
[[email protected] ~]# stat /bin/su
  File: ‘/bin/su’
  Size: 32184         Blocks: 64         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 925656      Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-07-12 13:21:55.220225691 +0000
Modify: 2018-04-11 06:50:28.000000000 +0000
Change: 2018-07-12 05:18:25.358119535 +0000
 Birth: -
Code:
[[email protected] ~]# stat /bin/su
  File: ‘/bin/su’
  Size: 32184         Blocks: 64         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 86162       Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-04-11 01:50:28.000000000 -0500
Modify: 2018-04-11 01:50:28.000000000 -0500
Change: 2018-07-04 14:48:51.489026149 -0500
 Birth: -
Thanks!
 

leonep

Well-Known Member
Nov 18, 2014
230
18
68
Pescara
cPanel Access Level
Root Administrator
thanks lauren, this is the stat of my file:

Code:
[email protected] [~]# stat /bin/su
  File: `/bin/su'
  Size: 34904           Blocks: 72         IO Block: 4096   regular file
Device: 902h/2306d      Inode: 587602      Links: 1
Access: (4750/-rwsr-x---)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: 2018-07-12 22:07:44.000000000 +0200
Modify: 2018-06-19 17:15:49.000000000 +0200
Change: 2018-07-12 22:02:15.000000000 +0200
 

leonep

Well-Known Member
Nov 18, 2014
230
18
68
Pescara
cPanel Access Level
Root Administrator
this is rkhunter.log , it found something around 4 in the morning...

Code:
[03:58:52] Info: Start date is Fri Jul 13 03:58:52 CEST 2018
......
......
[03:59:05]   /bin/su                                         [ Warning ]
[03:59:05] Warning: The file properties have changed:
[03:59:05]          File: /bin/su
[03:59:05]          Current permissions: 4750    Stored permissions: 4755
[03:59:05]          Current gid: 10    Stored gid: 0
.......
.......
[04:00:20] Info: End date is Fri Jul 13 04:00:20 CEST 2018
stored permission was wrong , maybe upcp or system restored correct permission ... !?!
Is the file content unchanged ?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
It wouldn't be unlikely for upcp to have restored the permission of this and the size of yours is different than that of both my test servers. You can't check the contents directly. If there was some sort of compromise I would anticipate rkhunter finding more than just the perms/ownership on that file being modified from 755 ->750 and GID being changed from 0 (root) to the wheel group.

Thanks!