Monday Jul 30, 2007
As promised, I have uploaded version 0.5 of the Interesting File Discovery Tool (or ifd for short). This update includes fixes and enhancements that were contributed by Perley
and Joe Moore. Thank you both for your contributions!
The biggest change in this version is the introduction of the -D parameter which enables you to change the program used to calculate the file digests (or fingerprints):
# ./ifd-v0.5.sh -h
./ifd-v0.5.sh - Interesting File Discovery Tool
ifd -[ugnw] [-ds] [-q] [-D cmd] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-d Calculate MD5 digest for each file (Solaris 10 only)
-D Command used to calculate file fingerprint
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quiet mode. Do not print headers.
-s Validate ELF file signature for each file (Solaris 10 only)
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
This can be useful in cases where you are running the tool on earlier releases of Solaris that do not have the integrated digest command or in cases where you want to use a different algorithm. For example, with this change, you could tell ifd to create SHA-512 fingerprints:
# ./ifd-v0.5.sh -c -D "/usr/bin/digest -a sha512" -d -u
Set-UID Programs
SUNWaccu 4755 root adm 29478dd7ebde1555eaef0987789094cc778794ee73ddcfb0a67c44004f93652f599dd7276342f8113cc4e58f877e883b4687c4ca0f30f0585dd725ddaffeb0b7 /usr/lib/acct/accton
SUNWbip 4555 root bin 95c814f7ff9606e0dc8818b51dacf74e92e5b3af329d66dc6fc8343c20ae741c1cea758568a318713ce6aacb35d1605bd6ee0911cdd2457aa85ceed363d17326 /usr/sbin/ping
SUNWbnuu 4511 root uucp 540f94a7054233498f1925aceef3c69b76300141ef38acc920ae005287db5546a03daef37c19b98149e11a26c7b4da137788e45cf642a3449345f635d8dbf762 /usr/bin/ct
SUNWbnuu 4511 uucp uucp 1754a7f7aaea60f4a1d1ca1915af30bc0157333061c096088bd3b719d008167f603380fae5b417a237cc9fe8c4cdcf524b22c61a471d0a06df5188cabedb475c /usr/bin/uuglist
[...]
Pretty neat. Thanks again to Perley and Joe for their feedback and support! To everyone - give this new version a shot and let me know what you think.
Take care,
Glenn
Monday Jul 23, 2007
Way back when, I did a post that introduced the Solaris Interesting File Discovery Tool. Being a fan of automation, I had written the tool mainly for myself, but I was pleasantly surprised to hear that people were happily using it. This leads me to today's posting.
A month or so ago, Fredrich Maney dropped me an e-mail letting me know of his experience running the tool and what tweaks he had made to improve it for his environment. In particular, he wanted to run this tool on Solaris 9. Recognizing that
I had screwed up by not making the tool more broadly useable, I decided that an appropriate penance would be for me to
not only fix this bug but to also build in a few new enhancements. Today, I am happy to announce the arrival of the Solaris Interesting File Discovery tool version 0.4.
New to this version are:
- Support for Solaris 9 (and likely 8) in addition to Solaris 10;
- Support for Solaris ELF signature verification (Solaris 10 only);
- Support for file fingerprint (MD5) generation (Solaris 10 only).
Yes, I do realize the irony of allowing the tool to run on older versions of the operating system while at the same
time adding new features for only Solaris 10 and newer. Unfortunately, the older versions of the operating system
simply do not support ELF signatures or the digest(1) command. Hey, these are just a few of the many good reasons why
you should consider adopting Solaris 10 today!
Moving on... Let's take it on a brief spin to see what things look like. First, let's check out the options available:
# ./ifd-v0.4.sh -h
./ifd-v0.4.sh - Interesting File Discovery Tool
ifd -[ugnw] [-ds] [-q] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-d Calculate MD5 digest for each file (Solaris 10 only)
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quite mode. Do not print headers.
-s Validate ELF file signature for each file (Solaris 10 only)
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
So, let's fire it up with the works. In this example, we will use the /var/sadm/install/contents file as
our source and look for files that are set-uid, set-gid, or world writable (including a special check for world
writable directories that do not have their sticky bit set). Keep in mind that you can also point the tool at
the /var/sadm/pkg directory as well as a DVD/CD distribution depending on your needs. This allows you to
use the tool for a different OS (if you can point it at a mounted DVD for example) or your local system (without
a need for a separate OS distribution at all).
For each matching file, we will record:
- package that installed the file
- file permissions
- file owner
- file group
- status of ELF signature verification
- MD5 fingerprint (suitable for using with the Solaris Fingerprint Database)
- file name
So, without further ado...
# ./ifd-v0.4.sh -c -d -s -u -g -w -n
Set-UID Programs
SUNWaccu 4755 root adm PASS 0c003207377f5bd2a9b5be5394205384 /usr/lib/acct/accton
SUNWbip 4555 root bin PASS ff140f86524789942e3fc66867f5be40 /usr/sbin/ping
SUNWbnuu 4511 root uucp PASS 6cf336d0ccf51c2b66a241fc615dc2da /usr/bin/ct
SUNWbnuu 4511 uucp uucp PASS 03c7fab44124264943e892ff0f9f318e /usr/bin/uustat
SUNWbnuu 4511 uucp uucp PASS 1491a5a26b6936d3eed53eab01890bcc /usr/bin/uuglist
SUNWbnuu 4511 uucp uucp PASS 453cdc99764045086d813708e268914c /usr/lib/uucp/uusched
SUNWbnuu 4511 uucp uucp PASS 4ad108e11de2ce16cb5a804ee9618589 /usr/lib/uucp/uuxqt
SUNWbnuu 4511 uucp uucp PASS 4ca26f335387f825b786fe650001e2a1 /usr/lib/uucp/remote.unknown
SUNWbnuu 4511 uucp uucp PASS 65cca9d2de0955d87dc52220da544c14 /usr/bin/uuname
SUNWbnuu 4511 uucp uucp PASS 7059dea52454585b825d2fe731bd9ccf /usr/bin/uucp
SUNWbnuu 4511 uucp uucp PASS 784a41f571364cf7dd15d91798494528 /usr/lib/uucp/uucico
SUNWbnuu 4511 uucp uucp PASS bdb1aa92b2169d8774f1ad8aea589aa7 /usr/bin/uux
SUNWbnuu 4511 uucp uucp PASS d6bb0cfc77f20d31c64d3af07044b8f6 /usr/bin/cu
SUNWcacaort 4511 root sys PASS 5bce4227db29f95813a6c7c13cc7d46d /usr/lib/cacao/lib/tools/cacaocsc
SUNWcdrw 4755 root bin PASS 7ab3bed64d212595784a85f65b062d51 /usr/bin/cdrw
SUNWcsu 4511 uucp bin PASS d9ac90c128f8f2750b3a49ae0c340ab4 /usr/bin/tip
SUNWcsu 4555 root bin PASS 226f94dd9845c934a98fc7f2aaa19523 /usr/bin/fdformat
SUNWcsu 4555 root bin PASS 24cf3f5258e5df4acccfed98a8822af3 /usr/lib/fs/ufs/ufsdump
SUNWcsu 4555 root bin PASS 316e3db185c014eae1d7881293a72c41 /usr/lib/utmp_update
SUNWcsu 4555 root bin PASS 3bfd7b1fc9811058b24bcbd42f826dc2 /usr/bin/amd64/uptime
SUNWcsu 4555 root bin PASS 61c7000154baedd954a9e9dd461e390e /usr/lib/fs/ufs/quota
SUNWcsu 4555 root bin PASS 6269d65e9c176610ca42d498970eeff8 /usr/bin/login
SUNWcsu 4555 root bin PASS 6493ff50d04d5cdb4264407f0f2e8c78 /usr/sbin/i86/whodo
SUNWcsu 4555 root bin PASS 78fe5243a4dc6a5f4dca4e3e23c6a673 /usr/bin/i86/uptime
SUNWcsu 4555 root bin PASS 7b5f21df1819f2b69237579b8a1a0fe6 /usr/sbin/allocate
SUNWcsu 4555 root bin PASS 8c97df084b4e5f98e282857926fd86cb /usr/bin/pfexec
SUNWcsu 4555 root bin PASS bf1cb47e81689184214c6a83f63cdfb1 /usr/bin/crontab
SUNWcsu 4555 root bin PASS c96b766b4ccbac6431b1e815bb65bdde /usr/lib/fs/ufs/ufsrestore
SUNWcsu 4555 root bin PASS ca0d8f737092afaed8fb083668d80be1 /usr/sbin/traceroute
SUNWcsu 4555 root bin PASS f535cdc0d54439c14d8c92e915df83ea /usr/sbin/amd64/whodo
SUNWcsu 4555 root sys PASS 14bb586161ad6de0d6e8b891a797f385 /usr/bin/su
SUNWcsu 4555 root sys PASS e213aa06105763694156369709f7c0dd /usr/bin/amd64/newtask
SUNWcsu 4555 root sys PASS f88d0e395c4e5a8403e2273af8d73ea6 /usr/bin/i86/newtask
SUNWcsu 4755 root sys PASS 526d58c2ecc92e8678700a8514f697c5 /usr/bin/at
SUNWcsu 4755 root sys PASS 8c028119f2a38570f3bac37b4a0f83db /usr/bin/atq
SUNWcsu 4755 root sys PASS b3013b0aacd83a60208b015d47568040 /usr/sbin/sacadm
SUNWcsu 4755 root sys PASS c84a3ab1da0e4db2fdfb45ea20bdb51e /usr/bin/newgrp
SUNWcsu 4755 root sys PASS eaaf142b658cafa113a8ec0c41e0ecdb /usr/bin/atrm
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 4555 root bin PASS 62343f01fb78de1f18cea2e3dc10bb0c /usr/dt/bin/dtprintinfo
SUNWdtdst 4555 root bin PASS 624a41d131fb86054da0f860c898e97e /usr/dt/bin/dtfile
SUNWdtdte 4555 root bin PASS 86794ad490355171a79d6941f0babde3 /usr/dt/bin/dtappgather
SUNWdtwm 4555 root bin PASS 3dd7de38e474409e4e677bacc10130b9 /usr/dt/bin/dtsession
SUNWgnome-sys-suspend 4711 root bin UNSIGN 290ca164439161635c0d23d525bcead8 /usr/lib/gnome-suspend
SUNWmcos 4555 root sys PASS 381166949a022ebf659ef0cab6e275ff /usr/lib/webconsole/adminverifier
SUNWmcos 4555 root sys PASS fe73cd9209baf01586c2bc44b003434e /usr/lib/webconsole/pamverifier
SUNWnisu 4555 root sys PASS f6f934c50750f22791b1a4a23db437cd /usr/bin/chkey
SUNWpcu 4511 root lp PASS 6b71b3fb8bd8edeb77e90bcb40896842 /usr/bin/lpset
SUNWpmowu 4555 root bin PASS ecabbf94c13052cfe793985f388a3357 /usr/openwin/bin/sys-suspend
SUNWpmu 4555 root bin PASS 5f13d302a6ae4d5e0d3d03e28fa8f845 /usr/sbin/pmconfig
SUNWpppdu 4555 root bin PASS f762762ffe2349a59156b2621d540db6 /usr/bin/pppd
SUNWpprou 4555 root bin PASS 227be03e256c6dcc8c07c45275837195 /usr/sbin/smpatch
SUNWpsm-lpd 4511 root bin PASS 69b0a7e7ef6952a3bf0b9094a718b85b /usr/lib/print/lpd-port
SUNWpsu 4511 root bin PASS e80d4264a38f803dc6ca696d22c0e97e /usr/lib/lp/bin/netpr
SUNWrcmdc 4555 root bin PASS 49fab30241d57a8ab085804312238a94 /usr/bin/rcp
SUNWrcmdc 4555 root bin PASS 54391ee93e29e392d094260b3d4b3d68 /usr/bin/rsh
SUNWrcmdc 4555 root bin PASS 569ac7fbd0df6eea1430a601b7ecca39 /usr/bin/rlogin
SUNWrcmdc 4555 root bin PASS 5f206a9c57570976301642b8a929d94d /usr/bin/rdist
SUNWrmvolmgr 4555 root bin PASS e8f97baf47fe6400567e0518c259e157 /usr/bin/rmformat
SUNWsndmu 4555 root bin PASS 6df3ae57fb3cc0f83bea9f806ebcb84f /usr/bin/mailq
SUNWsshcu 4555 root bin PASS 6a5efb5008794fa74074de7f06e1456a /usr/lib/ssh/ssh-keysign
SUNWwlanr 4755 root bin PASS b907467dcbc24e79f191fc31f90fae6d /sbin/wificonfig
SUNWxcu4 4555 root bin PASS 97cc4f6659c3f8b85910d28c07c0fa9c /usr/xpg4/bin/crontab
SUNWxcu4 4755 root sys PASS f4ae837685c632d8df16891caa718053 /usr/xpg4/bin/at
SUNWxcu6 4555 root bin PASS 418a5488f784886fb545afc70530e59f /usr/xpg6/bin/crontab
SUNWxorg-server 4555 root bin PASS 5641dd1147ea1a088dba31235d898aa3 /usr/X11/bin/i386/Xorg
SUNWxorg-server 4555 root bin PASS 83ece035a60d7f98ed2ab1b15dbd3c76 /usr/X11/bin/amd64/Xorg
SUNWxsun-server 4755 root bin PASS 1938f2c3b4548ad0113ce52ef2d3d328 /usr/openwin/bin/Xsun
SUNWxwplt 4755 root bin PASS 515b26b22fa5d787808a993512202600 /usr/openwin/bin/xlock
SUNWxwsvr 4555 root bin PASS f2187476d6491e7b439b997259a10062 /usr/X11/bin/xscreensaver
Set-GID Programs
SUNWcsu 2511 root mail PASS 0a732e9746d3033f82bd1a19c7521dfb /usr/bin/mailx
SUNWcsu 2511 root mail PASS 38aa1ab24793bcbd9dbff6b22447bf2a /usr/bin/mail
SUNWcsu 2555 root bin PASS b36e0818f80a0c2e2f0710d23e184d5d /usr/sbin/eeprom
SUNWcsu 2555 root sys PASS 128eeaab017cbb492f0f0bbfcfdc8ff1 /usr/sbin/amd64/prtconf
SUNWcsu 2555 root sys PASS 1e60d93817985dedb7720e1e5ab6892c /usr/sbin/i86/prtconf
SUNWcsu 2555 root sys PASS 3099609858ed2234ffaaa597ec5d3bba /usr/sbin/amd64/sysdef
SUNWcsu 2555 root sys PASS 51f912b98d75019889c8921f5b42e826 /usr/sbin/amd64/swap
SUNWcsu 2555 root sys PASS 749a05fa3cbe0f27a220678a9defe895 /usr/sbin/i86/sysdef
SUNWcsu 2555 root sys PASS c3ec5940f697917257fca3a16ec1a07a /usr/sbin/i86/swap
SUNWcsu 2555 root tty PASS 091ee44402b7870a55e8f3d47adb7ce2 /usr/sbin/wall
SUNWcsu 2555 root tty PASS 26116f7ed5064c4e29720b629d824bb9 /usr/bin/write
SUNWcsu 2755 root sys PASS 7b44b3ead9ecda4c465a826c2ab56ed9 /usr/sbin/prtdiag
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 2555 root mail PASS 36dd0001f2ed41be07b027d1c02d115d /usr/dt/bin/dtmailpr
SUNWdtdst 2555 root mail PASS fdae40512f82352ba3e74f1b463f97b1 /usr/dt/bin/dtmail
SUNWgnome-games 2555 root bin PASS 103f02a4a24446506c7f8ace5026cbe3 /usr/bin/gnobots2
SUNWgnome-games 2555 root bin PASS 3db3e19d6299bfa875501179d99846ec /usr/bin/mahjongg
SUNWgnome-games 2555 root bin PASS 411180c45b893cac7c0dc673849c5097 /usr/bin/gnotravex
SUNWgnome-games 2555 root bin PASS 60acedf6d46a25884726273d56b7bc0f /usr/bin/glines
SUNWgnome-games 2555 root bin PASS 6f80e05e7b954b46516ca69cd7fc1377 /usr/bin/gnibbles
SUNWgnome-games 2555 root bin PASS 7db26899831c27556158d650fc8bbde8 /usr/bin/gtali
SUNWgnome-games 2555 root bin PASS a9694142b04f9cd030b87a2f5392d4af /usr/bin/gnotski
SUNWgnome-games 2555 root bin PASS b31d94aadd219580d7fc0e8480c35279 /usr/bin/same-gnome
SUNWgnome-games 2555 root bin PASS ca97825cae9ab8fa3a6ee5aff97768e3 /usr/bin/gnomine
SUNWsndmu 2555 root smmsp PASS 6350af850a401cb3c609d9e0067958ac /usr/lib/sendmail
SUNWxprint-server 2755 root root PASS 36d71e7b95bf992c9101a0c9f44779fd /usr/openwin/bin/Xprt
SUNWxwplt 2755 root root PASS 59a296e934338ef9fa2d33347d8ed750 /usr/openwin/bin/lbxproxy
World Writable Files
SUNWbnur 1777 uucp uucp NOTELF [Target_Is_Directory] /var/spool/uucppublic
SUNWcsr 0666 root bin NOTELF d41d8cd98f00b204e9800998ecf8427e /var/adm/spellhist
SUNWcsr 1777 root bin NOTELF [Target_Is_Directory] /var/preserve
SUNWcsr 1777 root mail NOTELF [Target_Is_Directory] /var/mail
SUNWcsr 1777 root sys NOTELF [Target_Is_Directory] /var/tmp
SUNWdtscm 0666 root root NOTELF eb6d8ae6f20283755b339c0dc273988b /var/dt/dtpower/_current_scheme
SUNWdtscm 1777 root root NOTELF [Target_Is_Directory] /var/dt/dtpower/schemes
SUNWiqr 1777 root sys NOTELF [Target_Is_Directory] /var/imq/instances
SUNWkrbr 1777 root sys NOTELF [Target_Is_Directory] /var/krb5/rcache
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
SUNWpkgcmdsr 1777 root bin NOTELF [Target_Is_Directory] /var/spool/pkg
SUNWscpr 1777 root sys NOTELF [Target_Is_Directory] /tmp
SUNWsmbar 1777 root bin NOTELF [Target_Is_Directory] /var/spool/samba
Non-Sticky World Writable Directories
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
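How the four report sections above follow from the mode field, as an added example (not ifd's own code): it classifies constructed contents(4)-style lines by their set-uid, set-gid, world-write and sticky bits. The field layout, the sample lines and the function names are assumptions, not taken from the script.

```shell
#!/bin/sh
# Added example (not ifd's code): classify contents(4)-style entries by mode bits.

# Constructed sample data. Assumed field layout:
#   files:       path f class mode owner group size cksum modtime pkg
#   directories: path d class mode owner group pkg
#   symlinks:    path=target s class pkg   (no mode field, skipped below)
sample_contents() {
cat <<'EOF'
/usr/bin/passwd f none 6555 root sys 27228 48484 1106350778 SUNWcsu
/usr/bin/ls f none 0555 root bin 18844 51291 1106350778 SUNWcsu
/usr/bin/mail f none 2511 root mail 61288 12345 1106350778 SUNWcsu
/var/adm/spellhist f none 0666 root bin 0 0 1106350778 SUNWcsr
/tmp d none 1777 root sys SUNWcsr
/var/webconsole/tmp d none 0777 root sys SUNWmconr
/bin=./usr/bin s none SUNWcsr
EOF
}

# Reads entries on stdin; prints "TAG pkg mode owner group path" per finding.
classify_contents() {
  awk '
    $2 ~ /^[fevdx]$/ {
      isdir = ($2 == "d" || $2 == "x")
      pkg = isdir ? $7 : $10
      mode = $4
      while (length(mode) < 4) mode = "0" mode   # normalise "555" to "0555"
      special = substr(mode, 1, 1) + 0           # set-uid=4, set-gid=2, sticky=1
      other = substr(mode, 4, 1) + 0             # world permissions, write=2
      suid = int(special / 4) % 2
      sgid = int(special / 2) % 2
      sticky = special % 2
      ww = int(other / 2) % 2
      rec = pkg " " mode " " $5 " " $6 " " $1
      if (suid) print "SUID " rec
      if (sgid) print "SGID " rec
      if (ww) print "WW " rec
      if (ww && isdir && !sticky) print "WW-NOSTICKY " rec
    }
  '
}

sample_contents | classify_contents
```

A mode such as 6555 lands in both the set-uid and set-gid sections, which is why /usr/bin/passwd appears twice in the output above.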
So whether you are interested in finding set-uid or set-gid programs, verifying their integrity (directly via elfsign(1) or using the Solaris Fingerprint Database) or perhaps something else entirely, the Solaris Interesting File Discovery tool could be another useful weapon in your security auditing/forensics arsenal.
For those interested, this output is from a Nevada build 68 system running in Parallels Desktop for Mac OS X otherwise
known as my desktop!
At any rate, check out the tool and drop me a note with your feedback! I would love to hear from you!
Take care,
Glenn
Friday Jun 23, 2006
Following up on my posting of the Solaris Package Companion yesterday, I would like to post one more of my little utilities, called the Interesting File Discovery Tool (IFD). This tool is not taking on an overly grand challenge, but it does come in handy in a number of situations when you need to match up information being reported by the OS with information that is coming from the original distribution.
IFD is a simple utility that allows you to obtain a list of set-uid, set-gid, and world writable objects (including an option to just find world writable directories lacking the sticky bit). Certainly, there have been tools that have
done this for ages. The Solaris Security Toolkit, for example, includes
scripts (called print-suid-files.fin, print-sgid-files.fin, and print-world-writable-objects.fin)
that pull this information directly from the filesystem.
IFD is different, however. Rather than pull the information from the filesystem (which can be easily accomplished using just the find(1) command), the Interesting File Discovery tool collects information on these files from a number of different sources including: (1) the OS distribution, (2) the local system's /var/sadm/pkg directory and (3) the local system's /var/sadm/install/contents file. These are all interesting sources to collect this information since it can help an investigator.
For example, one could determine that there exists a program (shipped in the Solaris OS) that is set-uid on the filesystem and perhaps in the "contents" file, but it is not set-uid in the package repository or in the Solaris OS distribution. While this may not necessarily mean that there is a problem, it may point to an area requiring more investigation. This could be used in concert with tools such as the
Solaris Fingerprint Database or even Solaris 10 BART to determine the authenticity of a given program and its
permissions.
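One way to run that comparison, as an added example that is not part of ifd: it diffs two listings in the mode/owner/group/path layout of the v0.3 output, one taken from the distribution and one from the local system. The sample listings, the path /opt/example/bin/helper and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of ifd): compare two ifd-style listings and report
# entries whose presence, mode, owner or group differs between the sources.

# compare_listings DIST_FILE LOCAL_FILE
# Each data line is "mode owner group path"; a leading "/" on the path is
# stripped so relative and absolute listings can be matched.
compare_listings() {
  awk '
    $1 !~ /^[0-7]+$/ { next }                 # skip headers and "[...]" lines
    { path = $4; sub(/^\//, "", path); attrs = $1 " " $2 " " $3 }
    FILENAME == ARGV[1] { dist[path] = attrs; next }
    {
      seen[path] = 1
      if (!(path in dist)) print "LOCAL-ONLY " path " " attrs
      else if (dist[path] != attrs) print "CHANGED " path " " dist[path] " -> " attrs
    }
    END { for (p in dist) if (!(p in seen)) print "DIST-ONLY " p " " dist[p] }
  ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample listings: one set-uid file changed mode locally, one is
# set-uid only on the local system, one only in the distribution.
demo() {
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/dist.txt" <<'EOF'
Set-UID Programs
4511 root bin usr/lib/lp/bin/netpr
4511 root lp usr/bin/lp
4511 uucp bin usr/bin/tip
EOF
  cat > "$tmp/local.txt" <<'EOF'
Set-UID Programs
4511 root bin /usr/lib/lp/bin/netpr
4555 root lp /usr/bin/lp
4555 root bin /opt/example/bin/helper
EOF
  compare_listings "$tmp/dist.txt" "$tmp/local.txt"
  rm -rf "$tmp"
}

demo
```

LOCAL-ONLY lines are the case described above: set-uid on the local system but not in the distribution, so they are the first entries to check against a fingerprint source.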
Before we give it a spin, let's take a look at how the tool is used and what options are available:
$ ./ifd-v0.3.sh -h
./ifd-v0.3.sh - Interesting File Discovery Tool
ifd -[ugnw] [-q] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quite mode. Do not print headers.
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
So, let's see how this little tool works... In the first example, the tool is used to uncover set-uid files from
a Solaris OS distribution:
$ ./ifd-v0.3.sh -u /export/install/images/s10u1/Solaris_10/Product
Set-UID Programs
4511 root bin usr/lib/lp/bin/netpr
4511 root bin usr/lib/print/lpd-port
4511 root bin usr/lib/pt_chmod
4511 root lp usr/bin/cancel
4511 root lp usr/bin/lp
4511 root lp usr/bin/lpset
4511 root lp usr/bin/lpstat
4511 root lp usr/sbin/lpmove
4511 root uucp usr/bin/ct
4511 uucp bin usr/bin/tip
[... other results removed for brevity ...]
Another way you can use this is to collect information from the local package repository. For this example, we will look for set-gid files:
$ ./ifd-v0.3.sh -g -l
Set-GID Programs
2511 root mail usr/bin/mail
2511 root mail usr/bin/mailx
2555 root mail dt/bin/dtmail
2555 root mail dt/bin/dtmailpr
2555 root smmsp usr/lib/sendmail
2555 root sys usr/platform/i86pc/sbin/eeprom
2555 root sys usr/sbin/amd64/prtconf
2555 root sys usr/sbin/amd64/swap
2555 root sys usr/sbin/amd64/sysdef
2555 root sys usr/sbin/i86/prtconf
[... other results removed for brevity ...]
Finally, let's look for world writable files (and directories) using just the local /var/sadm/install/contents file:
$ ./ifd-v0.3.sh -w -l
World Writable Files
0622 bin bin usr/oasys/tmp/TERRLOG
0666 root bin var/adm/spellhist
0666 root root var/dt/dtpower/_current_scheme
1777 root bin var/preserve
1777 root bin var/spool/pkg
1777 root bin var/spool/samba
1777 root mail var/mail
1777 root root var/dt/dtpower/schemes
1777 root sys tmp
1777 root sys var/krb5/rcache
[... other results removed for brevity ...]
So, there you have it. Nothing earth shattering, but a useful little tool nonetheless. Please let me know if you use it, like it, hate it, have ideas to improve it, etc. I always love to get feedback.
Take care,
Glenn