Annotation of src/etc/security, Revision 1.106
1.1 cgd 1: #!/bin/sh -
2: #
1.106 ! haad 3: # $NetBSD: security,v 1.105 2007/11/23 15:51:27 dholland Exp $
1.9 cgd 4: # from: @(#)security 8.1 (Berkeley) 6/9/93
1.1 cgd 5: #
6:
1.9 cgd 7: PATH=/sbin:/usr/sbin:/bin:/usr/bin
1.1 cgd 8:
1.89 jmmv 9: rcvar_manpage='security.conf(5)'
10:
1.31 lukem 11: if [ -f /etc/rc.subr ]; then
12: . /etc/rc.subr
13: else
14: echo "Can't read /etc/rc.subr; aborting."
15: exit 1;
16: fi
17:
1.9 cgd 18: umask 077
1.64 cjs 19: TZ=UTC; export TZ
1.1 cgd 20:
1.15 mrg 21: if [ -s /etc/security.conf ]; then
22: . /etc/security.conf
23: fi
24:
1.67 lukem 25: # Set reasonable defaults (if they're not set in security.conf)
26: #
27: backup_dir=${backup_dir:-/var/backups}
28: pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29: max_loginlen=${max_loginlen:-8}
30: max_grouplen=${max_grouplen:-8}
1.104 adrianp 31: pkg_info=${pkg_info:-/usr/sbin/pkg_info}
1.67 lukem 32:
33: # Other configurable variables
34: #
35: special_files="/etc/mtree/special /etc/mtree/special.local"
36: MP=/etc/master.passwd
37: CHANGELIST=""
38: work_dir=$backup_dir/work
39:
40: if [ ! -d "$work_dir" ]; then
41: mkdir -p "$work_dir"
42: fi
43:
1.102 martti 44: SECUREDIR=$(mktemp -d -t _securedir) || exit 1
1.56 lukem 45:
1.67 lukem 46: trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
1.15 mrg 47:
1.56 lukem 48: if ! cd "$SECUREDIR"; then
49: echo "Can not cd to $SECUREDIR".
1.15 mrg 50: exit 1
51: fi
52:
1.91 lukem 53: ERR=err.$$
54: TMP1=tmp1.$$
55: TMP2=tmp2.$$
56: MPBYUID=mpbyuid.$$
57: MPBYPATH=mpbypath.$$
58: LIST=list.$$
59: OUTPUT=output.$$
60: LABELS=labels.$$
1.106 ! haad 61: LVM_LABELS=lvm.$$
1.91 lukem 62: PKGS=pkgs.$$
63: CHANGEFILES=changefiles.$$
64: SPECIALSPEC=specialspec.$$
1.67 lukem 65:
66: # migrate_file old new
67: # Determine if the "${old}" path name needs to be migrated to the
68: # "${new}" path. Also checks if "${old}.current" needs migrating,
69: # and if so, migrate it and possibly "${old}.current,v" and
70: # "${old}.backup".
71: #
72: migrate_file()
73: {
74: _old=$1
75: _new=$2
76: if [ -z "$_old" -o -z "$_new" ]; then
77: err 3 "USAGE: migrate_file old new"
78: fi
79: if [ ! -d "${_new%/*}" ]; then
80: mkdir -p "${_new%/*}"
81: fi
82: if [ -f "${_old}" -a ! -f "${_new}" ]; then
83: echo "==> migrating ${_old}"
84: echo " to ${_new}"
85: mv "${_old}" "${_new}"
86: fi
87: if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
88: echo "==> migrating ${_old}.current"
89: echo " to ${_new}.current"
90: mv "${_old}.current" "${_new}.current"
91: if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
92: echo "==> migrating ${_old}.current,v"
93: echo " to ${_new}.current,v"
94: mv "${_old}.current,v" "${_new}.current,v"
95: fi
96: if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
97: echo "==> migrating ${_old}.backup"
98: echo " to ${_new}.backup"
99: mv "${_old}.backup" "${_new}.backup"
100: fi
101: fi
102: }
103:
104:
105: # backup_and_diff file printdiff
106: # Determine if file needs backing up, and if so, do it.
107: # If printdiff is yes, display the diffs, otherwise
108: # just print a message saying "[changes omitted]".
109: #
110: backup_and_diff()
111: {
112: _file=$1
113: _printdiff=$2
114: if [ -z "$_file" -o -z "$_printdiff" ]; then
115: err 3 "USAGE: backup_and_diff file printdiff"
116: fi
117: ! checkyesno _printdiff
118: _printdiff=$?
119:
120: _old=$backup_dir/${_file##*/}
121: case "$_file" in
122: $work_dir/*)
123: _new=$_file
124: migrate_file "$backup_dir/$_old" "$_new"
125: migrate_file "$_old" "$_new"
126: ;;
127: *)
128: _new=$backup_dir/$_file
129: migrate_file "$_old" "$_new"
130: ;;
131: esac
132: CUR=${_new}.current
133: BACK=${_new}.backup
134: if [ -f $_file ]; then
135: if [ -f $CUR ] ; then
136: if [ "$_printdiff" -ne 0 ]; then
1.83 jhawk 137: diff ${diff_options} $CUR $_file > $OUTPUT
1.67 lukem 138: else
139: if ! cmp -s $CUR $_file; then
140: echo "[changes omitted]"
141: fi > $OUTPUT
142: fi
143: if [ -s $OUTPUT ] ; then
144: printf \
145: "\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
146: cat $OUTPUT
147: backup_file update $_file $CUR $BACK
148: fi
149: else
150: printf "\n======\n%s added\n======\n" $_file
151: if [ "$_printdiff" -ne 0 ]; then
1.83 jhawk 152: diff ${diff_options} /dev/null $_file
1.67 lukem 153: else
154: echo "[changes omitted]"
155: fi
156: backup_file add $_file $CUR $BACK
157: fi
158: else
159: if [ -f $CUR ]; then
160: printf "\n======\n%s removed\n======\n" $_file
161: if [ "$_printdiff" -ne 0 ]; then
1.83 jhawk 162: diff ${diff_options} $CUR /dev/null
1.67 lukem 163: else
164: echo "[changes omitted]"
165: fi
166: backup_file remove $_file $CUR $BACK
167: fi
168: fi
169: }
1.48 abs 170:
1.9 cgd 171:
1.67 lukem 172: # These are used several times.
173: #
1.91 lukem 174: awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
1.29 lukem 175: awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
1.91 lukem 176: for file in $special_files; do
177: [ -s $file ] && cat $file
178: done | mtree -CM -k all > $SPECIALSPEC || exit 1
1.9 cgd 179:
1.67 lukem 180:
1.9 cgd 181: # Check the master password file syntax.
1.32 lukem 182: #
1.31 lukem 183: if checkyesno check_passwd; then
1.85 jhawk 184: # XXX: the sense of permit_star is reversed; the code works as
185: # implemented, but usage needs to be negated.
1.81 jhawk 186: checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
1.94 jdolecek 187: checkyesno check_passwd_permit_nonalpha \
188: && permit_nonalpha=1 || permit_nonalpha=0
189:
1.81 jhawk 190: awk -v "len=$max_loginlen" \
191: -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
192: -v "nowarn_users_list=$check_passwd_nowarn_users" \
1.94 jdolecek 193: -v "permit_star=$permit_star" \
194: -v "permit_nonalpha=$permit_nonalpha" \
195: '
1.25 lukem 196: BEGIN {
197: while ( getline < "/etc/shells" > 0 ) {
1.39 hubertf 198: if ($0 ~ /^\#/ || $0 ~ /^$/ )
1.25 lukem 199: continue;
200: shells[$1]++;
201: }
1.81 jhawk 202: split(nowarn_shells_list, a);
203: for (i in a) nowarn_shells[a[i]]++;
204: split(nowarn_users_list, a);
205: for (i in a) nowarn_users[a[i]]++;
206: uid0_users_list="root toor"
207: split(uid0_users_list, a);
208: for (i in a) uid0_users[a[i]]++;
1.25 lukem 209: FS=":";
210: }
211:
212: {
1.15 mrg 213: if ($0 ~ /^[ ]*$/) {
1.25 lukem 214: printf "Line %d is a blank line.\n", NR;
1.15 mrg 215: next;
216: }
1.105 dholland 217:
218: # NIS compat entry?
219: compatline = $1 ~ "^[\\+-]";
220: if (compatline) {
221: if ($1 == "+" && NF == 1) {
222: next;
223: }
224: sub("^.", "", $1);
225: }
226: if (NF != 10)
1.25 lukem 227: printf "Line %d has the wrong number of fields.\n", NR;
1.105 dholland 228: if (compatline) {
229: if ($3 == 0)
1.81 jhawk 230: printf "Line %d includes entries with uid 0.\n",
231: NR;
1.105 dholland 232: if ($1 == "")
233: next;
1.34 abs 234: }
1.94 jdolecek 235: if (!permit_nonalpha &&
1.95 peter 236: $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
1.25 lukem 237: printf "Login %s has non-alphanumeric characters.\n",
238: $1;
1.34 abs 239: if (length($1) > len)
1.81 jhawk 240: printf "Login %s has more than "len" characters.\n",
241: $1;
1.105 dholland 242: if ($2 == "" && !compatline && !nowarn_users[$1])
1.81 jhawk 243: printf "Login %s has no password.\n", $1;
244: if (!nowarn_shells[$10] && !nowarn_users[$1]) {
245: if (length($2) != 13 &&
246: length($2) != 20 &&
247: $2 !~ /^\$1/ &&
248: $2 !~ /^\$2/ &&
1.99 jmcneill 249: $2 !~ /^\$sha1/ &&
1.81 jhawk 250: $2 != "" &&
251: (permit_star || $2 != "*") &&
252: $2 !~ /^\*[A-z-]+$/ &&
253: $1 != "toor") {
254: if ($10 == "" || shells[$10])
255: printf "Login %s is off but still has "\
256: "a valid shell (%s)\n", $1, $10;
1.105 dholland 257: } else if (compatline && $10 == "") {
258: # nothing
1.81 jhawk 259: } else if (! shells[$10])
260: printf "Login %s does not have a valid "\
261: "shell (%s)\n", $1, $10;
262: }
263: if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
1.25 lukem 264: printf "Login %s has a user id of 0.\n", $1;
1.105 dholland 265: if ($3 != "" && $3 < 0)
1.25 lukem 266: printf "Login %s has a negative user id.\n", $1;
1.105 dholland 267: if ($4 != "" && $4 < 0)
1.25 lukem 268: printf "Login %s has a negative group id.\n", $1;
1.15 mrg 269: }' < $MP > $OUTPUT
270: if [ -s $OUTPUT ] ; then
271: printf "\nChecking the $MP file:\n"
272: cat $OUTPUT
273: fi
274:
275: awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
276: if [ -s $OUTPUT ] ; then
277: printf "\n$MP has duplicate user names.\n"
278: column $OUTPUT
279: fi
280:
1.37 wrstuden 281: # To not exclude 'toor', a standard duplicate root account, from the duplicate
282: # account test, uncomment the line below (without egrep in it)and comment
283: # out the line (with egrep in it) below it.
284: #
285: # < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
1.36 wrstuden 286: < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
1.15 mrg 287: if [ -s $TMP2 ] ; then
288: printf "\n$MP has duplicate user id's.\n"
289: while read uid; do
1.28 lukem 290: grep -w $uid $MPBYUID
1.15 mrg 291: done < $TMP2 | column
292: fi
1.9 cgd 293: fi
294:
295: # Check the group file syntax.
1.32 lukem 296: #
1.31 lukem 297: if checkyesno check_group; then
1.15 mrg 298: GRP=/etc/group
1.49 jdolecek 299: awk -F: -v "len=$max_grouplen" '{
1.15 mrg 300: if ($0 ~ /^[ ]*$/) {
1.25 lukem 301: printf "Line %d is a blank line.\n", NR;
1.15 mrg 302: next;
303: }
1.34 abs 304: if (NF != 4 && ($1 != "+" || NF != 1))
1.25 lukem 305: printf "Line %d has the wrong number of fields.\n", NR;
1.34 abs 306: if ($1 == "+" ) {
307: next;
308: }
1.95 peter 309: if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
1.25 lukem 310: printf "Group %s has non-alphanumeric characters.\n",
311: $1;
1.49 jdolecek 312: if (length($1) > len)
313: printf "Group %s has more than "len" characters.\n", $1;
1.15 mrg 314: if ($3 !~ /[0-9]*/)
1.25 lukem 315: printf "Login %s has a negative group id.\n", $1;
1.15 mrg 316: }' < $GRP > $OUTPUT
317: if [ -s $OUTPUT ] ; then
318: printf "\nChecking the $GRP file:\n"
319: cat $OUTPUT
320: fi
321:
322: awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
323: if [ -s $OUTPUT ] ; then
324: printf "\n$GRP has duplicate group names.\n"
325: column $OUTPUT
326: fi
1.9 cgd 327: fi
328:
329: # Check for root paths, umask values in startup files.
330: # The check for the root paths is problematical -- it's likely to fail
331: # in other environments. Once the shells have been modified to warn
332: # of '.' in the path, the path tests should go away.
1.32 lukem 333: #
1.31 lukem 334: if checkyesno check_rootdotfiles; then
1.67 lukem 335: rhome=~root
1.15 mrg 336: umaskset=no
337: list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
338: for i in $list ; do
339: if [ -f $i ] ; then
1.67 lukem 340: if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
341: then
1.15 mrg 342: umaskset=yes
343: fi
1.63 lukem 344: # Double check the umask value itself; ensure that
1.67 lukem 345: # both the group and other write bits are set.
346: #
1.45 sommerfe 347: egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
1.63 lukem 348: awk '{
1.67 lukem 349: if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
1.80 wiz 350: print "\tRoot umask is group writable"
1.63 lukem 351: }
1.67 lukem 352: if ($2 ~ /[^2367]$/) {
1.80 wiz 353: print "\tRoot umask is other writable"
1.63 lukem 354: }
1.67 lukem 355: }' | sort -u
1.26 lukem 356: SAVE_PATH=$PATH
357: unset PATH
1.15 mrg 358: /bin/csh -f -s << end-of-csh > /dev/null 2>&1
359: source $i
360: /bin/ls -ldgT \$path > $TMP1
1.9 cgd 361: end-of-csh
1.76 atatat 362: export PATH=$SAVE_PATH
1.15 mrg 363: awk '{
364: if ($10 ~ /^\.$/) {
1.27 lukem 365: print "\tThe root path includes .";
1.15 mrg 366: next;
367: }
368: }
369: $1 ~ /^d....w/ \
1.80 wiz 370: { print "\tRoot path directory " $10 " is group writable." } \
1.15 mrg 371: $1 ~ /^d.......w/ \
1.80 wiz 372: { print "\tRoot path directory " $10 " is other writable." }' \
1.67 lukem 373: < $TMP1
1.15 mrg 374: fi
1.67 lukem 375: done > $OUTPUT
1.15 mrg 376: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
1.27 lukem 377: printf "\nChecking root csh paths, umask values:\n$list\n\n"
1.15 mrg 378: if [ -s $OUTPUT ]; then
379: cat $OUTPUT
380: fi
381: if [ $umaskset = "no" ] ; then
1.27 lukem 382: printf "\tRoot csh startup files do not set the umask.\n"
1.15 mrg 383: fi
1.9 cgd 384: fi
385:
1.15 mrg 386: umaskset=no
1.23 lukem 387: list="/etc/profile ${rhome}/.profile"
1.15 mrg 388: for i in $list; do
389: if [ -f $i ] ; then
390: if egrep umask $i > /dev/null ; then
391: umaskset=yes
392: fi
393: egrep umask $i |
1.67 lukem 394: awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
1.80 wiz 395: { print "\tRoot umask is group writable" } \
1.67 lukem 396: $2 ~ /[^2367]$/ \
1.80 wiz 397: { print "\tRoot umask is other writable" }'
1.26 lukem 398: SAVE_PATH=$PATH
399: unset PATH
1.15 mrg 400: /bin/sh << end-of-sh > /dev/null 2>&1
401: . $i
1.26 lukem 402: list=\`echo \$PATH | /usr/bin/sed -e \
403: 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
1.15 mrg 404: /bin/ls -ldgT \$list > $TMP1
1.9 cgd 405: end-of-sh
1.76 atatat 406: export PATH=$SAVE_PATH
1.15 mrg 407: awk '{
408: if ($10 ~ /^\.$/) {
1.27 lukem 409: print "\tThe root path includes .";
1.15 mrg 410: next;
411: }
412: }
413: $1 ~ /^d....w/ \
1.80 wiz 414: { print "\tRoot path directory " $10 " is group writable." } \
1.15 mrg 415: $1 ~ /^d.......w/ \
1.80 wiz 416: { print "\tRoot path directory " $10 " is other writable." }' \
1.67 lukem 417: < $TMP1
1.9 cgd 418:
1.15 mrg 419: fi
1.67 lukem 420: done > $OUTPUT
1.15 mrg 421: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
422: printf "\nChecking root sh paths, umask values:\n$list\n"
423: if [ -s $OUTPUT ]; then
424: cat $OUTPUT
425: fi
426: if [ $umaskset = "no" ] ; then
1.27 lukem 427: printf "\tRoot sh startup files do not set the umask.\n"
1.15 mrg 428: fi
1.9 cgd 429: fi
430: fi
431:
432: # Root and uucp should both be in /etc/ftpusers.
1.32 lukem 433: #
1.31 lukem 434: if checkyesno check_ftpusers; then
1.28 lukem 435: list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
1.27 lukem 436: for i in $list; do
1.29 lukem 437: if /usr/libexec/ftpd -C $i ; then
1.67 lukem 438: printf "\t$i is not denied\n"
1.27 lukem 439: fi
1.67 lukem 440: done > $OUTPUT
1.28 lukem 441: if [ -s $OUTPUT ]; then
442: printf "\nChecking the /etc/ftpusers configuration:\n"
443: cat $OUTPUT
444: fi
1.9 cgd 445: fi
446:
1.43 itojun 447: # Uudecode should not be in the /etc/mail/aliases file.
1.32 lukem 448: #
1.31 lukem 449: if checkyesno check_aliases; then
1.43 itojun 450: for f in /etc/mail/aliases /etc/aliases; do
451: if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
452: printf "\nEntry for uudecode in $f file.\n"
453: fi
454: done
1.9 cgd 455: fi
456:
457: # Files that should not have + signs.
1.32 lukem 458: #
1.31 lukem 459: if checkyesno check_rhosts; then
1.15 mrg 460: list="/etc/hosts.equiv /etc/hosts.lpd"
461: for f in $list ; do
462: if [ -f $f ] && egrep '\+' $f > /dev/null ; then
463: printf "\nPlus sign in $f file.\n"
464: fi
465: done
466:
467: # Check for special users with .rhosts files. Only root and toor should
1.16 mikel 468: # have .rhosts files. Also, .rhosts files should not have plus signs.
1.15 mrg 469: awk -F: '$1 != "root" && $1 != "toor" && \
470: ($3 < 100 || $1 == "ftp" || $1 == "uucp") \
1.20 mycroft 471: { print $1 " " $9 }' $MP |
1.19 mycroft 472: sort -k2 |
1.15 mrg 473: while read uid homedir; do
474: if [ -f ${homedir}/.rhosts ] ; then
475: rhost=`ls -ldgT ${homedir}/.rhosts`
1.46 christos 476: printf -- "$uid: $rhost\n"
1.15 mrg 477: fi
478: done > $OUTPUT
479: if [ -s $OUTPUT ] ; then
480: printf "\nChecking for special users with .rhosts files.\n"
481: cat $OUTPUT
482: fi
483:
484: while read uid homedir; do
1.35 fair 485: if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
1.41 christos 486: cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
1.46 christos 487: printf -- "$uid: + in .rhosts file.\n"
1.15 mrg 488: fi
1.29 lukem 489: done < $MPBYPATH > $OUTPUT
1.15 mrg 490: if [ -s $OUTPUT ] ; then
491: printf "\nChecking .rhosts files syntax.\n"
492: cat $OUTPUT
493: fi
1.9 cgd 494: fi
495:
496: # Check home directories. Directories should not be owned by someone else
1.80 wiz 497: # or writable.
1.32 lukem 498: #
1.31 lukem 499: if checkyesno check_homes; then
1.85 jhawk 500: checkyesno check_homes_permit_usergroups && \
501: permit_usergroups=1 || permit_usergroups=0
1.15 mrg 502: while read uid homedir; do
503: if [ -d ${homedir}/ ] ; then
504: file=`ls -ldgT ${homedir}`
1.46 christos 505: printf -- "$uid $file\n"
1.9 cgd 506: fi
1.29 lukem 507: done < $MPBYPATH |
1.85 jhawk 508: awk -v "usergroups=$permit_usergroups" '
509: $1 != $4 && $4 != "root" \
1.15 mrg 510: { print "user " $1 " home directory is owned by " $4 }
1.101 jnemeth 511: $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
1.80 wiz 512: { print "user " $1 " home directory is group writable" }
1.101 jnemeth 513: $2 ~ /^d.......w/ \
1.80 wiz 514: { print "user " $1 " home directory is other writable" }' \
1.27 lukem 515: > $OUTPUT
1.15 mrg 516: if [ -s $OUTPUT ] ; then
517: printf "\nChecking home directories.\n"
518: cat $OUTPUT
519: fi
520:
521: # Files that should not be owned by someone else or readable.
1.67 lukem 522: list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
1.15 mrg 523: while read uid homedir; do
524: for f in $list ; do
525: file=${homedir}/${f}
526: if [ -f $file ] ; then
1.46 christos 527: printf -- "$uid $f `ls -ldgT $file`\n"
1.15 mrg 528: fi
529: done
1.29 lukem 530: done < $MPBYPATH |
1.85 jhawk 531: awk -v "usergroups=$permit_usergroups" '
532: $1 != $5 && $5 != "root" \
1.15 mrg 533: { print "user " $1 " " $2 " file is owned by " $5 }
1.85 jhawk 534: $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
1.15 mrg 535: { print "user " $1 " " $2 " file is group readable" }
536: $3 ~ /^-......r/ \
537: { print "user " $1 " " $2 " file is other readable" }
1.85 jhawk 538: $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
1.80 wiz 539: { print "user " $1 " " $2 " file is group writable" }
1.15 mrg 540: $3 ~ /^-.......w/ \
1.80 wiz 541: { print "user " $1 " " $2 " file is other writable" }' \
1.27 lukem 542: > $OUTPUT
1.15 mrg 543:
1.80 wiz 544: # Files that should not be owned by someone else or writable.
1.19 mycroft 545: list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
1.79 elric 546: .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
547: .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
548: .twmrc .xinitrc .xsession .ssh/authorized_keys \
549: .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
550: .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
551: .ssh/known_hosts2"
1.15 mrg 552: while read uid homedir; do
553: for f in $list ; do
554: file=${homedir}/${f}
555: if [ -f $file ] ; then
1.46 christos 556: printf -- "$uid $f `ls -ldgT $file`\n"
1.15 mrg 557: fi
558: done
1.29 lukem 559: done < $MPBYPATH |
1.85 jhawk 560: awk -v "usergroups=$permit_usergroups" '
561: $1 != $5 && $5 != "root" \
1.15 mrg 562: { print "user " $1 " " $2 " file is owned by " $5 }
1.85 jhawk 563: $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
1.80 wiz 564: { print "user " $1 " " $2 " file is group writable" }
1.15 mrg 565: $3 ~ /^-.......w/ \
1.80 wiz 566: { print "user " $1 " " $2 " file is other writable" }' \
1.27 lukem 567: >> $OUTPUT
1.15 mrg 568: if [ -s $OUTPUT ] ; then
569: printf "\nChecking dot files.\n"
570: cat $OUTPUT
571: fi
1.9 cgd 572: fi
573:
574: # Mailboxes should be owned by user and unreadable.
1.32 lukem 575: #
1.31 lukem 576: if checkyesno check_varmail; then
1.86 jhawk 577: ls -lA /var/mail | \
1.63 lukem 578: awk ' NR == 1 { next; }
1.86 jhawk 579: $9 ~ /^\./ {next; }
1.63 lukem 580: $3 != $9 {
581: print "user " $9 " mailbox is owned by " $3
582: }
583: $1 != "-rw-------" {
584: print "user " $9 " mailbox is " $1 ", group " $4
585: }' > $OUTPUT
1.15 mrg 586: if [ -s $OUTPUT ] ; then
587: printf "\nChecking mailbox ownership.\n"
588: cat $OUTPUT
589: fi
590: fi
591:
1.32 lukem 592: # NFS exports shouldn't be globally exported
593: #
594: if checkyesno check_nfs && [ -f /etc/exports ]; then
595: awk '{
1.22 lukem 596: # ignore comments and blank lines
1.39 hubertf 597: if ($0 ~ /^\#/ || $0 ~ /^$/ )
1.22 lukem 598: next;
1.100 tron 599: # manage line continuation
600: while ($NF ~ /^\\$/) {
601: $NF = "";
602: line = $0 "";
603: getline;
604: $0 = line $0 "";
605: }
1.22 lukem 606:
1.100 tron 607: delete dir;
608: readonly = ndir = 0;
609: for (i = 1; i <= NF; ++i) {
610: if ($i ~ /^\//) dir[ndir++] = $i;
611: else if ($i ~ /^-/) {
612: if ($i ~ /^-(ro|o)$/) readonly = 1;
613: if ($i ~ /^-network/) next;
614: }
615: else next;
1.15 mrg 616: }
617: if (readonly)
1.100 tron 618: for (item in dir)
619: rodir[nrodir++] = dir[item];
1.15 mrg 620: else
1.100 tron 621: for (item in dir)
622: rwdir[nrwdir++] = dir[item];
623:
624: }
625:
626: END {
627: if (nrodir) {
628: printf("Globally exported file system%s, read-only:\n",
629: nrodir > 1 ? "s" : "");
630: for (item in rodir)
631: printf("\t%s\n", rodir[item]);
632: }
633: if (nrwdir) {
634: printf("Globally exported file system%s, read-write:\n",
635: nrwdir > 1 ? "s" : "");
636: for (item in rwdir)
637: printf("\t%s\n", rwdir[item]);
638: }
1.32 lukem 639: }' < /etc/exports > $OUTPUT
640: if [ -s $OUTPUT ] ; then
1.15 mrg 641: printf "\nChecking for globally exported file systems.\n"
642: cat $OUTPUT
643: fi
1.9 cgd 644: fi
645:
646: # Display any changes in setuid files and devices.
1.32 lukem 647: #
1.31 lukem 648: if checkyesno check_devices; then
1.28 lukem 649: > $ERR
1.92 erh 650: (
1.98 lukem 651:
652: # Convert check_devices_ignore_fstypes="foo !bar bax"
653: # into "-fstype foo -o ! -fstype bar -o -fstype bax"
654: # and check_devices_ignore_paths="/foo !/bar /bax"
655: # into " -path /foo -o ! -path /bar -o -path /bax"
656: #
657: ignexpr=$(\
658: echo $check_devices_ignore_fstypes | \
659: sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
660: echo $check_devices_ignore_paths | \
661: sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
662: )
663:
664: # Massage the expression into ( $ignexpr ) -a -prune -o
665: if [ -n "${ignexpr}" ]; then
666: ignexpr=$(\
667: echo $ignexpr | \
668: sed -e 's/^-o /( /' \
669: -e 's/$/ ) -a -prune -o/' \
670: )
671: fi
672:
673: find / $ignexpr \
1.21 mycroft 674: \( \( -perm -u+s -a ! -type d \) -o \
675: \( -perm -g+s -a ! -type d \) -o \
1.24 lukem 676: -type b -o -type c \) -print0 | \
1.98 lukem 677: xargs -0 ls -ldgTq | sort +9 > $LIST
678:
679: ) 2> $OUTPUT
1.15 mrg 680:
681: # Display any errors that occurred during system file walk.
682: if [ -s $OUTPUT ] ; then
1.28 lukem 683: printf "Setuid/device find errors:\n" >> $ERR
684: cat $OUTPUT >> $ERR
685: printf "\n" >> $ERR
1.15 mrg 686: fi
687:
688: # Display any changes in the setuid file list.
689: egrep -v '^[bc]' $LIST > $TMP1
690: if [ -s $TMP1 ] ; then
691: # Check to make sure uudecode isn't setuid.
692: if grep -w uudecode $TMP1 > /dev/null ; then
1.28 lukem 693: printf "\nUudecode is setuid.\n" >> $ERR
1.15 mrg 694: fi
695:
1.67 lukem 696: file=$work_dir/setuid
697: migrate_file "$backup_dir/setuid" "$file"
698: CUR=${file}.current
699: BACK=${file}.backup
1.15 mrg 700: if [ -s $CUR ] ; then
701: if cmp -s $CUR $TMP1 ; then
702: :
703: else
704: > $TMP2
705: join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
706: if [ -s $OUTPUT ] ; then
1.28 lukem 707: printf "Setuid additions:\n" >> $ERR
708: tee -a $TMP2 < $OUTPUT >> $ERR
709: printf "\n" >> $ERR
1.15 mrg 710: fi
711:
712: join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
713: if [ -s $OUTPUT ] ; then
1.28 lukem 714: printf "Setuid deletions:\n" >> $ERR
715: tee -a $TMP2 < $OUTPUT >> $ERR
716: printf "\n" >> $ERR
1.15 mrg 717: fi
718:
1.20 mycroft 719: sort -k10 $TMP2 $CUR $TMP1 | \
1.27 lukem 720: sed -e 's/[ ][ ]*/ /g' | \
721: uniq -u > $OUTPUT
1.15 mrg 722: if [ -s $OUTPUT ] ; then
1.28 lukem 723: printf "Setuid changes:\n" >> $ERR
724: column -t $OUTPUT >> $ERR
725: printf "\n" >> $ERR
1.15 mrg 726: fi
1.9 cgd 727:
1.52 atatat 728: backup_file update $TMP1 $CUR $BACK
1.9 cgd 729: fi
1.15 mrg 730: else
1.28 lukem 731: printf "Setuid additions:\n" >> $ERR
732: column -t $TMP1 >> $ERR
733: printf "\n" >> $ERR
1.52 atatat 734: backup_file add $TMP1 $CUR $BACK
1.9 cgd 735: fi
1.15 mrg 736: fi
737:
1.27 lukem 738: # Check for block and character disk devices that are readable or
1.80 wiz 739: # writable or not owned by root.operator.
1.15 mrg 740: >$TMP1
1.61 lukem 741: DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
1.57 simonb 742: sd se ss uk up vnd wd xd xy"
1.27 lukem 743: # DISKLIST="$DISKLIST ct mt st wt"
1.15 mrg 744: for i in $DISKLIST; do
745: egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
746: egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
747: done
748:
749: awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
1.25 lukem 750: { printf "Disk %s is user %s, group %s, permissions %s.\n", \
751: $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
1.15 mrg 752: if [ -s $OUTPUT ] ; then
1.28 lukem 753: printf "\nChecking disk ownership and permissions.\n" >> $ERR
754: cat $OUTPUT >> $ERR
755: printf "\n" >> $ERR
1.9 cgd 756: fi
757:
1.15 mrg 758: # Display any changes in the device file list.
1.20 mycroft 759: egrep '^[bc]' $LIST | sort -k11 > $TMP1
1.15 mrg 760: if [ -s $TMP1 ] ; then
1.67 lukem 761: file=$work_dir/device
762: migrate_file "$backup_dir/device" "$file"
763: CUR=${file}.current
764: BACK=${file}.backup
1.15 mrg 765:
766: if [ -s $CUR ] ; then
767: if cmp -s $CUR $TMP1 ; then
768: :
769: else
770: > $TMP2
771: join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
772: if [ -s $OUTPUT ] ; then
1.28 lukem 773: printf "Device additions:\n" >> $ERR
774: tee -a $TMP2 < $OUTPUT >> $ERR
775: printf "\n" >> $ERR
1.15 mrg 776: fi
777:
778: join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
779: if [ -s $OUTPUT ] ; then
1.28 lukem 780: printf "Device deletions:\n" >> $ERR
781: tee -a $TMP2 < $OUTPUT >> $ERR
782: printf "\n" >> $ERR
1.15 mrg 783: fi
784:
1.27 lukem 785: # Report any block device change. Ignore
786: # character devices, only the name is
787: # significant.
1.15 mrg 788: cat $TMP2 $CUR $TMP1 | \
1.27 lukem 789: sed -e '/^c/d' | \
790: sort -k11 | \
791: sed -e 's/[ ][ ]*/ /g' | \
792: uniq -u > $OUTPUT
1.15 mrg 793: if [ -s $OUTPUT ] ; then
1.28 lukem 794: printf "Block device changes:\n" >> $ERR
795: column -t $OUTPUT >> $ERR
796: printf "\n" >> $ERR
1.15 mrg 797: fi
1.9 cgd 798:
1.52 atatat 799: backup_file update $TMP1 $CUR $BACK
1.9 cgd 800: fi
1.15 mrg 801: else
1.28 lukem 802: printf "Device additions:\n" >> $ERR
803: column -t $TMP1 >> $ERR
804: printf "\n" >> $ERR
1.52 atatat 805: backup_file add $TMP1 $CUR $BACK >> $ERR
1.9 cgd 806: fi
1.28 lukem 807: fi
808: if [ -s $ERR ] ; then
809: printf "\nChecking setuid files and devices:\n"
810: cat $ERR
811: printf "\n"
1.9 cgd 812: fi
813: fi
814:
815: # Check special files.
816: # Check system binaries.
817: #
818: # Create the mtree tree specifications using:
1.67 lukem 819: # mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
1.38 kleink 820: # chown root:wheel DIR.secure
1.67 lukem 821: # chmod u+r,go= DIR.secure
1.9 cgd 822: #
823: # Note, this is not complete protection against Trojan horsed binaries, as
824: # the hacker can modify the tree specification to match the replaced binary.
825: # For details on really protecting yourself against modified binaries, see
826: # the mtree(8) manual page.
1.32 lukem 827: #
1.31 lukem 828: if checkyesno check_mtree; then
1.82 jhawk 829: if checkyesno check_mtree_follow_symlinks; then
830: check_mtree_flags="-L"
831: else
832: check_mtree_flags=""
833: fi
1.91 lukem 834: mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
1.87 jhawk 835: grep -v '^mtree: dev/tty: Device not configured$' >&2
1.15 mrg 836: if [ -s $OUTPUT ]; then
1.9 cgd 837: printf "\nChecking special files and directories.\n"
838: cat $OUTPUT
839: fi
840:
1.16 mikel 841: for file in /etc/mtree/*.secure; do
842: [ $file = '/etc/mtree/*.secure' ] && continue
1.9 cgd 843: tree=`sed -n -e '3s/.* //p' -e 3q $file`
1.82 jhawk 844: mtree $check_mtree_flags -f $file -p $tree > $TMP1
1.9 cgd 845: if [ -s $TMP1 ]; then
1.67 lukem 846: printf "\nChecking $tree:\n"
847: cat $TMP1
1.9 cgd 848: fi
1.67 lukem 849: done > $OUTPUT
1.15 mrg 850: if [ -s $OUTPUT ]; then
1.9 cgd 851: printf "\nChecking system binaries:\n"
852: cat $OUTPUT
853: fi
854: fi
855:
1.32 lukem 856: # Backup disklabels of available disks
857: #
858: if checkyesno check_disklabels; then
1.67 lukem 859: # migrate old disklabels
860: for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
861: $backup_dir/disklabel.* 2>/dev/null`; do
862: migrate_file "$file" "$work_dir/${file##*/}"
863: done
864:
1.103 tron 865: # generate list of old disklabels, fdisks & wedges and remove them
866: ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
1.52 atatat 867: egrep -v '\.(backup|current)(,v)?$' > $LABELS
1.32 lukem 868: xargs rm < $LABELS
869:
1.103 tron 870: # generate disklabels of all disks excluding: cd dk fd md st
871: disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'`
1.32 lukem 872: for i in $disks; do
1.67 lukem 873: disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
1.32 lukem 874: done
875:
1.67 lukem 876: # if fdisk is available, generate fdisks for: ed ld sd wd
877: if [ -x /sbin/fdisk ]; then
878: disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
879: for i in $disks; do
880: /sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
881: done
882: fi
883:
1.103 tron 884: # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid
885: if [ -x /sbin/dkctl ]; then
886: disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'`
887: for i in $disks; do
888: /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null
889: done
890: fi
891:
892: # append list of new disklabels, fdisks and wedges
893: ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
1.52 atatat 894: egrep -v '\.(backup|current)(,v)?$' >> $LABELS
1.62 atatat 895: CHANGELIST="$LABELS $CHANGELIST"
896: fi
897:
1.106 ! haad 898: if checkyesno check_lvm; then
! 899:
! 900: # generate list of existing LVM elements Physical Volumes, Volume Groups and Logical Volumes.
! 901: if [ -x /sbin/lvm ]; then
! 902: lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null
! 903: lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null
! 904: lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null
! 905: fi
! 906: ls -1d $work_dir/lvm.* 2>/dev/null |
! 907: egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS
! 908: CHANGELIST="$CHANGELIST $LVM_LABELS"
! 909: fi
! 910:
1.62 atatat 911: # Check for changes in the list of installed pkgs
912: #
1.65 lukem 913: if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
1.67 lukem 914: pkgs=$work_dir/pkgs
915: migrate_file "$backup_dir/pkgs" "$pkgs"
1.65 lukem 916: ( cd $pkgdb_dir
1.104 adrianp 917: $pkg_info | sort
1.62 atatat 918: echo ""
919: find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
1.72 lukem 920: xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
1.62 atatat 921: ) > $pkgs
1.67 lukem 922: echo "$pkgs" > $PKGS
1.62 atatat 923: CHANGELIST="$PKGS $CHANGELIST"
1.32 lukem 924: fi
925:
1.67 lukem 926: # List of files that get backed up and checked for any modifications.
1.9 cgd 927: # Any changes cause the files to rotate.
1.32 lukem 928: #
1.67 lukem 929: if checkyesno check_changelist ; then
1.91 lukem 930: mtree -D -k type -f $SPECIALSPEC -E exclude |
931: sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
1.67 lukem 932:
1.75 lukem 933: (
1.68 lukem 934: # Add other files which might dynamically exist:
1.67 lukem 935: # /etc/ifconfig.*
936: # /etc/raid*.conf
1.68 lukem 937: # /etc/rc.d/*
1.67 lukem 938: # /etc/rc.conf.d/*
1.68 lukem 939: #
1.75 lukem 940: echo "/etc/ifconfig.*"
941: echo "/etc/raid*.conf"
942: echo "/etc/rc.d/*"
943: echo "/etc/rc.conf.d/*"
1.106 ! haad 944: echo "/etc/lvm/backup/*"
! 945: echo "/etc/lvm/archive/*"
1.67 lukem 946:
1.68 lukem 947: # Add /etc/changelist
948: #
1.75 lukem 949: if [ -s /etc/changelist ]; then
950: grep -v '^#' /etc/changelist
951: fi
952: ) | while read file; do
953: case "$file" in
954: *[\*\?\[]*) # If changelist line is a glob ...
955: # ... expand possible backup files
956: #
957: ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
958: | sed "s,^$backup_dir/,, ; s,\.current$,,"
959:
960: # ... expand possible files
961: #
962: ls -1d $(echo $file) 2>/dev/null
963: ;;
964: *)
965: # Otherwise, just print the filename
966: echo $file
967: ;;
968: esac
969: done >> $CHANGEFILES
1.67 lukem 970: CHANGELIST="$CHANGEFILES $CHANGELIST"
971: fi
972:
973: # Special case backups, including the master password file and
974: # ssh private host keys. The normal backup mechanisms for
975: # $check_changelist (see below) also print out the actual file
976: # differences and we don't want to do that for these files
977: #
978: echo $MP > $TMP1 # always add /etc/master.passwd
1.91 lukem 979: mtree -D -k type -f $SPECIALSPEC -I nodiff |
980: sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
1.73 lukem 981: grep -v '^$' $TMP1 | sort -u > $TMP2
1.68 lukem 982:
1.69 lukem 983: while read file; do
1.67 lukem 984: backup_and_diff "$file" no
1.69 lukem 985: done < $TMP2
1.67 lukem 986:
1.32 lukem 987:
988: if [ -n "$CHANGELIST" ]; then
1.73 lukem 989: grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
1.68 lukem 990: comm -23 $TMP1 $TMP2 | while read file; do
1.67 lukem 991: backup_and_diff "$file" yes
1.9 cgd 992: done
1.44 ad 993: fi
994:
995: if [ -f /etc/security.local ]; then
1.90 kim 996: . /etc/security.local > $OUTPUT 2>&1
1.84 jhawk 997: if [ -s $OUTPUT ] ; then
998: printf "\nRunning /etc/security.local:\n"
999: cat $OUTPUT
1000: fi
1.9 cgd 1001: fi
CVSweb <webmaster@jp.NetBSD.org>