head 1.132; access; symbols netbsd-11-0-RC3:1.132 netbsd-11-0-RC2:1.132 netbsd-11-0-RC1:1.132 perseant-exfatfs-base-20250801:1.132 netbsd-11:1.132.0.2 netbsd-11-base:1.132 netbsd-10-1-RELEASE:1.129.2.1 perseant-exfatfs-base-20240630:1.131 perseant-exfatfs:1.131.0.2 perseant-exfatfs-base:1.131 netbsd-8-3-RELEASE:1.121 netbsd-9-4-RELEASE:1.124 netbsd-10-0-RELEASE:1.129.2.1 netbsd-10-0-RC6:1.129.2.1 netbsd-10-0-RC5:1.129.2.1 netbsd-10-0-RC4:1.129.2.1 netbsd-10-0-RC3:1.129.2.1 netbsd-10-0-RC2:1.129.2.1 netbsd-10-0-RC1:1.129.2.1 netbsd-10:1.129.0.2 netbsd-10-base:1.129 netbsd-9-3-RELEASE:1.124 cjep_sun2x-base1:1.128 cjep_sun2x:1.128.0.4 cjep_sun2x-base:1.128 cjep_staticlib_x-base1:1.128 netbsd-9-2-RELEASE:1.124 cjep_staticlib_x:1.128.0.2 cjep_staticlib_x-base:1.128 netbsd-9-1-RELEASE:1.124 phil-wifi-20200421:1.126 phil-wifi-20200411:1.126 is-mlppp:1.126.0.2 is-mlppp-base:1.126 phil-wifi-20200406:1.126 netbsd-8-2-RELEASE:1.121 netbsd-9-0-RELEASE:1.124 netbsd-9-0-RC2:1.124 netbsd-9-0-RC1:1.124 phil-wifi-20191119:1.125 netbsd-9:1.124.0.2 netbsd-9-base:1.124 phil-wifi-20190609:1.124 netbsd-8-1-RELEASE:1.121 netbsd-8-1-RC1:1.121 pgoyette-compat-merge-20190127:1.122.2.2 pgoyette-compat-20190127:1.124 pgoyette-compat-20190118:1.124 pgoyette-compat-1226:1.124 pgoyette-compat-1126:1.124 pgoyette-compat-1020:1.124 pgoyette-compat-0930:1.123 pgoyette-compat-0906:1.122 netbsd-7-2-RELEASE:1.115 pgoyette-compat-0728:1.122 netbsd-8-0-RELEASE:1.121 phil-wifi:1.122.0.4 phil-wifi-base:1.122 pgoyette-compat-0625:1.122 netbsd-8-0-RC2:1.121 pgoyette-compat-0521:1.122 pgoyette-compat-0502:1.122 pgoyette-compat-0422:1.122 netbsd-8-0-RC1:1.121 pgoyette-compat-0415:1.122 pgoyette-compat-0407:1.122 pgoyette-compat-0330:1.122 pgoyette-compat-0322:1.122 pgoyette-compat-0315:1.122 netbsd-7-1-2-RELEASE:1.115 pgoyette-compat:1.122.0.2 pgoyette-compat-base:1.122 netbsd-7-1-1-RELEASE:1.115 matt-nb8-mediatek:1.121.0.12 matt-nb8-mediatek-base:1.121 perseant-stdc-iso10646:1.121.0.10 perseant-stdc-iso10646-base:1.121 netbsd-8:1.121.0.8 netbsd-8-base:1.121 prg-localcount2-base3:1.121 prg-localcount2-base2:1.121 prg-localcount2-base1:1.121 prg-localcount2:1.121.0.6 prg-localcount2-base:1.121 pgoyette-localcount-20170426:1.121 bouyer-socketcan-base1:1.121 pgoyette-localcount-20170320:1.121 netbsd-7-1:1.115.0.10 netbsd-7-1-RELEASE:1.115 netbsd-7-1-RC2:1.115 netbsd-7-nhusb-base-20170116:1.115 bouyer-socketcan:1.121.0.4 bouyer-socketcan-base:1.121 pgoyette-localcount-20170107:1.121 netbsd-7-1-RC1:1.115 pgoyette-localcount-20161104:1.121 netbsd-7-0-2-RELEASE:1.115 localcount-20160914:1.121 netbsd-7-nhusb:1.115.0.8 netbsd-7-nhusb-base:1.115 pgoyette-localcount-20160806:1.121 pgoyette-localcount-20160726:1.121 pgoyette-localcount:1.121.0.2 pgoyette-localcount-base:1.121 netbsd-7-0-1-RELEASE:1.115 netbsd-7-0:1.115.0.6 netbsd-7-0-RELEASE:1.115 netbsd-7-0-RC3:1.115 netbsd-7-0-RC2:1.115 netbsd-7-0-RC1:1.115 netbsd-5-2-3-RELEASE:1.105 netbsd-5-1-5-RELEASE:1.105 netbsd-6-0-6-RELEASE:1.110 netbsd-6-1-5-RELEASE:1.110 netbsd-7:1.115.0.4 netbsd-7-base:1.115 yamt-pagecache-base9:1.115 yamt-pagecache-tag8:1.110.4.1 netbsd-6-1-4-RELEASE:1.110 netbsd-6-0-5-RELEASE:1.110 tls-earlyentropy:1.115.0.2 tls-earlyentropy-base:1.115 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.115 riastradh-drm2-base3:1.115 netbsd-6-1-3-RELEASE:1.110 netbsd-6-0-4-RELEASE:1.110 netbsd-5-2-2-RELEASE:1.105 netbsd-5-1-4-RELEASE:1.105 netbsd-6-1-2-RELEASE:1.110 netbsd-6-0-3-RELEASE:1.110 netbsd-5-2-1-RELEASE:1.105 netbsd-5-1-3-RELEASE:1.105 netbsd-6-1-1-RELEASE:1.110 riastradh-drm2-base2:1.112 riastradh-drm2-base1:1.112 riastradh-drm2:1.112.0.4 riastradh-drm2-base:1.112 netbsd-6-1:1.110.0.12 netbsd-6-0-2-RELEASE:1.110 netbsd-6-1-RELEASE:1.110 khorben-n900:1.112.0.2 netbsd-6-1-RC4:1.110 netbsd-6-1-RC3:1.110 agc-symver:1.111.0.6 agc-symver-base:1.111 netbsd-6-1-RC2:1.110 netbsd-6-1-RC1:1.110 yamt-pagecache-base8:1.111 netbsd-5-2:1.105.0.24 netbsd-6-0-1-RELEASE:1.110 yamt-pagecache-base7:1.111 netbsd-5-2-RELEASE:1.105 netbsd-5-2-RC1:1.105 matt-nb6-plus-nbase:1.110 yamt-pagecache-base6:1.111 netbsd-6-0:1.110.0.10 netbsd-6-0-RELEASE:1.110 netbsd-6-0-RC2:1.110 tls-maxphys:1.111.0.2 tls-maxphys-base:1.115 matt-nb6-plus:1.110.0.8 matt-nb6-plus-base:1.110 netbsd-6-0-RC1:1.110 yamt-pagecache-base5:1.111 yamt-pagecache-base4:1.111 netbsd-6:1.110.0.6 netbsd-6-base:1.110 netbsd-5-1-2-RELEASE:1.105 netbsd-5-1-1-RELEASE:1.105 yamt-pagecache-base3:1.110 yamt-pagecache-base2:1.110 yamt-pagecache:1.110.0.4 yamt-pagecache-base:1.110 cherry-xenmp:1.110.0.2 cherry-xenmp-base:1.110 bouyer-quota2-nbase:1.110 bouyer-quota2:1.109.0.2 bouyer-quota2-base:1.109 matt-mips64-premerge-20101231:1.109 matt-nb5-mips64-premerge-20101231:1.105 matt-nb5-pq3:1.105.0.22 matt-nb5-pq3-base:1.105 netbsd-5-1:1.105.0.20 netbsd-5-1-RELEASE:1.105 netbsd-5-1-RC4:1.105 matt-nb5-mips64-k15:1.105 netbsd-5-1-RC3:1.105 netbsd-5-1-RC2:1.105 netbsd-5-1-RC1:1.105 netbsd-5-0-2-RELEASE:1.105 matt-nb5-mips64-premerge-20091211:1.105 matt-premerge-20091211:1.106 matt-nb5-mips64-u2-k2-k4-k7-k8-k9:1.105 matt-nb4-mips64-k7-u2a-k9b:1.105 matt-nb5-mips64-u1-k1-k5:1.105 matt-nb5-mips64:1.105.0.18 netbsd-5-0-1-RELEASE:1.105 jym-xensuspend-nbase:1.106 netbsd-5-0:1.105.0.16 netbsd-5-0-RELEASE:1.105 netbsd-5-0-RC4:1.105 netbsd-5-0-RC3:1.105 netbsd-5-0-RC2:1.105 jym-xensuspend:1.106.0.2 jym-xensuspend-base:1.106 netbsd-5-0-RC1:1.105 mjf-devfs2-base2:1.105 netbsd-5:1.105.0.14 netbsd-5-base:1.105 matt-mips64-base2:1.105 matt-mips64:1.102.0.4 netbsd-4-0-1-RELEASE:1.100.2.4 wrstuden-revivesa-base-3:1.105 wrstuden-revivesa-base-2:1.105 wrstuden-fixsa-newbase:1.100.2.4 wrstuden-revivesa-base-1:1.105 yamt-pf42-base4:1.105 yamt-pf42-base3:1.105 hpcarm-cleanup-nbase:1.105 yamt-pf42-baseX:1.105 yamt-pf42-base2:1.105 wrstuden-revivesa:1.105.0.12 wrstuden-revivesa-base:1.105 yamt-pf42:1.105.0.10 yamt-pf42-base:1.105 mjf-devfs2:1.105.0.8 mjf-devfs2-base:1.105 keiichi-mipv6:1.105.0.6 keiichi-mipv6-base:1.105 mjf-devfs:1.105.0.4 mjf-devfs-base:1.105 matt-armv6-nbase:1.105 matt-armv6-prevmlocking:1.103.2.1 wrstuden-fixsa-base-1:1.100.2.4 netbsd-4-0:1.100.2.4.0.2 netbsd-4-0-RELEASE:1.100.2.4 cube-autoconf:1.105.0.2 cube-autoconf-base:1.105 netbsd-4-0-RC5:1.100.2.4 netbsd-4-0-RC4:1.100.2.4 netbsd-4-0-RC3:1.100.2.4 netbsd-4-0-RC2:1.100.2.4 netbsd-4-0-RC1:1.100.2.3 matt-armv6:1.103.0.2 matt-armv6-base:1.105 matt-mips64-base:1.102 hpcarm-cleanup:1.102.0.2 hpcarm-cleanup-base:1.105 netbsd-3-1-1-RELEASE:1.94.2.3.2.2 netbsd-3-0-3-RELEASE:1.94.2.1.2.2 wrstuden-fixsa:1.100.2.1.0.2 wrstuden-fixsa-base:1.100.2.4 abandoned-netbsd-4-base:1.98 abandoned-netbsd-4:1.98.0.2 netbsd-3-1:1.94.2.3.0.2 netbsd-3-1-RELEASE:1.94.2.3 netbsd-3-0-2-RELEASE:1.94.2.1 netbsd-3-1-RC4:1.94.2.3 netbsd-3-1-RC3:1.94.2.2 netbsd-3-1-RC2:1.94.2.2 netbsd-3-1-RC1:1.94.2.2 netbsd-4:1.100.0.2 netbsd-4-base:1.100 netbsd-3-0-1-RELEASE:1.94.2.1 netbsd-3-0:1.94.2.1.0.2 netbsd-3-0-RELEASE:1.94.2.1 netbsd-3-0-RC6:1.94.2.1 netbsd-3-0-RC5:1.94.2.1 netbsd-3-0-RC4:1.94.2.1 netbsd-3-0-RC3:1.94.2.1 netbsd-3-0-RC2:1.94.2.1 netbsd-3-0-RC1:1.94.2.1 netbsd-2-0-3-RELEASE:1.88 netbsd-2-1:1.88.0.6 netbsd-2-1-RELEASE:1.88 netbsd-2-1-RC6:1.88 netbsd-2-1-RC5:1.88 netbsd-2-1-RC4:1.88 netbsd-2-1-RC3:1.88 netbsd-2-1-RC2:1.88 netbsd-2-1-RC1:1.88 netbsd-2-0-2-RELEASE:1.88 netbsd-3:1.94.0.2 netbsd-3-base:1.94 netbsd-2-0-1-RELEASE:1.88 netbsd-2:1.88.0.4 netbsd-2-base:1.88 netbsd-2-0-RELEASE:1.88 netbsd-2-0-RC5:1.88 netbsd-2-0-RC4:1.88 netbsd-2-0-RC3:1.88 netbsd-2-0-RC2:1.88 netbsd-2-0-RC1:1.88 netbsd-2-0:1.88.0.2 netbsd-2-0-base:1.88 netbsd-1-6-PATCH002-RELEASE:1.75.2.2 netbsd-1-6-PATCH002:1.75.2.2 netbsd-1-6-PATCH002-RC4:1.75.2.2 netbsd-1-6-PATCH002-RC3:1.75.2.2 netbsd-1-6-PATCH002-RC2:1.75.2.2 netbsd-1-6-PATCH002-RC1:1.75.2.2 netbsd-1-6-PATCH001:1.75.2.2 netbsd-1-6-PATCH001-RELEASE:1.75.2.2 netbsd-1-6-PATCH001-RC3:1.75.2.2 netbsd-1-6-PATCH001-RC2:1.75.2.2 netbsd-1-6-PATCH001-RC1:1.75.2.2 fvdl_fs64_base:1.79 netbsd-1-6-RELEASE:1.75.2.2 netbsd-1-6-RC3:1.75.2.2 netbsd-1-6-RC2:1.75.2.2 netbsd-1-6-RC1:1.75.2.2 netbsd-1-6:1.75.0.2 netbsd-1-6-base:1.75 netbsd-1-5-PATCH003:1.44.4.2 netbsd-1-5-PATCH002:1.44.4.1 netbsd-1-5-PATCH001:1.44.4.1 netbsd-1-5-RELEASE:1.44.4.1 netbsd-1-5-BETA2:1.44.4.1 netbsd-1-5-BETA:1.44.4.1 netbsd-1-4-PATCH003:1.37.2.1 netbsd-1-5-ALPHA2:1.44.4.1 netbsd-1-5:1.44.0.4 netbsd-1-5-base:1.44 minoura-xpg4dl:1.44.0.2 minoura-xpg4dl-base:1.44 netbsd-1-4-PATCH002:1.37.2.1 wrstuden-devbsize-19991221:1.40 wrstuden-devbsize:1.40.0.4 wrstuden-devbsize-base:1.40 comdex-fall-1999:1.40.0.2 comdex-fall-1999-base:1.40 netbsd-1-4-PATCH001:1.37 netbsd-1-4-RELEASE:1.37 netbsd-1-4:1.37.0.2 netbsd-1-4-base:1.37 netbsd-1-3-PATCH003:1.30 netbsd-1-3-PATCH003-CANDIDATE2:1.30 netbsd-1-3-PATCH003-CANDIDATE1:1.30 netbsd-1-3-PATCH003-CANDIDATE0:1.30 netbsd-1-3-PATCH002:1.30 netbsd-1-3-PATCH001:1.30 netbsd-1-3-RELEASE:1.30 netbsd-1-3-BETA:1.30 netbsd-1-3:1.30.0.2 netbsd-1-3-base:1.30 netbsd-1-2-PATCH001:1.13 lite-2:1.1.1.2 lite-1:1.1.1.2 CSRG:1.1.1 netbsd-1-2-RELEASE:1.13 netbsd-1-2-BETA:1.13 netbsd-1-2-base:1.13 netbsd-1-2:1.13.0.4 netbsd-1-1-PATCH001:1.11 netbsd-1-1-RELEASE:1.11 netbsd-1-1:1.11.0.2 netbsd-1-1-base:1.11 netbsd-1-0-PATCH06:1.9.2.1 netbsd-1-0-PATCH05:1.9.2.1 netbsd-1-0-PATCH04:1.9.2.1 netbsd-1-0-PATCH03:1.9.2.1 netbsd-1-0-PATCH02:1.9.2.1 netbsd-1-0-PATCH1:1.9.2.1 netbsd-1-0-PATCH0:1.9.2.1 netbsd-1-0-RELEASE:1.9.2.1 netbsd-1-0:1.9.0.2 netbsd-1-0-base:1.9 netbsd-0-9-RELEASE:1.2 netbsd-0-9-BETA:1.2 netbsd-0-9-ALPHA2:1.2 netbsd-0-9-ALPHA:1.2 netbsd-0-9:1.2.0.2 netbsd-0-9-base:1.2 netbsd-0-8:1.2 netbsd-alpha-1:1.2 patchkit-0-2-2:1.1.1.1 WFJ-386bsd-01:1.1.1.1 WFJ-920714:1.1.1; locks; strict; comment @# @; 1.132 date 2024.07.21.14.56.16; author he; state Exp; branches; next 1.131; commitid MYLZzS5Qslf0uIiF; 1.131 date 2023.07.05.12.07.21; author martin; state Exp; branches 1.131.2.1; next 1.130; commitid vvLxnub96AG0QBvE; 1.130 date 2023.06.30.21.42.29; author riastradh; state Exp; branches; next 1.129; commitid 6uCyrmLGhUAxb1vE; 1.129 date 2021.11.04.12.40.00; author nia; state Exp; branches 1.129.2.1; next 1.128; commitid e3Wu5aBwuDq1ztfD; 1.128 date 2021.01.10.23.24.25; author riastradh; state Exp; branches; next 1.127; commitid nvjdXwWVOKPFFeDC; 1.127 date 2020.12.02.14.18.13; author wiz; state Exp; branches; next 1.126; commitid 0spyv1YSJnfoWayC; 1.126 date 2019.12.06.14.43.30; author riastradh; state Exp; branches; next 1.125; commitid 36hsZmlDZdRyIENB; 1.125 date 2019.09.18.22.27.55; author uwe; state Exp; branches; next 1.124; commitid rU0CAPQShgGkPxDB; 1.124 date 2018.10.04.11.50.34; author kre; state Exp; branches; next 1.123; commitid 42qPSMz6FV65wDUA; 1.123 date 2018.09.23.23.48.33; author kre; state Exp; branches; next 1.122; commitid Vee09vQdmtC4PhTA; 1.122 date 2018.01.06.23.44.06; author mlelstv; state Exp; branches 1.122.2.1 1.122.4.1; next 1.121; commitid H2LNq7PHA9D2bSlA; 1.121 date 2016.02.29.16.16.42; author riastradh; state Exp; branches; next 1.120; commitid eaQCdy2I8qLzsPWy; 1.120 date 2015.04.20.22.46.35; author pgoyette; state Exp; branches; next 1.119; commitid hrxTq11f92dFJniy; 1.119 date 2015.02.14.19.46.55; author nakayama; state Exp; branches; next 1.118; commitid hk38ECMVRVN8Q0ay; 1.118 date 2014.12.13.02.17.35; author uebayasi; state Exp; branches; next 1.117; commitid CvRgmZeA9RaL3P1y; 1.117 date 2014.11.23.16.36.03; author christos; state Exp; branches; next 1.116; commitid OKPsDetBp4cVrkZx; 1.116 date 2014.08.27.13.56.02; author apb; state Exp; branches; next 1.115; commitid TU4ekMxv2xUwo0Ox; 1.115 date 2013.11.06.19.37.05; author spz; state Exp; branches; next 1.114; commitid zCe1RdRZ5dP4Ifcx; 1.114 date 2013.11.06.19.30.20; author spz; state Exp; branches; next 1.113; commitid U9S1SkQMfeToGfcx; 1.113 date 2013.09.08.08.19.40; author prlw1; state Exp; branches; next 1.112; commitid hSQ2d4CMXC3qSB4x; 1.112 date 2013.05.01.05.36.25; author agc; state Exp; branches; next 1.111; 1.111 date 2012.04.05.09.09.27; author spz; state Exp; branches 1.111.2.1; next 1.110; 1.110 date 2011.03.02.17.00.28; author christos; state Exp; branches 1.110.4.1; next 1.109; 1.109 date 2010.12.27.03.38.52; author christos; state Exp; branches 1.109.2.1; next 1.108; 1.108 date 2010.02.05.16.29.02; author jmmv; state Exp; branches; next 1.107; 1.107 date 2010.01.19.22.08.11; author jmmv; state Exp; branches; next 1.106; 1.106 date 2009.01.27.10.32.18; author haad; state Exp; branches; next 1.105; 1.105 date 2007.11.23.15.51.27; author dholland; state Exp; branches 1.105.4.1; next 1.104; 1.104 date 2007.08.27.19.57.02; author adrianp; state Exp; branches; next 1.103; 1.103 date 2007.08.09.07.50.58; author tron; state Exp; branches 1.103.2.1; next 1.102; 1.102 date 2007.06.06.13.30.48; author martti; state Exp; branches; next 1.101; 1.101 date 2007.03.27.08.37.58; author jnemeth; state Exp; branches; next 1.100; 1.100 date 2006.09.26.08.32.40; author tron; state Exp; branches 1.100.2.1; next 1.99; 1.99 date 2006.09.23.04.07.01; author jmcneill; state Exp; branches; next 1.98; 1.98 date 2006.05.25.02.38.10; author lukem; state Exp; branches; next 1.97; 1.97 date 2006.04.17.07.38.53; author veego; state Exp; branches; next 1.96; 1.96 date 2006.01.29.23.17.24; author rpaulo; state Exp; branches; next 1.95; 1.95 date 2005.04.11.15.46.42; author peter; state Exp; branches; next 1.94; 1.94 date 2005.02.05.15.26.37; author jdolecek; state Exp; branches 1.94.2.1; next 1.93; 1.93 date 2004.11.21.19.00.12; author kim; state Exp; branches; next 1.92; 1.92 date 2004.09.28.15.03.58; author erh; state Exp; branches; next 1.91; 1.91 date 2004.07.23.06.12.16; author lukem; state Exp; branches; next 1.90; 1.90 date 2004.04.09.17.33.35; author kim; state Exp; branches; next 1.89; 1.89 date 2004.04.02.13.13.47; author jmmv; state Exp; branches; next 1.88; 1.88 date 2004.02.09.09.04.13; author jdolecek; state Exp; branches 1.88.2.1 1.88.4.1 1.88.6.1; next 1.87; 1.87 date 2003.11.19.20.28.19; author jhawk; state Exp; branches; next 1.86; 1.86 date 2003.11.18.03.30.40; author jhawk; state Exp; branches; next 1.85; 1.85 date 2003.11.18.03.23.53; author jhawk; state Exp; branches; next 1.84; 1.84 date 2003.10.01.04.29.03; author jhawk; state Exp; branches; next 1.83; 1.83 date 2003.02.21.22.47.51; author jhawk; state Exp; branches; next 1.82; 1.82 date 2003.02.13.02.42.06; author jhawk; state Exp; branches; next 1.81; 1.81 date 2003.02.13.01.55.10; author jhawk; state Exp; branches; next 1.80; 1.80 date 2003.01.06.20.30.30; author wiz; state Exp; branches; next 1.79; 1.79 date 2002.08.20.07.53.51; author elric; state Exp; branches; next 1.78; 1.78 date 2002.06.18.22.43.53; author itojun; state Exp; branches; next 1.77; 1.77 date 2002.06.18.22.21.43; author itojun; state Exp; branches; next 1.76; 1.76 date 2002.06.10.16.04.48; author atatat; state Exp; branches; next 1.75; 1.75 date 2002.05.21.13.50.46; author lukem; state Exp; branches 1.75.2.1; next 1.74; 1.74 date 2001.12.18.00.44.20; author lukem; state Exp; branches; next 1.73; 1.73 date 2001.11.09.09.01.20; author lukem; state Exp; branches; next 1.72; 1.72 date 2001.10.18.16.08.24; author lukem; state Exp; branches; next 1.71; 1.71 date 2001.10.18.14.50.17; author taca; state Exp; branches; next 1.70; 1.70 date 2001.10.15.03.00.22; author lukem; state Exp; branches; next 1.69; 1.69 date 2001.10.14.00.42.31; author lukem; state Exp; branches; next 1.68; 1.68 date 2001.10.13.14.22.11; author lukem; state Exp; branches; next 1.67; 1.67 date 2001.10.12.05.18.23; author lukem; state Exp; branches; next 1.66; 1.66 date 2001.10.05.01.06.17; author lukem; state Exp; branches; next 1.65; 1.65 date 2001.10.03.15.41.25; author lukem; state Exp; branches; next 1.64; 1.64 date 2001.10.03.07.04.32; author cjs; state Exp; branches; next 1.63; 1.63 date 2001.10.03.00.12.17; author lukem; state Exp; branches; next 1.62; 1.62 date 2001.10.01.02.21.20; author atatat; state Exp; branches; next 1.61; 1.61 date 2001.09.24.03.19.43; author lukem; state Exp; branches; next 1.60; 1.60 date 2001.09.23.19.51.20; author perry; state Exp; branches; next 1.59; 1.59 date 2001.09.23.19.10.25; author perry; state Exp; branches; next 1.58; 1.58 date 2001.09.22.04.06.23; author perry; state Exp; branches; next 1.57; 1.57 date 2001.08.26.11.55.38; author simonb; state Exp; branches; next 1.56; 1.56 date 2001.06.18.10.54.02; author lukem; state Exp; branches; next 1.55; 1.55 date 2001.06.14.07.50.07; author lukem; state Exp; branches; next 1.54; 1.54 date 2001.05.10.14.19.27; author atatat; state Exp; branches; next 1.53; 1.53 date 2001.05.10.14.10.15; author atatat; state Exp; branches; next 1.52; 1.52 date 2001.04.04.03.17.19; author atatat; state Exp; branches; next 1.51; 1.51 date 2001.03.15.02.23.47; author hubertf; state Exp; branches; next 1.50; 1.50 date 2001.03.12.16.48.13; author atatat; state Exp; branches; next 1.49; 1.49 date 2001.02.11.09.55.09; author jdolecek; state Exp; branches; next 1.48; 1.48 date 2001.01.09.17.30.29; author abs; state Exp; branches; next 1.47; 1.47 date 2000.10.07.07.36.56; author lukem; state Exp; branches; next 1.46; 1.46 date 2000.09.10.21.27.50; author christos; state Exp; branches; next 1.45; 1.45 date 2000.07.02.22.27.47; author sommerfeld; state Exp; branches; next 1.44; 1.44 date 2000.05.26.17.08.21; author ad; state Exp; branches 1.44.4.1; next 1.43; 1.43 date 2000.05.05.18.28.53; author itojun; state Exp; branches; next 1.42; 1.42 date 2000.04.24.23.46.37; author fair; state Exp; branches; next 1.41; 1.41 date 2000.01.15.01.15.12; author christos; state Exp; branches; next 1.40; 1.40 date 99.09.05.15.11.42; author perry; state Exp; branches; next 1.39; 1.39 date 99.07.22.00.47.50; author hubertf; state Exp; branches; next 1.38; 1.38 date 99.04.23.08.20.28; author kleink; state Exp; branches; next 1.37; 1.37 date 99.03.17.19.11.05; author wrstuden; state Exp; branches 1.37.2.1; next 1.36; 1.36 date 99.03.17.02.58.11; author wrstuden; state Exp; branches; next 1.35; 1.35 date 99.03.16.06.18.17; author fair; state Exp; branches; next 1.34; 1.34 date 99.02.18.18.53.33; author abs; state Exp; branches; next 1.33; 1.33 date 98.09.14.19.42.42; author tv; state Exp; branches; next 1.32; 1.32 date 98.08.25.13.47.29; author lukem; state Exp; branches; next 1.31; 1.31 date 98.01.26.12.02.55; author lukem; state Exp; branches; next 1.30; 1.30 date 97.10.08.16.13.44; author mycroft; state Exp; branches; next 1.29; 1.29 date 97.09.23.14.36.56; author lukem; state Exp; branches; next 1.28; 1.28 date 97.09.18.05.16.19; author lukem; state Exp; branches; next 1.27; 1.27 date 97.08.22.09.40.17; author lukem; state Exp; branches; next 1.26; 1.26 date 97.08.19.12.08.35; author lukem; state Exp; branches; next 1.25; 1.25 date 97.06.24.02.32.38; author lukem; state Exp; branches; next 1.24; 1.24 date 97.06.24.01.16.47; author lukem; state Exp; branches; next 1.23; 1.23 date 97.06.23.11.59.30; author lukem; state Exp; branches; next 1.22; 1.22 date 97.06.23.01.49.15; author lukem; state Exp; branches; next 1.21; 1.21 date 97.04.21.17.38.39; author mycroft; state Exp; branches; next 1.20; 1.20 date 97.04.21.11.19.57; author mycroft; state Exp; branches; next 1.19; 1.19 date 97.04.21.11.14.41; author mycroft; state Exp; branches; next 1.18; 1.18 date 97.04.17.07.42.07; author mikel; state Exp; branches; next 1.17; 1.17 date 97.03.10.09.45.58; author mycroft; state Exp; branches; next 1.16; 1.16 date 97.02.14.08.52.05; author mikel; state Exp; branches; next 1.15; 1.15 date 97.01.05.11.46.12; author mrg; state Exp; branches; next 1.14; 1.14 date 96.05.22.00.51.08; author mrg; state Exp; branches; next 1.13; 1.13 date 96.01.14.00.58.25; author pk; state Exp; branches; next 1.12; 1.12 date 95.12.17.02.01.14; author thorpej; state Exp; branches; next 1.11; 1.11 date 95.01.31.16.09.45; author jtc; state Exp; branches; next 1.10; 1.10 date 94.10.18.16.52.57; author mycroft; state Exp; branches; next 1.9; 1.9 date 94.06.15.04.28.20; author cgd; state Exp; branches 1.9.2.1; next 1.8; 1.8 date 94.01.15.18.32.06; author cgd; state Exp; branches; next 1.7; 1.7 date 93.12.15.07.07.36; author mycroft; state Exp; branches; next 1.6; 1.6 date 93.10.27.16.59.13; author cgd; state Exp; branches; next 1.5; 1.5 date 93.10.27.09.54.31; author mycroft; state Exp; branches; next 1.4; 1.4 date 93.10.26.01.38.57; author cgd; state Exp; branches; next 1.3; 1.3 date 93.10.19.06.13.08; author mycroft; state Exp; branches; next 1.2; 1.2 date 93.04.02.08.00.48; author cgd; state Exp; branches; next 1.1; 1.1 date 93.03.21.09.45.37; author cgd; state Exp; branches 1.1.1.1; next ; 1.131.2.1 date 2025.08.02.05.20.42; author perseant; state Exp; branches; next ; commitid 23j6GFaDws3O875G; 1.129.2.1 date 2023.08.11.14.35.25; author martin; state Exp; branches; next ; commitid nYaaMWQ1aHVjtnAE; 1.122.2.1 date 2018.09.30.01.45.07; author pgoyette; state Exp; branches; next 1.122.2.2; commitid SQ44grEPCeKPh4UA; 1.122.2.2 date 2018.10.20.06.58.18; author pgoyette; state Exp; branches; next ; commitid mTSoqZEZ4arHnFWA; 1.122.4.1 date 2019.06.10.21.42.39; author christos; state Exp; branches; next 1.122.4.2; commitid jtc8rnCzWiEEHGqB; 1.122.4.2 date 2020.04.08.14.03.56; author martin; state Exp; branches; next 1.122.4.3; commitid Qli2aW9E74UFuA3C; 1.122.4.3 date 2020.04.13.07.45.38; author martin; state Exp; branches; next ; commitid X01YhRUPVUDaec4C; 1.111.2.1 date 2013.06.23.06.26.21; author tls; state Exp; branches; next 1.111.2.2; commitid OnlO1cBgtQRcIHUw; 1.111.2.2 date 2014.08.19.23.45.50; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.110.4.1 date 2012.04.17.00.02.56; author yamt; state Exp; branches; next 1.110.4.2; 1.110.4.2 date 2014.05.22.11.27.18; author yamt; state Exp; branches; next ; commitid spVi6gj5ReXSGwBx; 1.109.2.1 date 2011.03.05.15.08.41; author bouyer; state Exp; branches; next ; 1.105.4.1 date 2007.11.23.15.51.27; author dholland; state dead; branches; next 1.105.4.2; 1.105.4.2 date 2007.11.23.15.51.28; author dholland; state Exp; branches; next ; 1.103.2.1 date 2007.11.06.23.10.26; author matt; state Exp; branches; next 1.103.2.2; 1.103.2.2 date 2008.01.09.01.29.50; author matt; state Exp; branches; next ; 1.100.2.1 date 2007.05.08.09.53.46; author pavel; state Exp; branches 1.100.2.1.2.1; next 1.100.2.2; 1.100.2.2 date 2007.06.06.14.58.14; author liamjfoy; state Exp; branches; next 1.100.2.3; 1.100.2.3 date 2007.08.24.16.32.01; author liamjfoy; state Exp; branches; next 1.100.2.4; 1.100.2.4 date 2007.09.17.20.27.16; author bouyer; state Exp; branches; next ; 1.100.2.1.2.1 date 2007.09.03.06.57.48; author wrstuden; state Exp; branches; next 1.100.2.1.2.2; 1.100.2.1.2.2 date 2007.09.24.05.12.42; author wrstuden; state Exp; branches; next ; 1.94.2.1 date 2005.04.13.15.56.38; author tron; state Exp; branches 1.94.2.1.2.1; next 1.94.2.2; 1.94.2.2 date 2006.07.12.14.23.25; author tron; state Exp; branches; next 1.94.2.3; 1.94.2.3 date 2006.10.06.20.51.09; author ghen; state Exp; branches 1.94.2.3.2.1; next 1.94.2.4; 1.94.2.4 date 2007.05.27.20.39.43; author bouyer; state Exp; branches; next 1.94.2.5; 1.94.2.5 date 2007.06.07.11.22.33; author liamjfoy; state Exp; branches; next 1.94.2.6; 1.94.2.6 date 2007.09.17.20.05.07; author bouyer; state Exp; branches; next ; 1.94.2.1.2.1 date 2007.05.27.20.40.28; author bouyer; state Exp; branches; next 1.94.2.1.2.2; 1.94.2.1.2.2 date 2007.06.28.18.14.39; author ghen; state Exp; branches; next 1.94.2.1.2.3; 1.94.2.1.2.3 date 2007.09.17.20.07.16; author bouyer; state Exp; branches; next ; 1.94.2.3.2.1 date 2007.05.27.20.41.39; author bouyer; state Exp; branches; next 1.94.2.3.2.2; 1.94.2.3.2.2 date 2007.06.28.18.14.49; author ghen; state Exp; branches; next 1.94.2.3.2.3; 1.94.2.3.2.3 date 2007.09.17.20.08.21; author bouyer; state Exp; branches; next ; 1.88.2.1 date 2007.05.27.21.26.12; author bouyer; state Exp; branches; next 1.88.2.2; 1.88.2.2 date 2007.09.17.19.58.48; author bouyer; state Exp; branches; next ; 1.88.4.1 date 2007.05.27.21.25.13; author bouyer; state Exp; branches; next 1.88.4.2; 1.88.4.2 date 2007.09.17.19.57.09; author bouyer; state Exp; branches; next ; 1.88.6.1 date 2007.05.27.21.27.01; author bouyer; state Exp; branches; next 1.88.6.2; 1.88.6.2 date 2007.09.17.20.00.07; author bouyer; state Exp; branches; next ; 1.75.2.1 date 2002.06.10.17.42.32; author tv; state Exp; branches; next 1.75.2.2; 1.75.2.2 date 2002.08.07.00.55.54; author lukem; state Exp; branches; next ; 1.44.4.1 date 2000.07.03.02.27.20; author sommerfeld; state Exp; branches; next 1.44.4.2; 1.44.4.2 date 2001.12.09.17.44.18; author he; state Exp; branches; next 1.44.4.3; 1.44.4.3 date 2002.09.04.01.02.37; author itojun; state Exp; branches; next ; 1.37.2.1 date 99.09.10.22.15.11; author he; state Exp; branches; next ; 1.9.2.1 date 94.10.18.18.41.40; author cgd; state Exp; branches; next ; 1.1.1.1 date 93.03.21.09.45.37; author cgd; state Exp; branches; next 1.1.1.2; 1.1.1.2 date 97.02.15.05.27.55; author mikel; state Exp; branches; next ; desc @@ 1.132 log @etc/security: emit proper error message when there are dup groups. ...instead of erroring with "[: $grpname: unexpected operator". @ text @#!/bin/sh - # # $NetBSD: security,v 1.131 2023/07/05 12:07:21 martin Exp $ # from: @@(#)security 8.1 (Berkeley) 6/9/93 # PATH=/sbin:/usr/sbin:/bin:/usr/bin rcvar_manpage='security.conf(5)' if [ -f /etc/rc.subr ]; then . /etc/rc.subr else echo "Can't read /etc/rc.subr; aborting." exit 1; fi umask 077 TZ=UTC; export TZ if [ -s /etc/security.conf ]; then . /etc/security.conf fi if [ -s /etc/pkgpath.conf ]; then . /etc/pkgpath.conf fi # Set reasonable defaults (if they're not set in security.conf) # backup_dir=${backup_dir:-/var/backups} max_loginlen=${max_loginlen:-8} max_grouplen=${max_grouplen:-8} pkg_admin=${pkg_admin:-/usr/sbin/pkg_admin} pkg_info=${pkg_info:-/usr/sbin/pkg_info} # Other configurable variables # special_files="/etc/mtree/special /etc/mtree/special.local" MP=/etc/master.passwd CHANGELIST="" work_dir=$backup_dir/work if [ ! -d "$work_dir" ]; then mkdir -p "$work_dir" fi SECUREDIR=$(mktemp -d -t _securedir) || exit 1 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE if ! cd "$SECUREDIR"; then echo "Can not cd to $SECUREDIR". exit 1 fi ERR=err.$$ TMP1=tmp1.$$ TMP2=tmp2.$$ MPBYUID=mpbyuid.$$ MPBYPATH=mpbypath.$$ LIST=list.$$ OUTPUT=output.$$ LABELS=labels.$$ LVM_LABELS=lvm.$$ PKGS=pkgs.$$ CHANGEFILES=changefiles.$$ SPECIALSPEC=specialspec.$$ if [ -n "${pkgdb_dir}" ]; then echo "WARNING: Setting pkgdb_dir in security.conf(5) is deprecated" echo "WARNING: Please define PKG_DBDIR in pkg_install.conf(5) instead" _compat_K_flag="-K ${pkgdb_dir}" fi have_pkgs() { $pkg_info ${_compat_K_flag} -q -E '*' } # migrate_file old new # Determine if the "${old}" path name needs to be migrated to the # "${new}" path. Also checks if "${old}.current" needs migrating, # and if so, migrate it and possibly "${old}.current,v" and # "${old}.backup". # migrate_file() { _old=$1 _new=$2 if [ -z "$_old" ] || [ -z "$_new" ]; then err 3 "USAGE: migrate_file old new" fi if [ ! -d "${_new%/*}" ]; then mkdir -p "${_new%/*}" fi if [ -f "${_old}" ] && ! [ -f "${_new}" ]; then echo "==> migrating ${_old}" echo " to ${_new}" mv "${_old}" "${_new}" fi if [ -f "${_old}.current" ] && ! [ -f "${_new}.current" ]; then echo "==> migrating ${_old}.current" echo " to ${_new}.current" mv "${_old}.current" "${_new}.current" if [ -f "${_old}.current,v" ] && ! [ -f "${_new}.current,v" ]; then echo "==> migrating ${_old}.current,v" echo " to ${_new}.current,v" mv "${_old}.current,v" "${_new}.current,v" fi if [ -f "${_old}.backup" ] && ! [ -f "${_new}.backup" ]; then echo "==> migrating ${_old}.backup" echo " to ${_new}.backup" mv "${_old}.backup" "${_new}.backup" fi fi } # backup_and_diff file printdiff # Determine if file needs backing up, and if so, do it. # If printdiff is yes, display the diffs, otherwise # just print a message saying "[changes omitted]". # backup_and_diff() { _file=$1 _printdiff=$2 if [ -z "$_file" ] || [ -z "$_printdiff" ]; then err 3 "USAGE: backup_and_diff file printdiff" fi ! checkyesno _printdiff _printdiff=$? _old=$backup_dir/${_file##*/} case "$_file" in $work_dir/*) _new=$_file migrate_file "$backup_dir/$_old" "$_new" migrate_file "$_old" "$_new" ;; *) _new=$backup_dir/$_file migrate_file "$_old" "$_new" ;; esac CUR=${_new}.current BACK=${_new}.backup if [ -f $_file ]; then if [ -f $CUR ] ; then if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} $CUR $_file > $OUTPUT else if ! cmp -s $CUR $_file; then echo "[changes omitted]" fi > $OUTPUT fi if [ -s $OUTPUT ] ; then printf \ "\n======\n%s diffs (OLD < > NEW)\n======\n" $_file cat $OUTPUT backup_file update $_file $CUR $BACK fi else printf "\n======\n%s added\n======\n" $_file if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} /dev/null $_file else echo "[changes omitted]" fi backup_file add $_file $CUR $BACK fi else if [ -f $CUR ]; then printf "\n======\n%s removed\n======\n" $_file if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} $CUR /dev/null else echo "[changes omitted]" fi backup_file remove $_file $CUR $BACK fi fi } # These are used several times. # awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH for file in $special_files; do [ -s $file ] && cat $file done | mtree -CM -k all > $SPECIALSPEC || exit 1 # Check for enough entropy. # if checkyesno check_entropy; then if [ "$(sysctl -n kern.entropy.needed)" != 0 ]; then printf '\n' printf 'Entropy:\n' printf 'System may need more entropy for cryptography.\n' printf 'See the entropy(7) man page for details.\n' fi fi # Check the master password file syntax. # if checkyesno check_passwd; then # XXX: the sense of permit_star is reversed; the code works as # implemented, but usage needs to be negated. checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1 checkyesno check_passwd_permit_nonalpha \ && permit_nonalpha=1 || permit_nonalpha=0 awk -v "len=$max_loginlen" \ -v "nowarn_shells_list=$check_passwd_nowarn_shells" \ -v "nowarn_users_list=$check_passwd_nowarn_users" \ -v "permit_star=$permit_star" \ -v "permit_nonalpha=$permit_nonalpha" \ ' BEGIN { while ( getline < "/etc/shells" > 0 ) { if ($0 ~ /^\#/ || $0 ~ /^$/ ) continue; shells[$1]++; } split(nowarn_shells_list, a); for (i in a) nowarn_shells[a[i]]++; split(nowarn_users_list, a); for (i in a) nowarn_users[a[i]]++; uid0_users_list="root toor" split(uid0_users_list, a); for (i in a) uid0_users[a[i]]++; FS=":"; } { if ($0 ~ /^[ ]*$/) { printf "Line %d is a blank line.\n", NR; next; } # NIS compat entry? compatline = $1 ~ "^[\\+-]"; if (compatline) { if ($1 == "+" && NF == 1) { next; } sub("^.", "", $1); } if (NF != 10) printf "Line %d has the wrong number of fields.\n", NR; if (compatline) { if ($3 == 0) printf "Line %d includes entries with uid 0.\n", NR; if ($1 == "") next; } if (!permit_nonalpha && $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) printf "Login %s has non-alphanumeric characters.\n", $1; if (length($1) > len) printf "Login %s has more than "len" characters.\n", $1; if ($2 == "" && !compatline && !nowarn_users[$1]) printf "Login %s has no password.\n", $1; if (!nowarn_shells[$10] && !nowarn_users[$1]) { if (length($2) != 13 && length($2) != 20 && $2 !~ /^\$1/ && $2 !~ /^\$2/ && $2 !~ /^\$sha1/ && $2 !~ /^\$argon2(i|d|id)/ && $2 != "" && (permit_star || $2 != "*") && $2 !~ /^\*[A-z-]+$/ && $1 != "toor") { if ($10 == "" || shells[$10]) printf "Login %s is off but still has "\ "a valid shell (%s)\n", $1, $10; } else if (compatline && $10 == "") { # nothing } else if (! shells[$10]) printf "Login %s does not have a valid "\ "shell (%s)\n", $1, $10; } if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1]) printf "Login %s has a user id of 0.\n", $1; if ($3 != "" && $3 < 0) printf "Login %s has a negative user id.\n", $1; if ($4 != "" && $4 < 0) printf "Login %s has a negative group id.\n", $1; }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $MP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$MP has duplicate user names.\n" column $OUTPUT fi awk -v "permit_dups_list=$check_passwd_permit_dups" \ ' BEGIN { split(permit_dups_list, a); for (i in a) permit_dups[a[i]]++; } { if (!permit_dups[$1]) print $2; }' < $MPBYUID | uniq -d > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user ids.\n" while read uid; do grep -w $uid $MPBYUID done < $TMP2 | column fi fi # Check the group file syntax. # if checkyesno check_group; then GRP=/etc/group awk -F: -v "len=$max_grouplen" '{ if ($0 ~ /^[ ]*$/) { printf "Line %d is a blank line.\n", NR; next; } if (NF != 4 && ($1 != "+" || NF != 1)) printf "Line %d has the wrong number of fields.\n", NR; if ($1 == "+" ) { next; } if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) printf "Group %s has non-alphanumeric characters.\n", $1; if (length($1) > len) printf "Group %s has more than "len" characters.\n", $1; if ($3 !~ /[0-9]*/) printf "Login %s has a negative group id.\n", $1; }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $GRP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT dupgroups="" for group in $(cat $OUTPUT) ; do gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP | sort -u | wc -l) if [ $gcount -gt 1 ]; then dupgroups="$dupgroups $group" fi done if [ ! -z "$dupgroups" ] ; then printf "\n$GRP has duplicate group names.\n" printf "$dupgroups\n" fi fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. # if checkyesno check_rootdotfiles; then rhome=~root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -f $i ] ; then if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then umaskset=yes fi # Double check the umask value itself; ensure that # both the group and other write bits are set. # egrep '^[ \t]*umask[ \t]+[0-7]+' $i | awk '{ if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) { print "\tRoot umask is group writable" } if ($2 ~ /[^2367]$/) { print "\tRoot umask is other writable" } }' | sort -u SAVE_PATH=$PATH unset PATH /bin/csh -f -s << end-of-csh > /dev/null 2>&1 source $i /bin/ls -ldgT \$path > $TMP1 end-of-csh export PATH=$SAVE_PATH awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writable." }' \ < $TMP1 fi done > $OUTPUT if [ $umaskset = no ] || [ -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = no ] ; then printf "\tRoot csh startup files do not set the umask.\n" fi fi umaskset=no list="/etc/profile ${rhome}/.profile" for i in $list; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \ { print "\tRoot umask is group writable" } \ $2 ~ /[^2367]$/ \ { print "\tRoot umask is other writable" }' SAVE_PATH=$PATH unset PATH /bin/sh << end-of-sh > /dev/null 2>&1 . $i list=\$(echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g') /bin/ls -ldgT \$list > $TMP1 end-of-sh export PATH=$SAVE_PATH awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writable." }' \ < $TMP1 fi done > $OUTPUT if [ $umaskset = no ] || [ -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = no ] ; then printf "\tRoot sh startup files do not set the umask.\n" fi fi fi # Root and uucp should both be in /etc/ftpusers. # if checkyesno check_ftpusers; then list="uucp "$(awk '$2 == 0 { print $1 }' $MPBYUID) for i in $list; do if /usr/libexec/ftpd -C $i ; then printf "\t$i is not denied\n" fi done > $OUTPUT if [ -s $OUTPUT ]; then printf "\nChecking the /etc/ftpusers configuration:\n" cat $OUTPUT fi fi # Uudecode should not be in the /etc/mail/aliases file. # if checkyesno check_aliases; then for f in /etc/mail/aliases /etc/aliases; do if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then printf "\nEntry for uudecode in $f file.\n" fi done fi # Files that should not have + signs. # if checkyesno check_rhosts; then list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do if [ -f $f ] && egrep '\+' $f > /dev/null ; then printf "\nPlus sign in $f file.\n" fi done # Check for special users with .rhosts files. Only root and toor should # have .rhosts files. Also, .rhosts files should not have plus signs. awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $9 }' $MP | sort -k2 | while read uid homedir; do if [ -f ${homedir}/.rhosts ] ; then rhost=$(ls -ldgT ${homedir}/.rhosts) printf -- "$uid: $rhost\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for special users with .rhosts files.\n" cat $OUTPUT fi while read uid homedir; do if [ -f ${homedir}/.rhosts ] && [ -r ${homedir}/.rhosts ] && cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null then printf -- "$uid: + in .rhosts file.\n" fi done < $MPBYPATH > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking .rhosts files syntax.\n" cat $OUTPUT fi fi # Check home directories. Directories should not be owned by someone else # or writable. # if checkyesno check_homes; then checkyesno check_homes_permit_usergroups && \ permit_usergroups=1 || permit_usergroups=0 while read uid homedir; do if [ -d ${homedir}/ ] ; then file=$(ls -ldgT ${homedir}) printf -- "$uid $file\n" fi done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $4 && $4 != "root" && !permit_owners[$1] \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ { print "user " $1 " home directory is group writable" } $2 ~ /^d.......w/ \ { print "user " $1 " home directory is other writable" }' \ > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking home directories.\n" cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity" while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf -- "$uid $f $(ls -ldgT $file)\n" fi done done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' \ > $OUTPUT # Files that should not be owned by someone else or writable. list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ .cshrc .emacs .exrc .forward .history .k5login .klogin .login \ .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \ .twmrc .xinitrc .xsession .ssh/authorized_keys \ .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \ .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \ .ssh/known_hosts2" while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf -- "$uid $f $(ls -ldgT $file)\n" fi done done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' \ >> $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking dot files.\n" cat $OUTPUT fi fi # Mailboxes should be owned by user and unreadable. # if checkyesno check_varmail; then ls -lA /var/mail | \ awk ' NR == 1 { next; } $9 ~ /^\./ {next; } $3 != $9 { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking mailbox ownership.\n" cat $OUTPUT fi fi # NFS exports shouldn't be globally exported # if checkyesno check_nfs && [ -f /etc/exports ]; then awk '{ # ignore comments and blank lines if ($0 ~ /^\#/ || $0 ~ /^$/ ) next; # manage line continuation while ($NF ~ /^\\$/) { $NF = ""; line = $0 ""; getline; $0 = line $0 ""; } delete dir; readonly = ndir = 0; for (i = 1; i <= NF; ++i) { if ($i ~ /^\//) dir[ndir++] = $i; else if ($i ~ /^-/) { if ($i ~ /^-(ro|o)$/) readonly = 1; if ($i ~ /^-network/) next; } else next; } if (readonly) for (item in dir) rodir[nrodir++] = dir[item]; else for (item in dir) rwdir[nrwdir++] = dir[item]; } END { if (nrodir) { printf("Globally exported file system%s, read-only:\n", nrodir > 1 ? "s" : ""); for (item in rodir) printf("\t%s\n", rodir[item]); } if (nrwdir) { printf("Globally exported file system%s, read-write:\n", nrwdir > 1 ? "s" : ""); for (item in rwdir) printf("\t%s\n", rwdir[item]); } }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi fi # Display any changes in setuid files and devices. # if checkyesno check_devices; then > $ERR ( # Convert check_devices_ignore_fstypes="foo !bar bax" # into "-fstype foo -o ! -fstype bar -o -fstype bax" # and check_devices_ignore_paths="/foo !/bar /bax" # into " -path /foo -o ! -path /bar -o -path /bax" # ignexpr=$(\ echo $check_devices_ignore_fstypes | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \ echo $check_devices_ignore_paths | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \ ) # Massage the expression into ( $ignexpr ) -a -prune -o if [ -n "${ignexpr}" ]; then ignexpr=$(\ echo $ignexpr | \ sed -e 's/^-o /( /' \ -e 's/$/ ) -a -prune -o/' \ ) fi find / $ignexpr \ \( \( -perm -u+s -a ! -type d \) -o \ \( -perm -g+s -a ! -type d \) -o \ -type b -o -type c \) -print0 | \ xargs -0 ls -ldgTq | sort +9 > $LIST ) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then printf "Setuid/device find errors:\n" >> $ERR cat $OUTPUT >> $ERR printf "\n" >> $ERR fi # Display any changes in the setuid file list. egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then printf "\nUudecode is setuid.\n" >> $ERR fi file=$work_dir/setuid migrate_file "$backup_dir/setuid" "$file" CUR=${file}.current BACK=${file}.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid additions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid deletions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi sort -k10 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid changes:\n" >> $ERR column -t $OUTPUT >> $ERR printf "\n" >> $ERR fi backup_file update $TMP1 $CUR $BACK fi else printf "Setuid additions:\n" >> $ERR column -t $TMP1 >> $ERR printf "\n" >> $ERR backup_file add $TMP1 $CUR $BACK fi fi # Check for block and character disk devices that are readable or # writable or not owned by root.operator. >$TMP1 DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \ sd se ss uk up vnd wd xd xy" # DISKLIST="$DISKLIST ct mt st wt" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf "Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1; }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking disk ownership and permissions.\n" >> $ERR cat $OUTPUT >> $ERR printf "\n" >> $ERR fi # Display any changes in the device file list. egrep '^[bc]' $LIST | sort -k11 > $TMP1 if [ -s $TMP1 ] ; then file=$work_dir/device migrate_file "$backup_dir/device" "$file" CUR=${file}.current BACK=${file}.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device additions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device deletions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi # Report any block device change. Ignore # character devices, only the name is # significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort -k11 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Block device changes:\n" >> $ERR column -t $OUTPUT >> $ERR printf "\n" >> $ERR fi backup_file update $TMP1 $CUR $BACK fi else printf "Device additions:\n" >> $ERR column -t $TMP1 >> $ERR printf "\n" >> $ERR backup_file add $TMP1 $CUR $BACK >> $ERR fi fi if [ -s $ERR ] ; then printf "\nChecking setuid files and devices:\n" cat $ERR printf "\n" fi fi # Check special files. # Check system binaries. # # Create the mtree tree specifications using: # mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure # chown root:wheel DIR.secure # chmod u+r,go= DIR.secure # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. # if checkyesno check_mtree; then if checkyesno check_mtree_follow_symlinks; then check_mtree_flags="-L" else check_mtree_flags="" fi mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 | grep -v '^mtree: dev/tty: Device not configured$' >&2 if [ -s $OUTPUT ]; then printf "\nChecking special files and directories.\n" cat $OUTPUT fi for file in /etc/mtree/*.secure; do [ $file = '/etc/mtree/*.secure' ] && continue tree=$(sed -n -e '3s/.* //p' -e 3q $file) mtree $check_mtree_flags -f $file -p $tree > $TMP1 if [ -s $TMP1 ]; then printf "\nChecking $tree:\n" cat $TMP1 fi done > $OUTPUT if [ -s $OUTPUT ]; then printf "\nChecking system binaries:\n" cat $OUTPUT fi fi # Backup disklabels of available disks # if checkyesno check_disklabels; then # migrate old disklabels for file in $(ls -1d $backup_dir/$backup_dir/disklabel.* \ $backup_dir/disklabel.* 2>/dev/null); do migrate_file "$file" "$work_dir/${file##*/}" done # generate list of old disklabels, fdisks & wedges, # and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \ 2>/dev/null | egrep -v '\.(backup|current)(,v)?$' > $LABELS xargs rm < $LABELS disks="$(/sbin/sysctl -n hw.iostatnames)" # generate disklabels of all disks excluding: cd fd md dk st # nfs and "device" (the header of iostat) for i in $disks; do case $i in [cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs[0-9]*) ;; *) if disklabel $i > /dev/null 2>&1; then disklabel $i > "$work_dir/disklabel.$i" fi ;; esac done # if fdisk is available, generate fdisks for: ed ld sd wd if [ -x /sbin/fdisk ]; then for i in $disks; do case $i in [elsw]d[0-9]*) /sbin/fdisk $i > "$work_dir/fdisk.$i" \ 2>/dev/null ;; esac done fi # if dkctl is available, generate dkctl listwedges # for: ed ld sd wd cgd ofdisk ra rl raid if [ -x /sbin/dkctl ]; then for i in $disks; do case $i in [elsw]d[0-9]*|cgd[0-9]*|ofdisk[0-9]*|r[al][0-9]*|raid[0-9]*) if /sbin/dkctl $i listwedges | grep -qe '[0-9] wedges:'; then /sbin/dkctl $i listwedges \ > "$work_dir/wedges.$i" 2>/dev/null fi ;; esac done fi # if raidctl is available, generate raidctls for: raid if [ -x /sbin/raidctl ]; then disks=$(iostat -x | awk 'NR > 1 && $1 ~ /^raid/ { print $1; }') for i in $disks; do /sbin/raidctl -G $i > "$work_dir/raidconf.$i" \ 2>/dev/null done fi # append list of new disklabels, fdisks and wedges ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \ $work_dir/raidconf.* 2>/dev/null | egrep -v '\.(backup|current)(,v)?$' >> $LABELS CHANGELIST="$LABELS $CHANGELIST" fi if checkyesno check_lvm; then # generate list of existing LVM elements Physical Volumes, # Volume Groups and Logical Volumes. if [ -x /sbin/lvm ]; then lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null fi ls -1d $work_dir/lvm.* 2>/dev/null | egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS CHANGELIST="$CHANGELIST $LVM_LABELS" fi # Check for changes in the list of installed pkgs # if checkyesno check_pkgs && have_pkgs; then pkgs=$work_dir/pkgs migrate_file "$backup_dir/pkgs" "$pkgs" pkg_dbdir=$(${pkg_admin} config-var PKG_DBDIR) : ${pkg_dbdir:=/usr/pkg/pkgdb} ( cd $pkg_dbdir $pkg_info | sort echo "" find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 | xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,' ) > $pkgs echo "$pkgs" > $PKGS CHANGELIST="$PKGS $CHANGELIST" fi # List of files that get backed up and checked for any modifications. # Any changes cause the files to rotate. # if checkyesno check_changelist ; then mtree -D -k type -f $SPECIALSPEC -E exclude | sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES ( # Add other files which might dynamically exist: # /etc/ifconfig.* # /etc/raid*.conf # /etc/rc.d/* # /etc/rc.conf.d/* # echo "/etc/ifconfig.*" echo "/etc/raid*.conf" echo "/etc/rc.d/*" echo "/etc/rc.conf.d/*" echo "/etc/lvm/backup/*" echo "/etc/lvm/archive/*" # Add /etc/changelist # if [ -s /etc/changelist ]; then grep -v '^#' /etc/changelist fi ) | while read file; do case "$file" in *[\*\?\[]*) # If changelist line is a glob ... # ... expand possible backup files # ls -1d $backup_dir/${file}.current 2>/dev/null \ | sed "s,^$backup_dir/,, ; s,\.current$,," # ... expand possible files # ls -1d $file 2>/dev/null ;; *) # Otherwise, just print the filename echo $file ;; esac done >> $CHANGEFILES CHANGELIST="$CHANGEFILES $CHANGELIST" fi # Save entropy to ${random_file} if defined, like # /etc/rc.d/random_seed. # if [ -n "${random_file:-}" ]; then rndctl -S "$random_file" fi # Special case backups, including the master password file and # ssh private host keys. The normal backup mechanisms for # $check_changelist (see below) also print out the actual file # differences and we don't want to do that for these files # echo $MP > $TMP1 # always add /etc/master.passwd mtree -D -k type -f $SPECIALSPEC -I nodiff | sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1 grep -v '^$' $TMP1 | sort -u > $TMP2 while read file; do backup_and_diff "$file" no done < $TMP2 if [ -n "$CHANGELIST" ]; then grep -h -v '^$' $CHANGELIST | sort -u > $TMP1 comm -23 $TMP1 $TMP2 | while read file; do backup_and_diff "$file" yes done fi if have_pkgs; then if checkyesno check_pkg_vulnerabilities; then ${pkg_admin} ${_compat_K_flag} audit >${OUTPUT} 2>&1 if [ -s ${OUTPUT} ]; then printf "\nInstalled vulnerable packages:\n" cat ${OUTPUT} fi fi if checkyesno check_pkg_signatures; then ${pkg_admin} ${_compat_K_flag} check >${OUTPUT} 2>&1 if [ $? -ne 0 ]; then printf "\nFiles with invalid signatures:\n" cat ${OUTPUT} fi fi fi if [ -f /etc/security.local ]; then . /etc/security.local > $OUTPUT 2>&1 if [ -s $OUTPUT ] ; then printf "\nRunning /etc/security.local:\n" cat $OUTPUT fi fi @ 1.131 log @Fix sysctl invocation testing for missing entropy. @ text @d3 1 a3 1 # $NetBSD: security,v 1.130 2023/06/30 21:42:29 riastradh Exp $ d362 1 a362 1 if [ ! -z $dupgroups ] ; then @ 1.131.2.1 log @Sync with HEAD @ text @d3 1 a3 1 # $NetBSD: security,v 1.132 2024/07/21 14:56:16 he Exp $ d362 1 a362 1 if [ ! -z "$dupgroups" ] ; then @ 1.130 log @security(5): Check kern.entropy.needed for confident entropy. Don't test whether a non-blocking read from /dev/random would return data. For the sake of availability, /dev/random will unblock based on sources like timer interrupts, which we can't confidently assert anything about the actual unpredictability of. Here, the goal is to highlight systems that have neither obtained entropy from an HWRNG with a confident entropy assessment, nor been seeded from a source the operator knows about. XXX pullup-10 @ text @d3 1 a3 1 # $NetBSD: security,v 1.129 2021/11/04 12:40:00 nia Exp $ d198 1 a198 1 if [ "$(sysctl -nq kern.entropy.needed)" != 0 ]; then @ 1.129 log @Recognize argon2 passwords as valid in daily security reports. from RVP in misc/56486 @ text @d3 1 a3 1 # $NetBSD: security,v 1.128 2021/01/10 23:24:25 riastradh Exp $ d198 1 a198 2 if ! dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \ msgfmt=quiet 2>/dev/null; then @ 1.129.2.1 log @Pull up following revision(s) (requested by riastradh in ticket #319): sys/dev/pci/ubsec.c: revision 1.64 sys/dev/pci/hifn7751.c: revision 1.82 lib/libc/gen/getentropy.3: revision 1.5 lib/libc/gen/getentropy.3: revision 1.6 share/man/man4/rnd.4: revision 1.41 lib/libc/sys/getrandom.2: revision 1.2 lib/libc/sys/getrandom.2: revision 1.3 share/man/man5/rc.conf.5: revision 1.193 share/man/man7/entropy.7: revision 1.5 share/man/man7/entropy.7: revision 1.6 share/man/man7/entropy.7: revision 1.7 share/man/man7/entropy.7: revision 1.8 etc/security: revision 1.130 share/man/man7/entropy.7: revision 1.9 etc/security: revision 1.131 sys/crypto/cprng_fast/cprng_fast.c: revision 1.19 sys/sys/rndio.h: revision 1.3 tests/lib/libc/sys/t_getrandom.c: revision 1.5 etc/defaults/rc.conf: revision 1.164 etc/defaults/rc.conf: revision 1.165 sys/sys/rndsource.h: revision 1.10 sys/kern/kern_entropy.c: revision 1.62 sys/kern/kern_entropy.c: revision 1.63 sys/kern/kern_entropy.c: revision 1.64 sys/kern/subr_cprng.c: revision 1.44 sys/kern/kern_entropy.c: revision 1.65 sys/kern/kern_clock.c: revision 1.149 sys/dev/pci/viornd.c: revision 1.22 share/man/man9/rnd.9: revision 1.32 sys/kern/subr_prf.c: revision 1.202 sys/sys/rndsource.h: revision 1.8 sys/sys/rndsource.h: revision 1.9 share/man/man7/entropy.7: revision 1.10 1. Reinstate netbsd<=9 entropy estimator to unblock /dev/random, in parallel with assessment of only confident entropy sources (seed, HWRNG) for security warnings like sshd keys in motd and daily insecurity report. 2. Make multiuser boot wait for first /dev/random output soon after loading a seed and configuring rndctl, so that getentropy(3) meets its contract starting early at boot without introducing blocking paths that could cause hangs in init(8) or single-user mode. Operators can choose to disable this wait in rc.conf. 3. Fix some bugs left over from reducing the global entropy lock from a spin lock at IPL_VM to an adaptive lock at IPL_SOFTSERIAL. 4. Update man pages. @ text @d3 1 a3 1 # $NetBSD: security,v 1.129 2021/11/04 12:40:00 nia Exp $ d198 2 a199 1 if [ "$(sysctl -n kern.entropy.needed)" != 0 ]; then @ 1.128 log @Various entropy integration improvements. - New /etc/security check for entropy in daily security report. - New /etc/rc.d/entropy script runs (after random_seed and rndctl) to check for entropy at boot -- in rc.conf, you can: . set `entropy=check' to halt multiuser boot and enter single-user mode if not enough entropy . set `entropy=wait' to make multiuser boot wait until enough entropy Default is to always boot without waiting -- and rely on other channels like security report to alert the operator if there's a problem. - New man page entropy(7) discussing the higher-level concepts and system integration with cross-references. - New paragraph in afterboot(8) about entropy citing entropy(7) for more details. This change addresses many of the issues discussed in security/55659. This is a first draft; happy to take improvements to the man pages and scripted messages to improve clarity. I considered changing motd to include an entropy warning with a reference to the entropy(7) man page, but it's a little trickier: - Not sure it's appropriate for all users to see at login rather than users who have power to affect the entropy estimate (maybe it is, just haven't decided). - We only have a mechanism for changing once at boot; the message would remain until next boot even if an operator adds enough entropy. - The mechanism isn't really conducive to making a message appear conditionally from boot to boot. @ text @d3 1 a3 1 # $NetBSD: security,v 1.127 2020/12/02 14:18:13 wiz Exp $ d277 1 @ 1.127 log @Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb. @ text @d3 1 a3 1 # $NetBSD: security,v 1.126 2019/12/06 14:43:30 riastradh Exp $ d195 13 @ 1.126 log @Save the entropy seed daily in /etc/security. @ text @d3 1 a3 1 # $NetBSD: security,v 1.125 2019/09/18 22:27:55 uwe Exp $ d994 1 a994 1 : ${pkg_dbdir:=/var/db/pkg} @ 1.125 log @Use $file instead of $(echo $file). I don't think the extra round of word expansions was really intended here. @ text @d3 1 a3 1 # $NetBSD: security,v 1.124 2018/10/04 11:50:34 kre Exp $ d1052 7 @ 1.124 log @ Fix an obvious botch in the previous rev, found by martin@@ @ text @d3 1 a3 1 # $NetBSD: security,v 1.123 2018/09/23 23:48:33 kre Exp $ d1036 1 a1036 1 ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \ d1041 1 a1041 1 ls -1d $(echo $file) 2>/dev/null @ 1.123 log @ Convert uses of test (aka '[') to use only posix specified forms, mostly just on general principle... this resulted in one or two minor code reformattings to keep 80 char limits - a few needless uses of quotes ("no" ??) were also removed (sh is not C. strings are strings without quotes around them...) @ text @d3 1 a3 1 # $NetBSD: security,v 1.122 2018/01/06 23:44:06 mlelstv Exp $ d402 1 a402 1 if [ $umaskset = no ] -o [ -s $OUTPUT ] ; then @ 1.122 log @Use sysctl to retrieve iostat names instead of parsing possibly truncated iostat output. Check dkctl listwedges output with grep. Fixes PR 59205. @ text @d3 1 a3 1 # $NetBSD: security,v 1.121 2016/02/29 16:16:42 riastradh Exp $ d89 1 a89 1 if [ -z "$_old" -o -z "$_new" ]; then d95 1 a95 1 if [ -f "${_old}" -a ! -f "${_new}" ]; then d100 1 a100 1 if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then d104 2 a105 1 if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then d110 1 a110 1 if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then d128 1 a128 1 if [ -z "$_file" -o -z "$_printdiff" ]; then d402 1 a402 1 if [ $umaskset = "no" -o -s $OUTPUT ] ; then d407 1 a407 1 if [ $umaskset = "no" ] ; then d447 1 a447 1 if [ $umaskset = "no" -o -s $OUTPUT ] ; then d452 1 a452 1 if [ $umaskset = "no" ] ; then d511 4 a514 2 if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then @ 1.122.4.1 log @Sync with HEAD @ text @d3 1 a3 1 # $NetBSD: security,v 1.124 2018/10/04 11:50:34 kre Exp $ d89 1 a89 1 if [ -z "$_old" ] || [ -z "$_new" ]; then d95 1 a95 1 if [ -f "${_old}" ] && ! [ -f "${_new}" ]; then d100 1 a100 1 if [ -f "${_old}.current" ] && ! [ -f "${_new}.current" ]; then d104 1 a104 2 if [ -f "${_old}.current,v" ] && ! [ -f "${_new}.current,v" ]; then d109 1 a109 1 if [ -f "${_old}.backup" ] && ! [ -f "${_new}.backup" ]; then d127 1 a127 1 if [ -z "$_file" ] || [ -z "$_printdiff" ]; then d401 1 a401 1 if [ $umaskset = no ] || [ -s $OUTPUT ] ; then d406 1 a406 1 if [ $umaskset = no ] ; then d446 1 a446 1 if [ $umaskset = no ] || [ -s $OUTPUT ] ; then d451 1 a451 1 if [ $umaskset = no ] ; then d510 2 a511 4 if [ -f ${homedir}/.rhosts ] && [ -r ${homedir}/.rhosts ] && cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null then @ 1.122.4.2 log @Merge changes from current as of 20200406 @ text @d3 1 a3 1 # $NetBSD$ a1051 7 # Save entropy to ${random_file} if defined, like # /etc/rc.d/random_seed. # if [ -n "${random_file:-}" ]; then rndctl -S "$random_file" fi @ 1.122.4.3 log @Mostly merge changes from HEAD upto 20200411 @ text @d1036 1 a1036 1 ls -1d $backup_dir/${file}.current 2>/dev/null \ d1041 1 a1041 1 ls -1d $file 2>/dev/null @ 1.122.2.1 log @Ssync with HEAD @ text @d3 1 a3 1 # $NetBSD: security,v 1.123 2018/09/23 23:48:33 kre Exp $ d89 1 a89 1 if [ -z "$_old" ] || [ -z "$_new" ]; then d95 1 a95 1 if [ -f "${_old}" ] && ! [ -f "${_new}" ]; then d100 1 a100 1 if [ -f "${_old}.current" ] && ! [ -f "${_new}.current" ]; then d104 1 a104 2 if [ -f "${_old}.current,v" ] && ! [ -f "${_new}.current,v" ]; then d109 1 a109 1 if [ -f "${_old}.backup" ] && ! [ -f "${_new}.backup" ]; then d127 1 a127 1 if [ -z "$_file" ] || [ -z "$_printdiff" ]; then d401 1 a401 1 if [ $umaskset = no ] -o [ -s $OUTPUT ] ; then d406 1 a406 1 if [ $umaskset = no ] ; then d446 1 a446 1 if [ $umaskset = no ] || [ -s $OUTPUT ] ; then d451 1 a451 1 if [ $umaskset = no ] ; then d510 2 a511 4 if [ -f ${homedir}/.rhosts ] && [ -r ${homedir}/.rhosts ] && cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null then @ 1.122.2.2 log @Sync with head @ text @d3 1 a3 1 # $NetBSD: security,v 1.124 2018/10/04 11:50:34 kre Exp $ d402 1 a402 1 if [ $umaskset = no ] || [ -s $OUTPUT ] ; then @ 1.121 log @Record current raid configurations too in /etc/security. @ text @d3 1 a3 1 # $NetBSD: security,v 1.120 2015/04/20 22:46:35 pgoyette Exp $ d912 1 a912 1 disks="$(iostat -x | cut -f 1 -d ' ' )" d918 1 a918 1 [cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs[0-9]*|device) d946 2 a947 1 if /sbin/dkctl $i listwedges -qe; then @ 1.120 log @Set the redirection correctly, so that stderr gets duped to the already redirected stdout, rather than duping stdout to stderr! Without this fix, the disklabel output is included in the log file rather than being discarded as intended. (The purpose of running disklabel this first time is only to check for success.) @ text @d3 1 a3 1 # $NetBSD: security,v 1.119 2015/02/14 19:46:55 nakayama Exp $ d955 9 d966 1 a966 1 2>/dev/null | @ 1.119 log @Avoid nfs devices correctly. @ text @d3 1 a3 1 # $NetBSD: security,v 1.118 2014/12/13 02:17:35 uebayasi Exp $ d921 1 a921 1 if disklabel $i > /dev/null 1>&2; then @ 1.118 log @Indent and space fixes. @ text @d3 1 a3 1 # $NetBSD$ d918 1 a918 1 [cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs|device) @ 1.117 log @- generate the list of disks only once and select from them later - don't generate empty/useless files when disklabel or dkctl don't have data @ text @d3 1 a3 1 # $NetBSD: security,v 1.116 2014/08/27 13:56:02 apb Exp $ d70 3 a72 3 echo "WARNING: Setting pkgdb_dir in security.conf(5) is deprecated" echo "WARNING: Please define PKG_DBDIR in pkg_install.conf(5) instead" _compat_K_flag="-K ${pkgdb_dir}" d120 1 a120 1 # If printdiff is yes, display the diffs, otherwise d197 2 a198 2 # XXX: the sense of permit_star is reversed; the code works as # implemented, but usage needs to be negated. d534 1 a534 1 -v "permit_owners_list=$check_homes_permit_other_owner" ' d562 1 a562 1 -v "permit_owners_list=$check_homes_permit_other_owner" ' d596 1 a596 1 -v "permit_owners_list=$check_homes_permit_other_owner" ' d918 1 a918 1 [cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs|device) d963 10 a972 11 # generate list of existing LVM elements Physical Volumes, Volume Groups # and Logical Volumes. if [ -x /sbin/lvm ]; then lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null fi ls -1d $work_dir/lvm.* 2>/dev/null | egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS CHANGELIST="$CHANGELIST $LVM_LABELS" d1025 1 a1025 1 @ 1.116 log @Split some long lines. @ text @d3 1 a3 1 # $NetBSD: security,v 1.115 2013/11/06 19:37:05 spz Exp $ d912 4 a915 3 # generate disklabels of all disks excluding: cd dk fd md st disks=$(iostat -x | awk \ 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }') d917 9 a925 1 disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null a929 2 disks=$(iostat -x | awk \ 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }') d931 6 a936 1 /sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null a942 3 disks=$(iostat -x | awk \ 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }') d944 8 a951 2 /sbin/dkctl $i listwedges \ > "$work_dir/wedges.$i" 2>/dev/null @ 1.115 log @Introduce a variable for security.conf, default empty, to list users whose home is (allowed to be) owned by another user. It's a separate variable and not just check_passwd_permit_dups so I can make security shut up about my uucp users. Fixes the second half of PR misc/36063 @ text @d3 1 a3 1 # $NetBSD: security,v 1.113 2013/09/08 08:19:40 prlw1 Exp $ d342 2 a343 1 gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP | sort -u | wc -l) d905 4 a908 2 # generate list of old disklabels, fdisks & wedges and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | d913 2 a914 1 disks=$(iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }') d921 2 a922 1 disks=$(iostat -x | awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }') d928 2 a929 1 # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid d931 3 a933 1 disks=$(iostat -x | awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }') d935 2 a936 1 /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null d941 2 a942 1 ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | d949 2 a950 1 # generate list of existing LVM elements Physical Volumes, Volume Groups and Logical Volumes. @ 1.114 log @having more than one line with the same group name and gid is not only allowed, it's even recommended for groups with lots of members, so do not warn about duplicate group name lines if the gid is the same @ text @d532 7 a538 2 awk -v "usergroups=$permit_usergroups" ' $1 != $4 && $4 != "root" \ d560 7 a566 2 awk -v "usergroups=$permit_usergroups" ' $1 != $5 && $5 != "root" \ d594 7 a600 2 awk -v "usergroups=$permit_usergroups" ' $1 != $5 && $5 != "root" \ @ 1.113 log @Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf is not installed. @ text @d3 1 a3 1 # $NetBSD: security,v 1.112 2013/05/01 05:36:25 agc Exp $ d340 8 a347 1 if [ -s $OUTPUT ] ; then d349 1 a349 1 column $OUTPUT @ 1.112 log @Fix for problematic paths in /etc/daily and /etc/security reported in PR/47645. Add a separate file which contains the paths for the pkg_admin and pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it from pkg.conf). Thanks also to Edgar Fuss for the sanity check. @ text @d3 1 a3 1 # $NetBSD: security,v 1.111 2012/04/05 09:09:27 spz Exp $ d33 1 @ 1.111 log @change security so that there is a configuration value for the list of users who will not be considered for duplicate uid check. Seed it with 'toor' in defaults/security.conf. @ text @d3 1 a3 1 # $NetBSD: security,v 1.110 2011/03/02 17:00:28 christos Exp $ d24 3 d932 1 a932 1 pkg_dbdir=$(pkg_admin config-var PKG_DBDIR) d1015 1 a1015 1 pkg_admin ${_compat_K_flag} audit >${OUTPUT} 2>&1 d1023 1 a1023 1 pkg_admin ${_compat_K_flag} check >${OUTPUT} 2>&1 @ 1.111.2.1 log @resync from head @ text @d3 1 a3 1 # $NetBSD$ a23 3 if [ -s /etc/pkgpath.conf ]; then . /etc/pkgpath.conf fi d929 1 a929 1 pkg_dbdir=$(${pkg_admin} config-var PKG_DBDIR) d1012 1 a1012 1 ${pkg_admin} ${_compat_K_flag} audit >${OUTPUT} 2>&1 d1020 1 a1020 1 ${pkg_admin} ${_compat_K_flag} check >${OUTPUT} 2>&1 @ 1.111.2.2 log @Rebase to HEAD as of a few days ago. @ text @a32 1 pkg_admin=${pkg_admin:-/usr/sbin/pkg_admin} d339 1 a339 8 dupgroups="" for group in $(cat $OUTPUT) ; do gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP | sort -u | wc -l) if [ $gcount -gt 1 ]; then dupgroups="$dupgroups $group" fi done if [ ! -z $dupgroups ] ; then d341 1 a341 1 printf "$dupgroups\n" d524 2 a525 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $4 && $4 != "root" && !permit_owners[$1] \ d547 2 a548 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ d576 2 a577 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ @ 1.110 log @too much quoting. pointed by anon ymous @ text @d3 1 a3 1 # $NetBSD: security,v 1.109 2010/12/27 03:38:52 christos Exp $ d290 10 a299 6 # To not exclude 'toor', a standard duplicate root account, from the duplicate # account test, uncomment the line below (without egrep in it)and comment # out the line (with egrep in it) below it. # # < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 d301 1 a301 1 printf "\n$MP has duplicate user id's.\n" @ 1.110.4.1 log @sync with head @ text @d3 1 a3 1 # $NetBSD: security,v 1.110 2011/03/02 17:00:28 christos Exp $ d290 6 a295 10 awk -v "permit_dups_list=$check_passwd_permit_dups" \ ' BEGIN { split(permit_dups_list, a); for (i in a) permit_dups[a[i]]++; } { if (!permit_dups[$1]) print $2; }' < $MPBYUID | uniq -d > $TMP2 d297 1 a297 1 printf "\n$MP has duplicate user ids.\n" @ 1.110.4.2 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d3 1 a3 1 # $NetBSD: security,v 1.110.4.1 2012/04/17 00:02:56 yamt Exp $ a23 3 if [ -s /etc/pkgpath.conf ]; then . /etc/pkgpath.conf fi a29 1 pkg_admin=${pkg_admin:-/usr/sbin/pkg_admin} d336 1 a336 8 dupgroups="" for group in $(cat $OUTPUT) ; do gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP | sort -u | wc -l) if [ $gcount -gt 1 ]; then dupgroups="$dupgroups $group" fi done if [ ! -z $dupgroups ] ; then d338 1 a338 1 printf "$dupgroups\n" d521 2 a522 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $4 && $4 != "root" && !permit_owners[$1] \ d544 2 a545 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ d573 2 a574 7 awk -v "usergroups=$permit_usergroups" \ -v "permit_owners_list=$check_homes_permit_other_owner" ' BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++; } $1 != $5 && $5 != "root" && !permit_owners[$1] \ d929 1 a929 1 pkg_dbdir=$(${pkg_admin} config-var PKG_DBDIR) d1012 1 a1012 1 ${pkg_admin} ${_compat_K_flag} audit >${OUTPUT} 2>&1 d1020 1 a1020 1 ${pkg_admin} ${_compat_K_flag} check >${OUTPUT} 2>&1 @ 1.109 log @`` -> $() @ text @d3 1 a3 1 # $NetBSD: security,v 1.108 2010/02/05 16:29:02 jmmv Exp $ d411 2 a412 2 list=\$\(echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\) @ 1.109.2.1 log @Sync with HEAD @ text @d3 1 a3 1 # $NetBSD$ d411 2 a412 2 list=\$(echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g') @ 1.108 log @Deprecate the pkgdb_dir settings from daily.conf and security.conf in favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose of this is to only have to define the location of the packages database in a single place and have all other system components pick it up. pkgdb_dir is still honored if defined and the scripts will spit out a warning in that case, asking the administrator to migrate to the PKG_DBDIR setting. We can't remove this compatibility workaround until, at least, after NetBSD 6 is released. @ text @d3 1 a3 1 # $NetBSD: security,v 1.107 2010/01/19 22:08:11 jmmv Exp $ d411 2 a412 2 list=\`echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` d444 1 a444 1 list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` d484 1 a484 1 rhost=`ls -ldgT ${homedir}/.rhosts` d513 1 a513 1 file=`ls -ldgT ${homedir}` d536 1 a536 1 printf -- "$uid $f `ls -ldgT $file`\n" d565 1 a565 1 printf -- "$uid $f `ls -ldgT $file`\n" d852 1 a852 1 tree=`sed -n -e '3s/.* //p' -e 3q $file` d869 2 a870 2 for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \ $backup_dir/disklabel.* 2>/dev/null`; do d880 1 a880 1 disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'` d887 1 a887 1 disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'` d895 1 a895 1 disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'` @ 1.107 log @Add the fetch_pkg_vulnerabilities option to the daily script to keep the packages vulnerability database up to date. This will only fetch the file from the server if it has changed since the last run. Add the check_pkg_vulnerabilities and check_pkg_signatures options to the security script to check that the installed packages are sane. All of these options are enabled by default but they will only run if there is, at least, one installed package. @ text @d3 1 a3 1 # $NetBSD: security,v 1.106 2009/01/27 10:32:18 haad Exp $ a27 1 pkgdb_dir=${pkgdb_dir:-/var/db/pkg} # TODO Inherit from daily.conf. d65 10 d922 1 a922 1 if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then d925 3 a927 1 ( cd $pkgdb_dir d1006 1 a1006 1 if pkg_info -K ${pkgdb_dir} -q -E '*'; then d1008 1 a1008 1 pkg_admin -K ${pkgdb_dir} audit >${OUTPUT} 2>&1 d1016 1 a1016 1 pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1 @ 1.106 log @Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@@. @ text @d3 1 a3 1 # $NetBSD: security,v 1.105 2007/11/23 15:51:27 dholland Exp $ d28 1 a28 1 pkgdb_dir=${pkgdb_dir:-/var/db/pkg} d995 18 @ 1.105 log @Handle non-trivial NIS compat entries (like +joe:::::::::) in the password file. Fixes (my own) PR bin/33138. reviewed: christos @ text @d3 1 a3 1 # $NetBSD: security,v 1.104 2007/08/27 19:57:02 adrianp Exp $ d61 1 a65 1 d898 13 d944 2 @ 1.105.4.1 log @file security was added on branch mjf-devfs on 2007-11-23 15:51:28 +0000 @ text @d1 986 @ 1.105.4.2 log @Handle non-trivial NIS compat entries (like +joe:::::::::) in the password file. Fixes (my own) PR bin/33138. reviewed: christos @ text @a0 986 #!/bin/sh - # # $NetBSD: security,v 1.105 2007/11/23 15:51:27 dholland Exp $ # from: @@(#)security 8.1 (Berkeley) 6/9/93 # PATH=/sbin:/usr/sbin:/bin:/usr/bin rcvar_manpage='security.conf(5)' if [ -f /etc/rc.subr ]; then . /etc/rc.subr else echo "Can't read /etc/rc.subr; aborting." exit 1; fi umask 077 TZ=UTC; export TZ if [ -s /etc/security.conf ]; then . /etc/security.conf fi # Set reasonable defaults (if they're not set in security.conf) # backup_dir=${backup_dir:-/var/backups} pkgdb_dir=${pkgdb_dir:-/var/db/pkg} max_loginlen=${max_loginlen:-8} max_grouplen=${max_grouplen:-8} pkg_info=${pkg_info:-/usr/sbin/pkg_info} # Other configurable variables # special_files="/etc/mtree/special /etc/mtree/special.local" MP=/etc/master.passwd CHANGELIST="" work_dir=$backup_dir/work if [ ! -d "$work_dir" ]; then mkdir -p "$work_dir" fi SECUREDIR=$(mktemp -d -t _securedir) || exit 1 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE if ! cd "$SECUREDIR"; then echo "Can not cd to $SECUREDIR". exit 1 fi ERR=err.$$ TMP1=tmp1.$$ TMP2=tmp2.$$ MPBYUID=mpbyuid.$$ MPBYPATH=mpbypath.$$ LIST=list.$$ OUTPUT=output.$$ LABELS=labels.$$ PKGS=pkgs.$$ CHANGEFILES=changefiles.$$ SPECIALSPEC=specialspec.$$ # migrate_file old new # Determine if the "${old}" path name needs to be migrated to the # "${new}" path. Also checks if "${old}.current" needs migrating, # and if so, migrate it and possibly "${old}.current,v" and # "${old}.backup". # migrate_file() { _old=$1 _new=$2 if [ -z "$_old" -o -z "$_new" ]; then err 3 "USAGE: migrate_file old new" fi if [ ! -d "${_new%/*}" ]; then mkdir -p "${_new%/*}" fi if [ -f "${_old}" -a ! -f "${_new}" ]; then echo "==> migrating ${_old}" echo " to ${_new}" mv "${_old}" "${_new}" fi if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then echo "==> migrating ${_old}.current" echo " to ${_new}.current" mv "${_old}.current" "${_new}.current" if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then echo "==> migrating ${_old}.current,v" echo " to ${_new}.current,v" mv "${_old}.current,v" "${_new}.current,v" fi if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then echo "==> migrating ${_old}.backup" echo " to ${_new}.backup" mv "${_old}.backup" "${_new}.backup" fi fi } # backup_and_diff file printdiff # Determine if file needs backing up, and if so, do it. # If printdiff is yes, display the diffs, otherwise # just print a message saying "[changes omitted]". # backup_and_diff() { _file=$1 _printdiff=$2 if [ -z "$_file" -o -z "$_printdiff" ]; then err 3 "USAGE: backup_and_diff file printdiff" fi ! checkyesno _printdiff _printdiff=$? _old=$backup_dir/${_file##*/} case "$_file" in $work_dir/*) _new=$_file migrate_file "$backup_dir/$_old" "$_new" migrate_file "$_old" "$_new" ;; *) _new=$backup_dir/$_file migrate_file "$_old" "$_new" ;; esac CUR=${_new}.current BACK=${_new}.backup if [ -f $_file ]; then if [ -f $CUR ] ; then if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} $CUR $_file > $OUTPUT else if ! cmp -s $CUR $_file; then echo "[changes omitted]" fi > $OUTPUT fi if [ -s $OUTPUT ] ; then printf \ "\n======\n%s diffs (OLD < > NEW)\n======\n" $_file cat $OUTPUT backup_file update $_file $CUR $BACK fi else printf "\n======\n%s added\n======\n" $_file if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} /dev/null $_file else echo "[changes omitted]" fi backup_file add $_file $CUR $BACK fi else if [ -f $CUR ]; then printf "\n======\n%s removed\n======\n" $_file if [ "$_printdiff" -ne 0 ]; then diff ${diff_options} $CUR /dev/null else echo "[changes omitted]" fi backup_file remove $_file $CUR $BACK fi fi } # These are used several times. # awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH for file in $special_files; do [ -s $file ] && cat $file done | mtree -CM -k all > $SPECIALSPEC || exit 1 # Check the master password file syntax. # if checkyesno check_passwd; then # XXX: the sense of permit_star is reversed; the code works as # implemented, but usage needs to be negated. checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1 checkyesno check_passwd_permit_nonalpha \ && permit_nonalpha=1 || permit_nonalpha=0 awk -v "len=$max_loginlen" \ -v "nowarn_shells_list=$check_passwd_nowarn_shells" \ -v "nowarn_users_list=$check_passwd_nowarn_users" \ -v "permit_star=$permit_star" \ -v "permit_nonalpha=$permit_nonalpha" \ ' BEGIN { while ( getline < "/etc/shells" > 0 ) { if ($0 ~ /^\#/ || $0 ~ /^$/ ) continue; shells[$1]++; } split(nowarn_shells_list, a); for (i in a) nowarn_shells[a[i]]++; split(nowarn_users_list, a); for (i in a) nowarn_users[a[i]]++; uid0_users_list="root toor" split(uid0_users_list, a); for (i in a) uid0_users[a[i]]++; FS=":"; } { if ($0 ~ /^[ ]*$/) { printf "Line %d is a blank line.\n", NR; next; } # NIS compat entry? compatline = $1 ~ "^[\\+-]"; if (compatline) { if ($1 == "+" && NF == 1) { next; } sub("^.", "", $1); } if (NF != 10) printf "Line %d has the wrong number of fields.\n", NR; if (compatline) { if ($3 == 0) printf "Line %d includes entries with uid 0.\n", NR; if ($1 == "") next; } if (!permit_nonalpha && $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) printf "Login %s has non-alphanumeric characters.\n", $1; if (length($1) > len) printf "Login %s has more than "len" characters.\n", $1; if ($2 == "" && !compatline && !nowarn_users[$1]) printf "Login %s has no password.\n", $1; if (!nowarn_shells[$10] && !nowarn_users[$1]) { if (length($2) != 13 && length($2) != 20 && $2 !~ /^\$1/ && $2 !~ /^\$2/ && $2 !~ /^\$sha1/ && $2 != "" && (permit_star || $2 != "*") && $2 !~ /^\*[A-z-]+$/ && $1 != "toor") { if ($10 == "" || shells[$10]) printf "Login %s is off but still has "\ "a valid shell (%s)\n", $1, $10; } else if (compatline && $10 == "") { # nothing } else if (! shells[$10]) printf "Login %s does not have a valid "\ "shell (%s)\n", $1, $10; } if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1]) printf "Login %s has a user id of 0.\n", $1; if ($3 != "" && $3 < 0) printf "Login %s has a negative user id.\n", $1; if ($4 != "" && $4 < 0) printf "Login %s has a negative group id.\n", $1; }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $MP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$MP has duplicate user names.\n" column $OUTPUT fi # To not exclude 'toor', a standard duplicate root account, from the duplicate # account test, uncomment the line below (without egrep in it)and comment # out the line (with egrep in it) below it. # # < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" while read uid; do grep -w $uid $MPBYUID done < $TMP2 | column fi fi # Check the group file syntax. # if checkyesno check_group; then GRP=/etc/group awk -F: -v "len=$max_grouplen" '{ if ($0 ~ /^[ ]*$/) { printf "Line %d is a blank line.\n", NR; next; } if (NF != 4 && ($1 != "+" || NF != 1)) printf "Line %d has the wrong number of fields.\n", NR; if ($1 == "+" ) { next; } if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) printf "Group %s has non-alphanumeric characters.\n", $1; if (length($1) > len) printf "Group %s has more than "len" characters.\n", $1; if ($3 !~ /[0-9]*/) printf "Login %s has a negative group id.\n", $1; }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $GRP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$GRP has duplicate group names.\n" column $OUTPUT fi fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. # if checkyesno check_rootdotfiles; then rhome=~root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -f $i ] ; then if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then umaskset=yes fi # Double check the umask value itself; ensure that # both the group and other write bits are set. # egrep '^[ \t]*umask[ \t]+[0-7]+' $i | awk '{ if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) { print "\tRoot umask is group writable" } if ($2 ~ /[^2367]$/) { print "\tRoot umask is other writable" } }' | sort -u SAVE_PATH=$PATH unset PATH /bin/csh -f -s << end-of-csh > /dev/null 2>&1 source $i /bin/ls -ldgT \$path > $TMP1 end-of-csh export PATH=$SAVE_PATH awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writable." }' \ < $TMP1 fi done > $OUTPUT if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\tRoot csh startup files do not set the umask.\n" fi fi umaskset=no list="/etc/profile ${rhome}/.profile" for i in $list; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \ { print "\tRoot umask is group writable" } \ $2 ~ /[^2367]$/ \ { print "\tRoot umask is other writable" }' SAVE_PATH=$PATH unset PATH /bin/sh << end-of-sh > /dev/null 2>&1 . $i list=\`echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 end-of-sh export PATH=$SAVE_PATH awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writable." }' \ < $TMP1 fi done > $OUTPUT if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\tRoot sh startup files do not set the umask.\n" fi fi fi # Root and uucp should both be in /etc/ftpusers. # if checkyesno check_ftpusers; then list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` for i in $list; do if /usr/libexec/ftpd -C $i ; then printf "\t$i is not denied\n" fi done > $OUTPUT if [ -s $OUTPUT ]; then printf "\nChecking the /etc/ftpusers configuration:\n" cat $OUTPUT fi fi # Uudecode should not be in the /etc/mail/aliases file. # if checkyesno check_aliases; then for f in /etc/mail/aliases /etc/aliases; do if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then printf "\nEntry for uudecode in $f file.\n" fi done fi # Files that should not have + signs. # if checkyesno check_rhosts; then list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do if [ -f $f ] && egrep '\+' $f > /dev/null ; then printf "\nPlus sign in $f file.\n" fi done # Check for special users with .rhosts files. Only root and toor should # have .rhosts files. Also, .rhosts files should not have plus signs. awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $9 }' $MP | sort -k2 | while read uid homedir; do if [ -f ${homedir}/.rhosts ] ; then rhost=`ls -ldgT ${homedir}/.rhosts` printf -- "$uid: $rhost\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for special users with .rhosts files.\n" cat $OUTPUT fi while read uid homedir; do if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then printf -- "$uid: + in .rhosts file.\n" fi done < $MPBYPATH > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking .rhosts files syntax.\n" cat $OUTPUT fi fi # Check home directories. Directories should not be owned by someone else # or writable. # if checkyesno check_homes; then checkyesno check_homes_permit_usergroups && \ permit_usergroups=1 || permit_usergroups=0 while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` printf -- "$uid $file\n" fi done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" ' $1 != $4 && $4 != "root" \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ { print "user " $1 " home directory is group writable" } $2 ~ /^d.......w/ \ { print "user " $1 " home directory is other writable" }' \ > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking home directories.\n" cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity" while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf -- "$uid $f `ls -ldgT $file`\n" fi done done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" ' $1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' \ > $OUTPUT # Files that should not be owned by someone else or writable. list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ .cshrc .emacs .exrc .forward .history .k5login .klogin .login \ .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \ .twmrc .xinitrc .xsession .ssh/authorized_keys \ .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \ .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \ .ssh/known_hosts2" while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf -- "$uid $f `ls -ldgT $file`\n" fi done done < $MPBYPATH | awk -v "usergroups=$permit_usergroups" ' $1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' \ >> $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking dot files.\n" cat $OUTPUT fi fi # Mailboxes should be owned by user and unreadable. # if checkyesno check_varmail; then ls -lA /var/mail | \ awk ' NR == 1 { next; } $9 ~ /^\./ {next; } $3 != $9 { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking mailbox ownership.\n" cat $OUTPUT fi fi # NFS exports shouldn't be globally exported # if checkyesno check_nfs && [ -f /etc/exports ]; then awk '{ # ignore comments and blank lines if ($0 ~ /^\#/ || $0 ~ /^$/ ) next; # manage line continuation while ($NF ~ /^\\$/) { $NF = ""; line = $0 ""; getline; $0 = line $0 ""; } delete dir; readonly = ndir = 0; for (i = 1; i <= NF; ++i) { if ($i ~ /^\//) dir[ndir++] = $i; else if ($i ~ /^-/) { if ($i ~ /^-(ro|o)$/) readonly = 1; if ($i ~ /^-network/) next; } else next; } if (readonly) for (item in dir) rodir[nrodir++] = dir[item]; else for (item in dir) rwdir[nrwdir++] = dir[item]; } END { if (nrodir) { printf("Globally exported file system%s, read-only:\n", nrodir > 1 ? "s" : ""); for (item in rodir) printf("\t%s\n", rodir[item]); } if (nrwdir) { printf("Globally exported file system%s, read-write:\n", nrwdir > 1 ? "s" : ""); for (item in rwdir) printf("\t%s\n", rwdir[item]); } }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi fi # Display any changes in setuid files and devices. # if checkyesno check_devices; then > $ERR ( # Convert check_devices_ignore_fstypes="foo !bar bax" # into "-fstype foo -o ! -fstype bar -o -fstype bax" # and check_devices_ignore_paths="/foo !/bar /bax" # into " -path /foo -o ! -path /bar -o -path /bax" # ignexpr=$(\ echo $check_devices_ignore_fstypes | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \ echo $check_devices_ignore_paths | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \ ) # Massage the expression into ( $ignexpr ) -a -prune -o if [ -n "${ignexpr}" ]; then ignexpr=$(\ echo $ignexpr | \ sed -e 's/^-o /( /' \ -e 's/$/ ) -a -prune -o/' \ ) fi find / $ignexpr \ \( \( -perm -u+s -a ! -type d \) -o \ \( -perm -g+s -a ! -type d \) -o \ -type b -o -type c \) -print0 | \ xargs -0 ls -ldgTq | sort +9 > $LIST ) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then printf "Setuid/device find errors:\n" >> $ERR cat $OUTPUT >> $ERR printf "\n" >> $ERR fi # Display any changes in the setuid file list. egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then printf "\nUudecode is setuid.\n" >> $ERR fi file=$work_dir/setuid migrate_file "$backup_dir/setuid" "$file" CUR=${file}.current BACK=${file}.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid additions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid deletions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi sort -k10 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid changes:\n" >> $ERR column -t $OUTPUT >> $ERR printf "\n" >> $ERR fi backup_file update $TMP1 $CUR $BACK fi else printf "Setuid additions:\n" >> $ERR column -t $TMP1 >> $ERR printf "\n" >> $ERR backup_file add $TMP1 $CUR $BACK fi fi # Check for block and character disk devices that are readable or # writable or not owned by root.operator. >$TMP1 DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \ sd se ss uk up vnd wd xd xy" # DISKLIST="$DISKLIST ct mt st wt" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf "Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1; }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking disk ownership and permissions.\n" >> $ERR cat $OUTPUT >> $ERR printf "\n" >> $ERR fi # Display any changes in the device file list. egrep '^[bc]' $LIST | sort -k11 > $TMP1 if [ -s $TMP1 ] ; then file=$work_dir/device migrate_file "$backup_dir/device" "$file" CUR=${file}.current BACK=${file}.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device additions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device deletions:\n" >> $ERR tee -a $TMP2 < $OUTPUT >> $ERR printf "\n" >> $ERR fi # Report any block device change. Ignore # character devices, only the name is # significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort -k11 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Block device changes:\n" >> $ERR column -t $OUTPUT >> $ERR printf "\n" >> $ERR fi backup_file update $TMP1 $CUR $BACK fi else printf "Device additions:\n" >> $ERR column -t $TMP1 >> $ERR printf "\n" >> $ERR backup_file add $TMP1 $CUR $BACK >> $ERR fi fi if [ -s $ERR ] ; then printf "\nChecking setuid files and devices:\n" cat $ERR printf "\n" fi fi # Check special files. # Check system binaries. # # Create the mtree tree specifications using: # mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure # chown root:wheel DIR.secure # chmod u+r,go= DIR.secure # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. # if checkyesno check_mtree; then if checkyesno check_mtree_follow_symlinks; then check_mtree_flags="-L" else check_mtree_flags="" fi mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 | grep -v '^mtree: dev/tty: Device not configured$' >&2 if [ -s $OUTPUT ]; then printf "\nChecking special files and directories.\n" cat $OUTPUT fi for file in /etc/mtree/*.secure; do [ $file = '/etc/mtree/*.secure' ] && continue tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree $check_mtree_flags -f $file -p $tree > $TMP1 if [ -s $TMP1 ]; then printf "\nChecking $tree:\n" cat $TMP1 fi done > $OUTPUT if [ -s $OUTPUT ]; then printf "\nChecking system binaries:\n" cat $OUTPUT fi fi # Backup disklabels of available disks # if checkyesno check_disklabels; then # migrate old disklabels for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \ $backup_dir/disklabel.* 2>/dev/null`; do migrate_file "$file" "$work_dir/${file##*/}" done # generate list of old disklabels, fdisks & wedges and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | egrep -v '\.(backup|current)(,v)?$' > $LABELS xargs rm < $LABELS # generate disklabels of all disks excluding: cd dk fd md st disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'` for i in $disks; do disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null done # if fdisk is available, generate fdisks for: ed ld sd wd if [ -x /sbin/fdisk ]; then disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'` for i in $disks; do /sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null done fi # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid if [ -x /sbin/dkctl ]; then disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'` for i in $disks; do /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null done fi # append list of new disklabels, fdisks and wedges ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | egrep -v '\.(backup|current)(,v)?$' >> $LABELS CHANGELIST="$LABELS $CHANGELIST" fi # Check for changes in the list of installed pkgs # if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then pkgs=$work_dir/pkgs migrate_file "$backup_dir/pkgs" "$pkgs" ( cd $pkgdb_dir $pkg_info | sort echo "" find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 | xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,' ) > $pkgs echo "$pkgs" > $PKGS CHANGELIST="$PKGS $CHANGELIST" fi # List of files that get backed up and checked for any modifications. # Any changes cause the files to rotate. # if checkyesno check_changelist ; then mtree -D -k type -f $SPECIALSPEC -E exclude | sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES ( # Add other files which might dynamically exist: # /etc/ifconfig.* # /etc/raid*.conf # /etc/rc.d/* # /etc/rc.conf.d/* # echo "/etc/ifconfig.*" echo "/etc/raid*.conf" echo "/etc/rc.d/*" echo "/etc/rc.conf.d/*" # Add /etc/changelist # if [ -s /etc/changelist ]; then grep -v '^#' /etc/changelist fi ) | while read file; do case "$file" in *[\*\?\[]*) # If changelist line is a glob ... # ... expand possible backup files # ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \ | sed "s,^$backup_dir/,, ; s,\.current$,," # ... expand possible files # ls -1d $(echo $file) 2>/dev/null ;; *) # Otherwise, just print the filename echo $file ;; esac done >> $CHANGEFILES CHANGELIST="$CHANGEFILES $CHANGELIST" fi # Special case backups, including the master password file and # ssh private host keys. The normal backup mechanisms for # $check_changelist (see below) also print out the actual file # differences and we don't want to do that for these files # echo $MP > $TMP1 # always add /etc/master.passwd mtree -D -k type -f $SPECIALSPEC -I nodiff | sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1 grep -v '^$' $TMP1 | sort -u > $TMP2 while read file; do backup_and_diff "$file" no done < $TMP2 if [ -n "$CHANGELIST" ]; then grep -h -v '^$' $CHANGELIST | sort -u > $TMP1 comm -23 $TMP1 $TMP2 | while read file; do backup_and_diff "$file" yes done fi if [ -f /etc/security.local ]; then . /etc/security.local > $OUTPUT 2>&1 if [ -s $OUTPUT ] ; then printf "\nRunning /etc/security.local:\n" cat $OUTPUT fi fi @ 1.104 log @The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @d3 1 a3 1 # $NetBSD: security,v 1.103 2007/08/09 07:50:58 tron Exp $ d217 10 a226 1 if (NF != 10 && ($1 != "+" || NF != 1)) d228 2 a229 2 if ($1 == "+" ) { if (NF != 1 && $3 == 0) d232 2 a233 1 next; d242 1 a242 1 if ($2 == "" && !nowarn_users[$1]) d257 2 d265 1 a265 1 if ($3 < 0) d267 1 a267 1 if ($4 < 0) @ 1.103 log @Add code to monitor the disk wedges (see dk(4)) configured on the system. Based on a patch contributed by Andreas Wrede in PR misc/36747. @ text @d3 1 a3 1 # $NetBSD: security,v 1.102 2007/06/06 13:30:48 martti Exp $ d31 1 d892 1 a892 1 pkg_info | sort @ 1.103.2.1 log @sync with HEAD @ text @d3 1 a3 1 # $NetBSD: security,v 1.104 2007/08/27 19:57:02 adrianp Exp $ a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d891 1 a891 1 $pkg_info | sort @ 1.103.2.2 log @sync with HEAD @ text @d3 1 a3 1 # $NetBSD$ d217 1 a217 10 # NIS compat entry? compatline = $1 ~ "^[\\+-]"; if (compatline) { if ($1 == "+" && NF == 1) { next; } sub("^.", "", $1); } if (NF != 10) d219 2 a220 2 if (compatline) { if ($3 == 0) d223 1 a223 2 if ($1 == "") next; d232 1 a232 1 if ($2 == "" && !compatline && !nowarn_users[$1]) a246 2 } else if (compatline && $10 == "") { # nothing d253 1 a253 1 if ($3 != "" && $3 < 0) d255 1 a255 1 if ($4 != "" && $4 < 0) @ 1.102 log @Use "mktemp -d -t xxx" to create the temporary directories. This will use TMPDIR environment variable if set, otherwise use /tmp. (misc/35544) @ text @d3 1 a3 1 # $NetBSD: security,v 1.101 2007/03/27 08:37:58 jnemeth Exp $ d852 2 a853 2 # generate list of old disklabels & fdisks and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null | d857 2 a858 2 # generate disklabels of all disks excluding: cd fd md st disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|st|nfs/ { print $1; }'` d871 10 a880 2 # append list of new disklabels and fdisks ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null | @ 1.101 log @PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d3 1 a3 1 # $NetBSD: security,v 1.100 2006/09/26 08:32:40 tron Exp $ d43 1 a43 1 SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 @ 1.100 log @Improve security check for "/etc/exports": 1.) Properly handle line continuation and network exports. 2.) Make the report more compact. Patch contributed by Jukka Salmi in PR bin/24583. @ text @d3 1 a3 1 # $NetBSD: security,v 1.99 2006/09/23 04:07:01 jmcneill Exp $ d498 1 a498 1 $2 ~ /^-....w/ && (!usergroups || $5 != $1) \ d500 1 a500 1 $2 ~ /^-.......w/ \ @ 1.100.2.1 log @Pull up following revision(s) (requested by jnemeth in ticket #627): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d3 1 a3 1 # $NetBSD$ d498 1 a498 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d500 1 a500 1 $2 ~ /^d.......w/ \ @ 1.100.2.1.2.1 log @Sync w/ NetBSD-4-RC_1 @ text @d3 1 a3 1 # $NetBSD: security,v 1.100.2.3 2007/08/24 16:32:01 liamjfoy Exp $ d43 1 a43 1 SECUREDIR=$(mktemp -d -t _securedir) || exit 1 d852 2 a853 2 # generate list of old disklabels, fdisks & wedges and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | d857 2 a858 2 # generate disklabels of all disks excluding: cd dk fd md st disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'` d871 2 a872 10 # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid if [ -x /sbin/dkctl ]; then disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'` for i in $disks; do /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null done fi # append list of new disklabels, fdisks and wedges ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | @ 1.100.2.1.2.2 log @Catch up with netbsd-4. @ text @d3 1 a3 1 # $NetBSD: security,v 1.100.2.1.2.1 2007/09/03 06:57:48 wrstuden Exp $ a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d891 1 a891 1 $pkg_info | sort @ 1.100.2.2 log @Pull up following revision(s) (requested by martti in ticket #708): etc/monthly: revision 1.11 etc/weekly: revision 1.23 etc/security: revision 1.102 etc/daily: revision 1.70 Use "mktemp -d -t xxx" to create the temporary directories. This will use TMPDIR environment variable if set, otherwise use /tmp. (misc/35544) @ text @d43 1 a43 1 SECUREDIR=$(mktemp -d -t _securedir) || exit 1 @ 1.100.2.3 log @Pull up following revision(s) (requested by tron in ticket #824): etc/security: revision 1.103 Add code to monitor the disk wedges (see dk(4)) configured on the system. Based on a patch contributed by Andreas Wrede in PR misc/36747. @ text @d3 1 a3 1 # $NetBSD: security,v 1.100.2.2 2007/06/06 14:58:14 liamjfoy Exp $ d852 2 a853 2 # generate list of old disklabels, fdisks & wedges and remove them ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | d857 2 a858 2 # generate disklabels of all disks excluding: cd dk fd md st disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'` d871 2 a872 10 # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid if [ -x /sbin/dkctl ]; then disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'` for i in $disks; do /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null done fi # append list of new disklabels, fdisks and wedges ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null | @ 1.100.2.4 log @Pull up following revision(s) (requested by adrianp in ticket #883): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @d3 1 a3 1 # $NetBSD$ a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d891 1 a891 1 $pkg_info | sort @ 1.99 log @PR #26490: /etc/security is not aware of sha1 passwords @ text @d3 1 a3 1 # $NetBSD: security,v 1.98 2006/05/25 02:38:10 lukem Exp $ d586 7 d594 9 a602 8 readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) readonly = 1; else if ($i ~ /^-network=/) next; else if ($i !~ /^-/) next; d605 2 a606 1 print "File system " $1 " globally exported, read-only." d608 18 a625 1 print "File system " $1 " globally exported, read-write." @ 1.98 log @Implement check_devices_ignore_paths, which is a list of paths to avoid traversing during check_devices. @ text @d3 1 a3 1 # $NetBSD: security,v 1.97 2006/04/17 07:38:53 veego Exp $ d238 1 @ 1.97 log @Don't try to backup a 'nfs' disklabel, which will happen because of the recent iostat changes. Patch supplied in pr# 33274 by Geoff C. Wing. @ text @d3 1 a3 1 # $NetBSD: security,v 1.96 2006/01/29 23:17:24 rpaulo Exp $ d611 23 a633 5 # Turn "foo !bar bax" into "-fstype foo -o ! -fstype bar -o -fstype bax" ignfstypes=`echo $check_devices_ignore_fstypes | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' \ -e's/^-o //'` find / \( $ignfstypes \) -a -prune -o \ d637 3 a639 1 xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT @ 1.96 log @PR 32666: /etc/security may cause tapes to rewind. By Duncan McEwan. @ text @d3 1 a3 1 # $NetBSD: security,v 1.95 2005/04/11 15:46:42 peter Exp $ d811 1 a811 1 disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|st/ { print $1; }'` @ 1.95 log @Allow an underscore as first character and embedded underscores & dots for login and group names. Fixes PR misc/29913 from Arto Selonen. @ text @d3 1 a3 1 # $NetBSD: security,v 1.94 2005/02/05 15:26:37 jdolecek Exp $ d810 2 a811 2 # generate disklabels of all disks excluding: cd fd md disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d/ { print $1; }'` @ 1.94 log @add a check_passwd_permin_nonalpha option, which changes the passwd test to permit non-alphanumeric characters in login names @ text @d3 1 a3 1 # $NetBSD: security,v 1.93 2004/11/21 19:00:12 kim Exp $ d225 1 a225 1 $1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/) d295 1 a295 1 if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/) @ 1.94.2.1 log @Pull up revision 1.95 (requested by peter in ticket #135): Allow an underscore as first character and embedded underscores & dots for login and group names. Fixes PR misc/29913 from Arto Selonen. @ text @d3 1 a3 1 # $NetBSD$ d225 1 a225 1 $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) d295 1 a295 1 if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) @ 1.94.2.1.2.1 log @Pull up following revision(s) (requested by jnemeth in ticket #1777): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d497 1 a497 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d499 1 a499 1 $2 ~ /^d.......w/ \ @ 1.94.2.1.2.2 log @Pull up following revision(s) (requested by martti in ticket #1800): etc/monthly: revision 1.11 etc/weekly: revision 1.23 etc/security: revision 1.102 etc/daily: revision 1.70 Use "mktemp -d -t xxx" to create the temporary directories. This will use TMPDIR environment variable if set, otherwise use /tmp. (misc/35544) @ text @d43 1 a43 1 SECUREDIR=$(mktemp -d -t _securedir) || exit 1 @ 1.94.2.1.2.3 log @Pull up following revision(s) (requested by adrianp in ticket #1841): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d836 1 a836 1 $pkg_info | sort @ 1.94.2.2 log @Pull up following revision(s) (requested by lukem in ticket #1377): etc/security: revision 1.98 share/man/man5/security.conf.5: revision 1.30 by patch etc/defaults/security.conf: revision 1.18 Implement check_devices_ignore_paths, which is a list of paths to avoid traversing during check_devices. @ text @d611 5 a615 23 # Convert check_devices_ignore_fstypes="foo !bar bax" # into "-fstype foo -o ! -fstype bar -o -fstype bax" # and check_devices_ignore_paths="/foo !/bar /bax" # into " -path /foo -o ! -path /bar -o -path /bax" # ignexpr=$(\ echo $check_devices_ignore_fstypes | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \ echo $check_devices_ignore_paths | \ sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \ ) # Massage the expression into ( $ignexpr ) -a -prune -o if [ -n "${ignexpr}" ]; then ignexpr=$(\ echo $ignexpr | \ sed -e 's/^-o /( /' \ -e 's/$/ ) -a -prune -o/' \ ) fi find / $ignexpr \ d619 1 a619 3 xargs -0 ls -ldgTq | sort +9 > $LIST ) 2> $OUTPUT @ 1.94.2.3 log @Pull up following revision(s) (requested by tron in ticket #1532): etc/security: revision 1.100 Improve security check for "/etc/exports": 1.) Properly handle line continuation and network exports. 2.) Make the report more compact. Patch contributed by Jukka Salmi in PR bin/24583. @ text @a584 7 # manage line continuation while ($NF ~ /^\\$/) { $NF = ""; line = $0 ""; getline; $0 = line $0 ""; } d586 8 a593 9 delete dir; readonly = ndir = 0; for (i = 1; i <= NF; ++i) { if ($i ~ /^\//) dir[ndir++] = $i; else if ($i ~ /^-/) { if ($i ~ /^-(ro|o)$/) readonly = 1; if ($i ~ /^-network/) next; } else next; d596 1 a596 2 for (item in dir) rodir[nrodir++] = dir[item]; d598 1 a598 18 for (item in dir) rwdir[nrwdir++] = dir[item]; } END { if (nrodir) { printf("Globally exported file system%s, read-only:\n", nrodir > 1 ? "s" : ""); for (item in rodir) printf("\t%s\n", rodir[item]); } if (nrwdir) { printf("Globally exported file system%s, read-write:\n", nrwdir > 1 ? "s" : ""); for (item in rwdir) printf("\t%s\n", rwdir[item]); } @ 1.94.2.3.2.1 log @Pull up following revision(s) (requested by jnemeth in ticket #1777): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d497 1 a497 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d499 1 a499 1 $2 ~ /^d.......w/ \ @ 1.94.2.3.2.2 log @Pull up following revision(s) (requested by martti in ticket #1800): etc/monthly: revision 1.11 etc/weekly: revision 1.23 etc/security: revision 1.102 etc/daily: revision 1.70 Use "mktemp -d -t xxx" to create the temporary directories. This will use TMPDIR environment variable if set, otherwise use /tmp. (misc/35544) @ text @d43 1 a43 1 SECUREDIR=$(mktemp -d -t _securedir) || exit 1 @ 1.94.2.3.2.3 log @Pull up following revision(s) (requested by adrianp in ticket #1841): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d882 1 a882 1 $pkg_info | sort @ 1.94.2.4 log @Pull up following revision(s) (requested by jnemeth in ticket #1777): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d497 1 a497 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d499 1 a499 1 $2 ~ /^d.......w/ \ @ 1.94.2.5 log @Pull up following revision(s) (requested by martti in ticket #1800): etc/monthly: revision 1.11 etc/weekly: revision 1.23 etc/security: revision 1.102 etc/daily: revision 1.70 Use "mktemp -d -t xxx" to create the temporary directories. This will use TMPDIR environment variable if set, otherwise use /tmp. (misc/35544) @ text @d43 1 a43 1 SECUREDIR=$(mktemp -d -t _securedir) || exit 1 @ 1.94.2.6 log @Pull up following revision(s) (requested by adrianp in ticket #1841): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a30 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d882 1 a882 1 $pkg_info | sort @ 1.93 log @When checking /etc/exports, account for "-network=XXX" as restricting the mount (i.e. it is not considered globally exported). Fixes PR: 26890 @ text @d3 1 a3 1 # $NetBSD: security,v 1.92 2004/09/28 15:03:58 erh Exp $ d186 3 d192 3 a194 1 -v "permit_star=$permit_star" ' d224 2 a225 1 if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/) @ 1.92 log @PR misc/7716: add configuration options find_core_ignore_fstypes and check_devices_ignore_fstypes to allow the filesystem types that are ignored during the daily and security runs to be adjusted. @ text @d3 1 a3 1 # $NetBSD: security,v 1.91 2004/07/23 06:12:16 lukem Exp $ d584 2 @ 1.91 log @Merge /etc/mtree/special & /etc/mtree/special.local using "mtree -M". This allows users to override mtree/special entries in mtree/special.local, which is useful if you've replaced a directory with a symlink (for example). This effectively makes $check_mtree_follow_symlinks=YES pointless, but I'm retaining that for compatibility reasons. Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex), which has existed for a long time but only failed with our awk; GNU awk seems to have permitted this. (This meant that the duplicate UID check was broken when using our awk.) Rename some temp files to more accurately reflect their purpose, to aid debugging. @ text @d3 1 a3 1 # $NetBSD: security,v 1.90 2004/04/09 17:33:35 kim Exp $ d602 6 a607 3 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype null \ -o -fstype procfs \) -a -prune -o \ @ 1.90 log @Catch STDERR from /etc/security.local (not just STDOUT). @ text @d3 1 a3 1 # $NetBSD: security,v 1.89 2004/04/02 13:13:47 jmmv Exp $ d52 11 a62 10 ERR=secure1.$$ TMP1=secure2.$$ TMP2=secure3.$$ MPBYUID=secure4.$$ MPBYPATH=secure5.$$ LIST=secure6.$$ OUTPUT=secure7.$$ LABELS=secure8.$$ PKGS=secure9.$$ CHANGEFILES=secure10.$$ d173 1 a173 1 awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID d175 3 d763 1 a763 4 for file in $special_files; do [ ! -s $file ] && continue mtree -e -l -p / $check_mtree_flags -f $file done 3>&1 >$OUTPUT 2>&3 | d838 2 a839 5 for file in $special_files; do [ ! -s $file ] && continue mtree -D -k type -f $file -E exclude | sed '/^type=file/!d ; s/type=file \.//' done > $CHANGEFILES d885 2 a886 5 for file in $special_files; do [ ! -s $file ] && continue mtree -D -k type -f $file -I nodiff | sed '/^type=file/!d ; s/type=file \.//' done >> $TMP1 @ 1.89 log @Introduce and use the rcvar_manpage variable, which contains the manual page name where the user should look at for documentation about rcvar. It defaults to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts. This variable is useful to let the daily, weekly, monthly and security scripts tune the warning message shown when any of the variables they handle is not properly set. Closes PR misc/23908. @ text @d3 1 a3 1 # $NetBSD: security,v 1.88 2004/02/09 09:04:13 jdolecek Exp $ d907 1 a907 1 . /etc/security.local > $OUTPUT @ 1.88 log @add missing && in the home directory group writability condition; gawk somehow coped even without (defaults to && ?), but nawk printed bogus warnings (defaults to || ?) @ text @d3 1 a3 1 # $NetBSD: security,v 1.87 2003/11/19 20:28:19 jhawk Exp $ d9 2 @ 1.88.6.1 log @Pull up following revision(s) (requested by jnemeth in ticket #11309): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d3 1 a3 1 # $NetBSD$ d485 1 a485 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d487 1 a487 1 $2 ~ /^d.......w/ \ @ 1.88.6.2 log @Pull up following revision(s) (requested by adrianp in ticket #11367): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a28 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d822 1 a822 1 $pkg_info | sort @ 1.88.2.1 log @Pull up following revision(s) (requested by jnemeth in ticket #11309): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d3 1 a3 1 # $NetBSD$ d485 1 a485 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d487 1 a487 1 $2 ~ /^d.......w/ \ @ 1.88.2.2 log @Pull up following revision(s) (requested by adrianp in ticket #11367): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a28 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d822 1 a822 1 $pkg_info | sort @ 1.88.4.1 log @Pull up following revision(s) (requested by jnemeth in ticket #11309): etc/security: revision 1.101 PR/36058 -- fix check for group/other writable home directories from Jukka Salmi @ text @d3 1 a3 1 # $NetBSD$ d485 1 a485 1 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ d487 1 a487 1 $2 ~ /^d.......w/ \ @ 1.88.4.2 log @Pull up following revision(s) (requested by adrianp in ticket #11367): etc/defaults/security.conf: revision 1.20 etc/security: revision 1.104 The location of the pkg_info binary can now be specified in /etc/security.conf. The default remains as /usr/sbin/pkg_info. This should fix PR# 36746. @ text @a28 1 pkg_info=${pkg_info:-/usr/sbin/pkg_info} d822 1 a822 1 $pkg_info | sort @ 1.87 log @Provide a workaround for PR bin/12900. When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty, a "Device not configured" error is returned. Filter mtree's stderr to ignore this error. If fdesc is fixed to not behave in this fashion, this workaround can be removed; bin/12900 should remain open until that time. @ text @d3 1 a3 1 # $NetBSD: security,v 1.86 2003/11/18 03:30:40 jhawk Exp $ d485 1 a485 1 $2 ~ /^-....w/ (!usergroups || $5 != $1) \ @ 1.86 log @In check_varmail (mailbox ownership/permissions check): Make ls -A explicit, to help n debugging when not run as root (-A is implied when ls is run as root) Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop) @ text @d3 1 a3 1 # $NetBSD: security,v 1.85 2003/11/18 03:23:53 jhawk Exp $ d760 2 a761 1 done > $OUTPUT @ 1.85 log @XXX: note pairwise cascaded test inversion in permit_star. Add checkyesno check_homes_permit_usergroups to allow group writability when the groupname matches the username. Defaults to off. @ text @d3 1 a3 1 # $NetBSD: security,v 1.84 2003/10/01 04:29:03 jhawk Exp $ d551 1 a551 1 ls -l /var/mail | \ d553 1 @ 1.84 log @Suppress output when running security.local if it produces no output. /etc/security should produce no output (and thus suppress the report) when nothing is wrong. While we're here, use printf instead of two echos, like the rest of the script. @ text @d3 1 a3 1 # $NetBSD: security,v 1.83 2003/02/21 22:47:51 jhawk Exp $ d177 2 d474 2 d482 2 a483 1 awk '$1 != $4 && $4 != "root" \ d485 1 a485 1 $2 ~ /^-....w/ \ d505 2 a506 1 awk '$1 != $5 && $5 != "root" \ d508 1 a508 1 $3 ~ /^-...r/ \ d512 1 a512 1 $3 ~ /^-....w/ \ d534 2 a535 1 awk '$1 != $5 && $5 != "root" \ d537 1 a537 1 $3 ~ /^-....w/ \ @ 1.83 log @Use $diff_options when running diff in /etc/security. Default diff_options to -u, for unified-format context diffs, because context is essential to a useful evaluation of differences. This represents a behavior change. Implements change-request PR security/17247 from Takahiro Kambe . @ text @d3 1 a3 1 # $NetBSD: security,v 1.82 2003/02/13 02:42:06 jhawk Exp $ d896 5 a900 3 echo "" echo "Running /etc/security.local:" . /etc/security.local @ 1.82 log @Under check_mtree, invoke mtree with -L if check_mtree_follow_symlinks is set. Apparently mtree -L is imperfect, but it is far better than the lack thereof if symlinks are involved reaching files mtree verifies. @ text @d3 1 a3 1 # $NetBSD: security,v 1.81 2003/02/13 01:55:10 jhawk Exp $ d133 1 a133 1 diff $CUR $_file > $OUTPUT d148 1 a148 1 diff /dev/null $_file d158 1 a158 1 diff $CUR /dev/null @ 1.81 log @Add some flexibility to /etc/security, by way of security.conf options: check_passwd_nowarn_shells Don't warn about these non-/etc/shells shells check_passwd_nowarn_users Don't warn about these users check_passwd_permit_star Don't warn about "*" in the $2 field Behavior change: check_passwd_nowarn_shells defaults to /sbin/nologin and /usr/libexec/uucp/uucico, so that it will not warn about the default master.passwd. The rationale here is that an administrator who chooses to permit these warnable conditions should not be warned about them day after day, yet should not be forced to disable check_passwd entirely. check_passwd_permit_star is primarily of interest to sites who use *'d entries for Kerberos or ssh logins, despite the fact that we permit "*ssh" (etc.) for this purpose (legacy). @ text @d3 1 a3 1 # $NetBSD: security,v 1.80 2003/01/06 20:30:30 wiz Exp $ d744 5 d751 1 a751 1 mtree -e -l -p / -f $file d761 1 a761 1 mtree -f $file -p $tree > $TMP1 @ 1.80 log @writable, not writeable. @ text @d3 1 a3 1 # $NetBSD: security,v 1.79 2002/08/20 07:53:51 elric Exp $ d177 5 a181 1 awk -v "len=$max_loginlen" ' d188 7 d207 2 a208 1 printf "Line %d includes entries with uid 0.\n", NR; d215 21 a235 17 printf "Login %s has more than "len" characters.\n", $1; if ($2 == "") printf "Login %s has no password.\n", $1; if (length($2) != 13 && length($2) != 20 && $2 !~ /^\$1/ && $2 !~ /^\$2/ && $2 != "" && $2 !~ /^\*[A-z-]+$/ && $1 != "toor") { if ($10 == "" || shells[$10]) printf "Login %s is off but still has a valid shell (%s)\n", $1, $10; } else if (! shells[$10]) printf "Login %s does not have a valid shell (%s)\n", $1, $10; if ($3 == 0 && $1 != "root" && $1 != "toor") @ 1.79 log @Added .k5login to the list of files that are checked in each user's home directory. Addresses PR: security/18000 @ text @d3 1 a3 1 # $NetBSD: security,v 1.78 2002/06/18 22:43:53 itojun Exp $ d306 1 a306 1 print "\tRoot umask is group writeable" d309 1 a309 1 print "\tRoot umask is other writeable" d326 1 a326 1 { print "\tRoot path directory " $10 " is group writeable." } \ d328 1 a328 1 { print "\tRoot path directory " $10 " is other writeable." }' \ d351 1 a351 1 { print "\tRoot umask is group writeable" } \ d353 1 a353 1 { print "\tRoot umask is other writeable" }' d370 1 a370 1 { print "\tRoot path directory " $10 " is group writeable." } \ d372 1 a372 1 { print "\tRoot path directory " $10 " is other writeable." }' \ d453 1 a453 1 # or writeable. d465 1 a465 1 { print "user " $1 " home directory is group writeable" } d467 1 a467 1 { print "user " $1 " home directory is other writeable" }' \ d491 1 a491 1 { print "user " $1 " " $2 " file is group writeable" } d493 1 a493 1 { print "user " $1 " " $2 " file is other writeable" }' \ d496 1 a496 1 # Files that should not be owned by someone else or writeable. d515 1 a515 1 { print "user " $1 " " $2 " file is group writeable" } d517 1 a517 1 { print "user " $1 " " $2 " file is other writeable" }' \ d638 1 a638 1 # writeable or not owned by root.operator. @ 1.78 log @md5/bcrypt password starts with $[12], so use ^ in regex @ text @d3 1 a3 1 # $NetBSD: security,v 1.77 2002/06/18 22:21:43 itojun Exp $ d498 6 a503 5 .cshrc .emacs .exrc .forward .history .klogin .login .logout \ .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc .twmrc \ .xinitrc .xsession .ssh/authorized_keys .ssh/authorized_keys2 \ .ssh/config .ssh/id_dsa.pub .ssh/id_rsa.pub .ssh/identity.pub \ .ssh/known_hosts .ssh/known_hosts2" @ 1.77 log @recognize md5/bcrypt password. noted by: Eric Jacoboni @ text @d3 1 a3 1 # $NetBSD: security,v 1.76 2002/06/10 16:04:48 atatat Exp $ d208 2 a209 2 $2 !~ /\$1/ && $2 !~ /\$2/ && @ 1.76 log @The check_rootdotfiles section mucks with the PATH setting, but never puts it back properly. As such, jobs run later that expect there to be a path will lose badly (eg, run lintpkgsrc -i from security.local). Let's just re-export the PATH. @ text @d3 1 a3 1 # $NetBSD: security,v 1.75 2002/05/21 13:50:46 lukem Exp $ d208 2 a209 1 length($2) != 34 && @ 1.75 log @Support shell metacharacters (`*', '?', '[') in /etc/changelist lines, including checks for "backups that exist when actual file is deleted", a la the existing mechanism used for "/etc/ifconfig.*" ... "/etc/rc.d/*" checks. This resolves [security/15798] from Bob Kemp . @ text @d3 1 a3 1 # $NetBSD: security,v 1.74 2001/12/18 00:44:20 lukem Exp $ d317 1 a317 1 PATH=$SAVE_PATH d361 1 a361 1 PATH=$SAVE_PATH @ 1.75.2.1 log @Pull up revision 1.76 (requested by atatat in ticket #235): The check_rootdotfiles section mucks with the PATH setting, but never puts it back properly. As such, jobs run later that expect there to be a path will lose badly (eg, run lintpkgsrc -i from security.local). Let's just re-export the PATH. @ text @d3 1 a3 1 # $NetBSD$ d317 1 a317 1 export PATH=$SAVE_PATH d361 1 a361 1 export PATH=$SAVE_PATH @ 1.75.2.2 log @Pull up revisions 1.77-1.78 (requested by itojun in ticket #631): 1.77: recognize md5/bcrypt password. noted by: Eric Jacoboni 1.78: md5/bcrypt password starts with $[12], so use ^ in regex @ text @d208 1 a208 2 $2 !~ /^\$1/ && $2 !~ /^\$2/ && @ 1.74 log @Add nullfs to the list of file system types to skip during the "big finds". Fix from Alan Barrett in [misc/14957]. @ text @d3 1 a3 1 # $NetBSD: security,v 1.73 2001/11/09 09:01:20 lukem Exp $ d809 1 d816 4 a819 11 ls -1d $backup_dir/etc/ifconfig.*.current \ $backup_dir/etc/raid*.conf.current \ $backup_dir/etc/rc.d/*.current \ $backup_dir/etc/rc.conf.d/*.current \ 2>/dev/null | sed "s,^$backup_dir/,/, ; s,\.current$,," >> $CHANGEFILES ls -1d /etc/ifconfig.* \ /etc/raid*.conf \ /etc/rc.d/* \ /etc/rc.conf.d/* \ 2>/dev/null >> $CHANGEFILES d823 21 a843 4 if [ -s /etc/changelist ]; then grep -v '^#' /etc/changelist >> $CHANGEFILES fi @ 1.73 log @remove blank lines from the lists of files to backup_and_diff @ text @d3 1 a3 1 # $NetBSD: security,v 1.72 2001/10/18 16:08:24 lukem Exp $ d571 1 @ 1.72 log @add -dgq to check_pkgs ls(1). suggested by @@@@@@ @ text @d3 1 a3 1 # $NetBSD: security,v 1.71 2001/10/18 14:50:17 taca Exp $ d846 1 a846 1 sort -u $TMP1 > $TMP2 d854 1 a854 1 cat $CHANGELIST | sort -u > $TMP1 @ 1.71 log @Add -T option to ls(1) when -l option is specified. This fixes none-changed files under ${backup_dir}/pkgs as bellow: ====== /var/backups/pkgs diffs (OLD < > NEW) ====== 159c159 < -rw-r--r-- 1 root wheel 528 Apr 19 01:11 ja-less-332/+CONTENTS --- > -rw-r--r-- 1 root wheel 528 Apr 19 2001 ja-less-332/+CONTENTS @ text @d3 1 a3 1 # $NetBSD: security,v 1.70 2001/10/15 03:00:22 lukem Exp $ d792 1 a792 1 xargs -0 ls -lT | sort -t. +1 | sed -e 's, \./, ,' @ 1.70 log @Use "nodiff" instead of "nomail" for the tag which is used to exclude files from having the changes diff generated. Suggested by Michael Graff. @ text @d3 1 a3 1 # $NetBSD: security,v 1.69 2001/10/14 00:42:31 lukem Exp $ d792 1 a792 1 xargs -0 ls -l | sort -t. +1 | sed -e 's, \./, ,' @ 1.69 log @minor optimisation suggested by christos @ text @d3 1 a3 1 # $NetBSD: security,v 1.68 2001/10/13 14:22:11 lukem Exp $ d843 1 a843 1 mtree -D -k type -f $file -I nomail | @ 1.68 log @A few more changes, from more discussions with Andrew Brown. - Resurrect /etc/changelist, even if it's an "empty" file by default, because it's easier to use than /etc/mtree/special.local for adding a couple of simple files. Back by popular demand (hi @@@@@@! :-) - Add /etc/rc.d/* to the list of "dynamic" files; this notices changes in user-added scripts - Only calculate the mtree -I nomail list once, and re-use - Use "cat foo | while read file" instead of "for file in `cat foo`" ; handles whitespace better... @ text @d3 1 a3 1 # $NetBSD: security,v 1.67 2001/10/12 05:18:23 lukem Exp $ d848 1 a848 1 cat $TMP2 | while read file; do d850 1 a850 1 done @ 1.67 log @Major overhaul, with help from Andrew Brown . Features: - Add a bunch of stuff to /etc/mtree/special to enable removal of /etc/changelist: - files which we want to monitor for changes but don't want to see the diffs of (master.passwd, ssh_host_key, ...) are tagged with "nomail" - files which we don't want to monitor are tagged with "exclude" (such as netgroup.db, kvm.db, ...) - monitor /etc/mtree/special.local, /root/.ssh/* - remove /etc/changelist, and a bunch of XXX comments - use mtree(8)'s -D, -I, and -E to generate lists of files to actually do the changelist stuff on. - support /etc/mtree/special.local as an optional user-provided version of /etc/mtree/special (effectively, an enhanced /etc/changelist) - Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/* including support for these files being added and removed at will. - If /sbin/fdisk exists, backup the output of "fdisk $disk" for all the active disk drives as part of $check_disklabels - Check permissions on: ~/.ssh/* ~/.shosts Details: - Reorder initialisation of defaults - Remove special case for /etc/master.passwd "monitor but don't email diffs" with general case for other similar files. - Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...) in "$backup_dir/work", to minimise name clashes. - Add migrate_file(old, new) to do the hard work of migrating files from the old `top level' /var/backups mechanism to the `full path' mechanism recently added. Use this appropriately. - Add backup_and_diff(file, printdiffs), to the hard work of backing-up and diff-ing files. - Cleanup use of shell redirects - /bin/sh supports ~root globbing, so use it. - Improve umask checking; use awk regex rather than awk math @ text @d3 1 a3 1 # $NetBSD: security,v 1.66 2001/10/05 01:06:17 lukem Exp $ d808 1 a808 1 # Add other files which might dynamically exist, including: d811 1 d813 6 a818 3 ls -1d $backup_dir/etc/ifconfig.*.current \ $backup_dir/etc/raid*.conf.current \ $backup_dir/etc/rc.conf.d/*.current 2>/dev/null | d820 4 a823 1 ls -1d /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/* \ d826 6 d846 3 a848 1 for file in `sort -u $TMP1`; do d855 1 a855 10 echo "$MP" > $TMP2 # always exclude /etc/master.passwd for file in $special_files; do [ ! -s $file ] && continue mtree -D -k type -f $file -I nomail | sed '/^type=file/!d ; s/type=file \.//' done >> $TMP2 sort -u -o $TMP2 $TMP2 for file in `comm -23 $TMP1 $TMP2`; do @ 1.66 log @minor whitespace fix @ text @d3 1 a3 1 # $NetBSD: security,v 1.65 2001/10/03 15:41:25 lukem Exp $ d23 18 d43 1 a43 1 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT a49 8 if [ -z "$max_loginlen" ];then max_loginlen=8 fi if [ -z "$max_grouplen" ]; then max_grouplen=8 fi d59 2 d62 104 a165 4 # Handle backup_dir not being set in .conf file backup_dir=${backup_dir:-/var/backups} CHANGELIST="" pkgdb_dir=${pkgdb_dir:-/var/db/pkg} a166 1 MP=/etc/master.passwd d168 2 a169 1 # these is used several times. d173 1 a249 16 # Backup the master password file; a special case, the normal backup # mechanisms also print out file differences and we don't want to do # that because this file has encrypted passwords in it. # CUR=$backup_dir/${MP##*/}.current BACK=$backup_dir/${MP##*/}.backup if [ -s $CUR ] ; then if cmp -s $CUR $MP; then : else backup_file update $MP $CUR $BACK fi else backup_file add $MP $CUR $BACK fi d290 1 a290 2 > $OUTPUT rhome=`csh -fc "echo ~root"` d295 2 a296 1 if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then d300 2 a301 5 # both the 020 and 002 bits are set. # We handle this in decimal initially to extract the # digits, and then extract the `2' bit of each digit. # This is made especially painful because # bitwise operations were left out of awk. d304 1 a304 5 g= ($2 % 100) - ($2 % 10); g /= 10; g = g % 4; g -= g % 2; if (g != 2) { d307 1 a307 4 o = ($2 % 10); o = o % 4; o -= o % 2; if (o != 2) { d310 1 a310 1 }' | sort -u >> $OUTPUT d328 1 a328 1 < $TMP1 >> $OUTPUT d330 1 a330 1 done a340 2 > $OUTPUT rhome=/root d349 1 a349 1 awk '$2 % 100 < 20 \ d351 2 a352 3 $2 % 10 < 2 \ { print "\tRoot umask is other writeable" }' \ >> $OUTPUT d372 1 a372 1 < $TMP1 >> $OUTPUT d375 1 a375 1 done a389 1 > $OUTPUT d393 1 a393 1 printf "\t$i is not denied\n" >> $OUTPUT d395 1 a395 1 done d474 1 a474 1 list=".Xauthority .netrc" d498 4 a501 2 .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ .xsession" d592 4 a595 3 CUR=$backup_dir/setuid.current BACK=$backup_dir/setuid.backup d657 4 a660 2 CUR=$backup_dir/device.current BACK=$backup_dir/device.backup d715 1 a715 2 # # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure d717 1 a717 1 # chmod 600 DIR.secure d725 4 a728 1 mtree -e -l -p / -f /etc/mtree/special > $OUTPUT a733 1 > $OUTPUT d739 2 a740 2 printf "\nChecking $tree:\n" >> $OUTPUT cat $TMP1 >> $OUTPUT d742 1 a742 1 done d752 8 a759 2 # generate list of old disklabels and remove them ls -1d $backup_dir/disklabel.* 2>/dev/null | d763 1 d766 1 a766 2 dlf="$backup_dir/disklabel.$i" disklabel $i > $dlf 2>/dev/null d769 10 a778 2 # append list of new disklabels, sort list ls -1d $backup_dir/disklabel.* 2>/dev/null | a779 1 sort -u -o $LABELS $LABELS d786 2 a787 1 pkgs=$backup_dir/pkgs d794 1 a794 1 echo $pkgs > $PKGS d798 1 a798 2 # List of files that get backed up and checked for any modifications. Each # file is expected to have two backups, $backup_dir/file.{current,backup}. d801 36 a836 3 if checkyesno check_changelist && [ -s /etc/changelist ] ; then CHANGELIST="/etc/changelist $CHANGELIST" fi d839 12 a850 41 for file in `egrep -hv "^#|$MP" $CHANGELIST`; do # old changelist backup names OCUR=$backup_dir/${file##*/}.current OBACK=$backup_dir/${file##*/}.backup # new changelist backup names CUR=$backup_dir$file.current BACK=$backup_dir$file.backup # roll over old backups if [ ! -d ${CUR%/*} ]; then mkdir -p ${CUR%/*} fi if [ -f $OCUR -a ! -f $CUR ]; then mv $OCUR $CUR fi if [ -f $OCUR,v -a ! -f $CUR,v ]; then mv $OCUR,v $CUR,v fi if [ -f $OBACK -a ! -f $BACK ]; then mv $OBACK $BACK fi # and down to work if [ -f $file ]; then if [ -f $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file cat $OUTPUT backup_file update $file $CUR $BACK fi else printf "\n======\n%s added\n======\n" $file diff /dev/null $file backup_file add $file $CUR $BACK fi else if [ -f $CUR ]; then printf "\n======\n%s removed\n======\n" $file diff $CUR /dev/null backup_file remove $file $CUR $BACK fi fi @ 1.65 log @replace "pkg_dbdir" with "pkgdb_dir", to be consistent with "backup_dir" @ text @d3 1 a3 1 # $NetBSD: security,v 1.64 2001/10/03 07:04:32 cjs Exp $ d93 2 a94 2 if (length($2) != 13 && length($2) != 20 && d206 1 a206 1 # This is made especially painful because @ 1.64 log @Since we store the output of ls for use later, make sure that we have TZ=UTC. (Otherwise time zone changes cause us to believe that files have changed when they have not.) @ text @d3 1 a3 1 # $NetBSD: security,v 1.63 2001/10/03 00:12:17 lukem Exp $ d53 1 a53 1 pkg_dbdir=${pkg_dbdir:-/var/db/pkg} d683 1 a683 1 if checkyesno check_pkgs && [ -d $pkg_dbdir ]; then d685 1 a685 1 ( cd $pkg_dbdir @ 1.63 log @- clean up a couple of comments - reformat some awk blocks - replace "sed 1d | awk '...'" with "awk 'NR==1 {next;} ...'" @ text @d3 1 a3 1 # $NetBSD: security,v 1.62 2001/10/01 02:21:20 atatat Exp $ d17 1 @ 1.62 log @Add a chunk of code to check the installed pkgs list by making a list of all installed pkgs and their +CONTENTS and +REQUIRED_BY files (if they have one) and handling this file along with all the other CHANGELIST stuff. Greg Woods gets points for coming up with the idea. Luke Mewburn asked me to do it, and provided lots of criticism along the way. @ text @d3 1 a3 1 # $NetBSD: security,v 1.61 2001/09/24 03:19:43 lukem Exp $ d201 5 a205 5 # double check the umask value itself; ensure that both the # 020 and 002 bits are set. # we handle this in decimal initially to extract the digits, # and then extract the `2' bit of each digit. # this is made especially painful because d208 15 a222 10 awk '{ g= ($2 % 100) - ($2 % 10); g /= 10; g = g % 4; g -= g % 2; if (g != 2) { print "\tRoot umask is group writeable" } o = ($2 % 10); o = o % 4; o -= o % 2; if (o != 2) { print "\tRoot umask is other writeable" } }' | sort -u >> $OUTPUT d440 8 a447 5 ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT d667 1 a667 1 disks=`iostat -x | sed 1d | awk '$1 !~ /^[cfm]d/ { print $1; }'` @ 1.61 log @remove acd (non existant), add ld (for hw raid logical drives) @ text @d3 1 a3 1 # $NetBSD: security,v 1.60 2001/09/23 19:51:20 perry Exp $ d47 1 d51 2 a650 2 CHANGELIST="" d669 15 a683 1 CHANGELIST=$LABELS @ 1.60 log @add raid, remove cd drives and floppy drives from the nightly disk permissions checks. note: This whole thing needs to be rototilled. And yes, I'm volunteering to do it. @ text @d3 1 a3 1 # $NetBSD: security,v 1.59 2001/09/23 19:10:25 perry Exp $ d539 1 a539 1 DISKLIST="acd ccd ch hk hp md ra raid rb rd rl rx \ @ 1.59 log @Update the password sanity checking thusly: 1) If a password entry is of the form \*[A-z-]+, do not complain that the account is off but has a valid password. Thus you can do passwords like *ssh to indicate ssh only logins. We should come up with a standard scheme for what various *keywords mean. Note that if the field length is 13, 20 or 34 you'll still get bitched at. This code should be cleaned up. (So should the password scheme.) 2) If the entry is for "toor", don't complain that the account is off but has a valid shell. We ship with toor:*:, there is no point in complaining about it. Part of the campaign against spurious security warning output. @ text @d3 1 a3 1 # $NetBSD: security,v 1.58 2001/09/22 04:06:23 perry Exp $ d539 1 a539 1 DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx \ @ 1.58 log @run mtree on the special file using the new -l option, so it will not complain about things like files set 444 instead of 644. part of the campaign against spurious output in the nightly security run. @ text @d3 1 a3 1 # $NetBSD: security,v 1.57 2001/08/26 11:55:38 simonb Exp $ d89 6 a94 1 if (length($2) != 13 && length($2) != 20 && length($2) != 34 && $2 != "") { @ 1.57 log @Remove rz/tz support for pmax, switch to MI SCSI. @ text @d3 1 a3 1 # $NetBSD: security,v 1.56 2001/06/18 10:54:02 lukem Exp $ d621 1 a621 1 mtree -e -p / -f /etc/mtree/special > $OUTPUT @ 1.56 log @use mktemp(1) to create temporary directories, and ensure that cleanup traps are setup asap. @ text @d3 1 a3 1 # $NetBSD: security,v 1.55 2001/06/14 07:50:07 lukem Exp $ d534 2 a535 2 DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ sd se ss tz uk up vnd wd xd xy" @ 1.55 log @use symbolic signal names instead of numbers @ text @d3 1 a3 1 # $NetBSD: security,v 1.54 2001/05/10 14:19:27 atatat Exp $ d22 3 a24 5 SECUREDIR=/tmp/_securedir.$$ if ! mkdir $SECUREDIR; then echo can not create $SECUREDIR. exit 1 fi d26 2 a27 2 if ! cd $SECUREDIR; then echo can not chdir to $SECUREDIR. d32 1 a32 1 max_loginlen=8 d36 1 a36 1 max_grouplen=8 a46 2 trap '/bin/rm -rf $SECUREDIR ; exit 0' EXIT INT QUIT @ 1.54 log @When backing files listed in /etc/changelist, instead of truncating to the basename of the file, use the whole path with $backup_dir prepended, in effect mirrorring the directory tree. This eliminates the possibility of a name collision. Closes pr bin/12727. @ text @d3 1 a3 1 # $NetBSD: security,v 1.53 2001/05/10 14:10:15 atatat Exp $ d50 1 a50 1 trap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 @ 1.53 log @Allow embedded hyphens in user names (and group names), just not as the first or last character. @ text @d3 1 a3 1 # $NetBSD: security,v 1.52 2001/04/04 03:17:19 atatat Exp $ d680 20 a699 2 CUR=$backup_dir/${file##*/}.current BACK=$backup_dir/${file##*/}.backup @ 1.52 log @Provide the capability of storing backups via RCS instead of just a "current" and a "last" (which is useless if you wanna know what you changed last week). Set the default to on. @ text @d3 1 a3 1 # $NetBSD: security,v 1.51 2001/03/15 02:23:47 hubertf Exp $ d86 1 a86 1 if ($1 !~ /^[A-Za-z0-9]*$/) d162 1 a162 1 if ($1 !~ /^[A-za-z0-9]*$/) @ 1.51 log @Run skeyaudit (only) from /etc/daily instead of /etc/security, else there's some risk that the users don't get warned if an admin turns off running /etc/security (by putting run_security=no into daily.conf). Fixes PR 12267. @ text @d3 1 a3 1 # $NetBSD: security,v 1.50 2001/03/12 16:48:13 atatat Exp $ d142 1 a142 3 cp -p $CUR $BACK cp -p $MP $CUR chown root:wheel $CUR d145 1 a145 2 cp -p $MP $CUR chown root:wheel $CUR d525 1 a525 2 cp $CUR $BACK cp $TMP1 $CUR d531 1 a531 1 cp $TMP1 $CUR d594 1 a594 2 cp $CUR $BACK cp $TMP1 $CUR d600 1 a600 1 cp $TMP1 $CUR >> $ERR d654 1 a654 1 egrep -v '\.(backup|current)$' > $LABELS d665 1 a665 1 egrep -v '\.(backup|current)$' >> $LABELS d688 1 a688 3 mv -f $CUR $BACK cp -p $file $CUR chown root:wheel $CUR d693 1 a693 2 cp -p $file $CUR chown root:wheel $CUR d699 1 a699 1 mv -f $CUR $BACK @ 1.50 log @Allow md5 passwords of length 34 as passwords @ text @d3 1 a3 1 # $NetBSD: security,v 1.49 2001/02/11 09:55:09 jdolecek Exp $ a710 6 fi # run skeyaudit to inform users of ready to expire S/Keys # if checkyesno run_skeyaudit; then skeyaudit @ 1.49 log @Introduce max_grouplen - this determines the maximum permitted length of group names, similarily to max_loginlen @ text @d3 1 a3 1 # $NetBSD: security,v 1.48 2001/01/09 17:30:29 abs Exp $ d93 1 a93 1 if (length($2) != 13 && length($2) != 20 && $2 != "") { @ 1.48 log @Add a new variable 'backup_dir', which can be used to change the backup directory from /var/backup (useful for those of us who have a separate /var and would like to have our backup disklabels on the root filesystem). Default behaviour unchanged. backup_dir being unset is taken as /var/backup. @ text @d3 1 a3 1 # $NetBSD: security,v 1.47 2000/10/07 07:36:56 lukem Exp $ d37 4 d155 1 a155 1 awk -F: '{ d168 2 a169 2 if (length($1) > 8) printf "Group %s has more than 8 characters.\n", $1; @ 1.47 log @use ${foo##*/} instead of `basename $foo`. as suggested (with minor variation) by Toru Nishimura @ text @d3 1 a3 1 # $NetBSD: security,v 1.46 2000/09/10 21:27:50 christos Exp $ d48 3 d132 2 a133 2 CUR=/var/backups/${MP##*/}.current BACK=/var/backups/${MP##*/}.backup d493 2 a494 2 CUR=/var/backups/setuid.current BACK=/var/backups/setuid.backup d558 2 a559 2 CUR=/var/backups/device.current BACK=/var/backups/device.backup d654 1 a654 1 ls -1d /var/backups/disklabel.* 2>/dev/null | d660 1 a660 1 dlf="/var/backups/disklabel.$i" d665 1 a665 1 ls -1d /var/backups/disklabel.* 2>/dev/null | d672 1 a672 1 # file is expected to have two backups, /var/backups/file.{current,backup}. d681 2 a682 2 CUR=/var/backups/${file##*/}.current BACK=/var/backups/${file##*/}.backup @ 1.46 log @PR/10982: kilbi@@rad.rwth-aachen.de: Don't confuse printf with usernames that start with -. @ text @d3 1 a3 1 # $NetBSD: security,v 1.45 2000/07/02 22:27:47 sommerfeld Exp $ d129 2 a130 2 CUR=/var/backups/`basename $MP`.current BACK=/var/backups/`basename $MP`.backup d678 2 a679 2 CUR=/var/backups/`basename $file`.current BACK=/var/backups/`basename $file`.backup @ 1.45 log @Fix pr9320: improve umask checking for root's dotfiles. Now even notices bogus umasks like 044 @ text @d3 1 a3 1 # $NetBSD: security,v 1.44 2000/05/26 17:08:21 ad Exp $ d334 1 a334 1 printf "$uid: $rhost\n" d345 1 a345 1 printf "$uid: + in .rhosts file.\n" d361 1 a361 1 printf "$uid $file\n" d382 1 a382 1 printf "$uid $f `ls -ldgT $file`\n" d407 1 a407 1 printf "$uid $f `ls -ldgT $file`\n" @ 1.44 log @We may as well allow local additions to /etc/security, since it gets done for the other periodic checks. @ text @d3 1 a3 1 # $NetBSD: security,v 1.43 2000/05/05 18:28:53 itojun Exp $ d190 1 a190 1 if egrep umask $i > /dev/null ; then d193 17 a209 6 egrep umask $i | awk '$2 % 100 < 20 \ { print "\tRoot umask is group writeable" } $2 % 10 < 2 \ { print "\tRoot umask is other writeable" }' \ >> $OUTPUT @ 1.44.4.1 log @pullup 1.45: fix root umask check to have a chance of working. approved by thorpej @ text @d3 1 a3 1 # $NetBSD: security,v 1.45 2000/07/02 22:27:47 sommerfeld Exp $ d190 1 a190 1 if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then d193 6 a198 17 # double check the umask value itself; ensure that both the # 020 and 002 bits are set. # we handle this in decimal initially to extract the digits, # and then extract the `2' bit of each digit. # this is made especially painful because # bitwise operations were left out of awk. egrep '^[ \t]*umask[ \t]+[0-7]+' $i | awk '{ g= ($2 % 100) - ($2 % 10); g /= 10; g = g % 4; g -= g % 2; if (g != 2) { print "\tRoot umask is group writeable" } o = ($2 % 10); o = o % 4; o -= o % 2; if (o != 2) { print "\tRoot umask is other writeable" } }' | sort -u >> $OUTPUT @ 1.44.4.2 log @Pull up revision 1.58 (requested by lukem): Run mtree on the special file using the new ``-l'' option, so it will not complain about things like files set to 444 instead of 644. @ text @d3 1 a3 1 # $NetBSD: security,v 1.44.4.1 2000/07/03 02:27:20 sommerfeld Exp $ d623 1 a623 1 mtree -e -l -p / -f /etc/mtree/special > $OUTPUT @ 1.44.4.3 log @pullup 1.77-1.78 via patch (itojun) understand md5 password @ text @d3 1 a3 1 # $NetBSD: security,v 1.44.4.2 2001/12/09 17:44:18 he Exp $ d86 1 a86 2 if (length($2) != 13 && length($2) != 20 && $2 !~ /^\$1/ && $2 !~ /^\$2/ && $2 != "") { @ 1.43 log @check /etc/mail/aliases on check_aliases. /etc/aliases will be checked as well, if exists (for backward compatibility). @ text @d3 1 a3 1 # $NetBSD: security,v 1.42 2000/04/24 23:46:37 fair Exp $ d699 6 @ 1.42 log @Add skeyaudit to /etc/security (with a variable to disable) per PR 5871 @ text @d3 1 a3 1 # $NetBSD: security,v 1.41 2000/01/15 01:15:12 christos Exp $ d294 1 a294 1 # Uudecode should not be in the /etc/aliases file. d297 5 a301 3 if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then printf "\nEntry for uudecode in /etc/aliases file.\n" fi @ 1.41 log @Use cat -f to avoid denial of service attacks by people who make .rhosts files fifos. @ text @d3 1 a3 1 # $NetBSD: security,v 1.40 1999/09/05 15:11:42 perry Exp $ d691 6 @ 1.40 log @We already had logic not to try to grab the disklabels of md's and fd's -- add cd's to the list. @ text @d3 1 a3 1 # $NetBSD: security,v 1.39 1999/07/22 00:47:50 hubertf Exp $ d331 1 a331 1 egrep '\+' ${homedir}/.rhosts > /dev/null ; then @ 1.39 log @Use standard variable "$0" for the whole line instead of the non-standard, undocumented "$LINE". Submitted in PR 7041 by Greg A. Woods @ text @d3 1 a3 1 # $NetBSD: security,v 1.38 1999/04/23 08:20:28 kleink Exp $ d642 1 a642 1 disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` @ 1.38 log @Get rid of old-style chown operands. @ text @d3 1 a3 1 # $NetBSD: security,v 1.37 1999/03/17 19:11:05 wrstuden Exp $ d60 1 a60 1 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) d430 1 a430 1 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) @ 1.37 log @Add a commented-out duplicate id checker which doesn't exclude toor, and add a comment saying how to switch it on. @ text @d3 1 a3 1 # $NetBSD: security,v 1.36 1999/03/17 02:58:11 wrstuden Exp $ d137 1 a137 1 chown root.wheel $CUR d141 1 a141 1 chown root.wheel $CUR d601 1 a601 1 # chown root.wheel DIR.secure d675 1 a675 1 chown root.wheel $CUR d681 1 a681 1 chown root.wheel $CUR @ 1.37.2.1 log @Pull up revision 1.40: Don't try to grab disklabels from CDs. (perry) @ text @d3 1 a3 1 # $NetBSD: security,v 1.37 1999/03/17 19:11:05 wrstuden Exp $ d642 1 a642 1 disks=`iostat -x | sed 1d | awk '$1 !~ /^[cfm]d/ { print $1; }'` @ 1.36 log @Modify duplicate user id check to exclude "toor". Any other uid 0 accounts will generate a message with that (those) account names, root, and toor present in the list. @ text @d3 1 a3 1 # $NetBSD: security,v 1.35 1999/03/16 06:18:17 fair Exp $ d111 5 a115 2 # the corner case of a "toor " account is caught in the invalid character # test above. @ 1.35 log @Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home directories with -maproot=nobody on the server. The argument to be made is that if NetBSD's root can't read these files, it shouldn't try to check them. @ text @d3 1 a3 1 # $NetBSD: security,v 1.34 1999/02/18 18:53:33 abs Exp $ d111 3 a113 1 < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 @ 1.34 log @Handle + in master.passwd (From PR#4802). Also, handle + in group and allow max_loginlen to be configurable. @ text @d3 1 a3 1 # $NetBSD: security,v 1.33 1998/09/14 19:42:42 tv Exp $ d325 1 a325 1 if [ -f ${homedir}/.rhosts ] && \ @ 1.33 log @Nix "Login %s is off but still has a valid shell" warning for 20-character encrypted passwords generated by the NEWSALT option to passwd(1). @ text @d3 1 a3 1 # $NetBSD: security,v 1.32 1998/08/25 13:47:29 lukem Exp $ d33 4 d51 1 a51 1 awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPBYUID d57 1 a57 1 awk ' d72 1 a72 1 if (NF != 10) d74 5 d82 2 a83 2 if (length($1) > 8) printf "Login %s has more than 8 characters.\n", $1; d148 1 a148 1 if (NF != 4) d150 3 @ 1.32 log @* if $check_disklabels=YES, backup and compare of disklabels of current disks. should detect added or removed disks as well. backup labels go in /var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the changelist style backups have .current or .backup suffixes * minor whitespace, formatting, and comment cleanup @ text @d3 1 a3 1 # $NetBSD: security,v 1.31 1998/01/26 12:02:55 lukem Exp $ d77 1 a77 1 if (length($2) != 13 && $2 != "") { @ 1.31 log @include rc.subr and use appropriately @ text @d3 1 a3 1 # $NetBSD: security,v 1.30 1997/10/08 16:13:44 mycroft Exp $ d40 1 d51 1 d114 1 d131 1 d165 1 d262 1 d278 1 d286 1 d326 1 d395 1 d408 4 a411 4 if checkyesno check_nfs; then if [ -f /etc/exports ]; then # File systems should not be globally exported. awk '{ d427 2 a428 2 }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then a430 1 fi d435 1 d591 1 d615 23 d641 1 d643 5 a647 1 for file in `egrep -v "^#|$MP" /etc/changelist`; do @ 1.30 log @Deal with files in the changelist that are added or removed. * When a file is removed, move its .current file to .backup. * When a file is added, create its .current file. * In either case, send a diff against /dev/null. Mostly from Jim Bernard in PR 4183, with the removal case fixed. @ text @d3 1 a3 1 # $NetBSD: security,v 1.29 1997/09/23 14:36:56 lukem Exp $ d9 7 d50 1 a50 1 if [ "$check_passwd" = YES ]; then d128 1 a128 1 if [ "$check_group" = YES ]; then d161 1 a161 1 if [ "$check_rootdotfiles" = YES ]; then d257 1 a257 1 if [ "$check_ftpusers" = YES ]; then d272 1 a272 1 if [ "$check_aliases" = YES ]; then d279 1 a279 1 if [ "$check_rhosts" = YES ]; then d318 1 a318 1 if [ "$check_homes" = YES ]; then d386 1 a386 1 if [ "$check_varmail" = YES ]; then d398 1 a398 1 if [ "$check_nfs" = YES ]; then d426 1 a426 1 if [ "$check_devices" = YES ]; then d581 1 a581 1 if [ "$check_mtree" = YES ]; then d607 1 a607 1 if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then @ 1.29 log @- use 'ftpd -C user' to check the format of /etc/ftpusers. closes [security/4061] - rename $MPPATH to $MPBYPATH, to clarify its use @ text @d3 1 a3 1 # $NetBSD: security,v 1.28 1997/09/18 05:16:19 lukem Exp $ d604 2 a605 2 if [ -s $file ]; then if [ -s $CUR ] ; then d610 1 a610 1 cp -p $CUR $BACK d612 1 a612 1 chown root.wheel $CUR $BACK d615 2 d619 6 @ 1.28 log @- don't print "Checking setuid files and devices:" if no problems found (solves [security/4047]) - minor cleanup (rename a couple of variables, etc) @ text @d3 1 a3 1 # $NetBSD: security,v 1.27 1997/08/22 09:40:17 lukem Exp $ d30 1 a30 1 MPPATH=secure5.$$ d40 1 a40 1 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPPATH a249 1 # XXX This should be updated to support the new format... d254 2 a255 2 if ! egrep "^$i$" /etc/ftpusers > /dev/null ; then printf "\t$i is not present\n" \ >> $OUTPUT d302 1 a302 1 done < $MPPATH > $OUTPUT d317 1 a317 1 done < $MPPATH | d339 1 a339 1 done < $MPPATH | d364 1 a364 1 done < $MPPATH | @ 1.27 log @- correct use of generated temporary files. - clean up comments and generated output. - clean up $SECUREDIR if SIGINT or SIGQUIT received. - .rhosts may have to be world readable in NFS environments, so allow it to be. - update list of disks to check for reasonable permissions - don't show differences in /etc/master.passwd, as the encrypted strings may be sent. From reading comments earlier in the script, this was the intention anyway. Fix from Jim Bernard in [security/3994]. - when checking /etc/ftpusers, skip comment lines and only match full usernames. XXX: this should be enhanced to check lines of the enhanced ftpusers format. @ text @d3 1 a3 1 # $NetBSD: security,v 1.26 1997/08/19 12:08:35 lukem Exp $ d29 1 a29 1 MPUID=secure4.$$ d39 1 a39 1 awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPUID d93 1 a93 1 < $MPUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 d97 1 a97 1 grep -w $uid $MPUID d155 1 a155 1 cp /dev/null $OUTPUT d200 1 a200 1 cp /dev/null $OUTPUT d252 2 a253 1 list="root uucp" d256 1 a256 1 printf "\n$i is not listed in /etc/ftpusers file.\n" d259 4 d421 1 a421 1 printf "\nChecking setuid files and devices:\n" d431 3 a433 3 printf "Setuid/device find errors:\n" cat $OUTPUT printf "\n" d441 1 a441 1 printf "\nUudecode is setuid.\n" d454 3 a456 3 printf "Setuid additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" d461 3 a463 3 printf "Setuid deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" d470 3 a472 3 printf "Setuid changes:\n" column -t $OUTPUT printf "\n" d479 3 a481 3 printf "Setuid additions:\n" column -t $TMP1 printf "\n" d501 3 a503 3 printf "\nChecking disk ownership and permissions.\n" cat $OUTPUT printf "\n" d519 3 a521 3 printf "Device additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" d526 3 a528 3 printf "Device deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" d540 3 a542 3 printf "Block device changes:\n" column -t $OUTPUT printf "\n" d549 4 a552 4 printf "Device additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR d554 5 @ 1.26 log @* ensure that check for '.' in root's $PATH doesn't yield a false positive. fix from Jim Bernard in [security/3995] * detect empty :: elements as '.' in a sh(1) path (leading :, trailing :, or ::) @ text @d3 1 a3 1 # $NetBSD: security,v 1.25 1997/06/24 02:32:38 lukem Exp $ d29 4 a32 3 TMP3=secure4.$$ LIST=secure5.$$ OUTPUT=secure6.$$ d34 1 a34 1 trap 'rm -rf $SECUREDIR' 0 d38 3 a40 2 # this is used several times. awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $TMP1 d70 1 a70 1 printf "Login %s is off but still has a valid shell (%s)\n", d93 1 a93 1 < $TMP1 uniq -d -f 1 | awk '{ print $2 }' > $TMP2 d97 1 a97 1 grep -w $uid $TMP1 d166 1 a166 1 { print "Root umask is group writeable" } d168 2 a169 1 { print "Root umask is other writeable" }' >> $OUTPUT d179 1 a179 1 print "The root path includes ."; d184 1 a184 1 { print "Root path directory " $10 " is group writeable." } \ d186 1 a186 1 { print "Root path directory " $10 " is other writeable." }' \ d191 1 a191 1 printf "\nChecking root csh paths, umask values:\n$list\n" d196 1 a196 1 printf "\nRoot csh startup files do not set the umask.\n" d211 1 a211 1 { print "Root umask is group writeable" } \ d213 2 a214 1 { print "Root umask is other writeable" }' >> $OUTPUT d226 1 a226 1 print "The root path includes ."; d231 1 a231 1 { print "Root path directory " $10 " is group writeable." } \ d233 1 a233 1 { print "Root path directory " $10 " is other writeable." }' \ d244 1 a244 1 printf "\nRoot sh startup files do not set the umask.\n" d250 1 d252 6 a257 10 if egrep root /etc/ftpusers > /dev/null ; then : else printf "\nRoot not listed in /etc/ftpusers file.\n" fi if egrep uucp /etc/ftpusers > /dev/null ; then : else printf "\nUucp not listed in /etc/ftpusers file.\n" fi a292 2 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 | d298 1 a298 1 done > $OUTPUT a307 2 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 | d313 1 a313 1 done | d319 2 a320 1 { print "user " $1 " home directory is other writeable" }' > $OUTPUT d327 1 a327 3 list=".Xauthority .netrc .rhosts" awk -F: '{ print $1 " " $9 }' $MP | sort -k2 | d335 1 a335 1 done | d345 2 a346 1 { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT d351 2 a352 3 .profile .qmail .rc_history .tcshrc .twmrc .xinitrc .xsession" awk -F: '{ print $1 " " $9 }' $MP | sort -k2 | d360 1 a360 1 done | d366 2 a367 1 { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT d462 2 a463 1 sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT d481 2 a482 2 # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. d484 3 a486 1 DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd xd xy" d526 3 a528 2 # Report any block device change. Ignore character # devices, only the name is significant. d530 4 a533 4 sed -e '/^c/d' | \ sort -k11 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT d592 1 a592 1 for file in `cat /etc/changelist`; do @ 1.25 log @* when checking /etc/master.passwd, read in /etc/shells for a list of valid shells and then check each active account against that * remove unnecessary ()s in a few printf's. @ text @d3 1 a3 1 # $NetBSD: security,v 1.24 1997/06/24 01:16:47 lukem Exp $ d167 2 a169 1 unset path d173 1 d211 2 a213 1 PATH= d215 2 a216 1 list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` d219 1 @ 1.24 log @* take advantage of xargs -0 when finding devices and set?id files * use 'ls -q' in the above, so that characters that may cause problems in the output are replaced with '?' @ text @d3 1 a3 1 # $NetBSD: security,v 1.23 1997/06/23 11:59:30 lukem Exp $ d42 11 a52 1 awk -F: '{ d54 1 a54 1 printf("Line %d is a blank line.\n", NR); d58 1 a58 1 printf("Line %d has the wrong number of fields.\n", NR); d60 2 a61 1 printf("Login %s has non-alphanumeric characters.\n", $1); d63 1 a63 1 printf("Login %s has more than 8 characters.\n", $1); d65 8 a72 3 printf("Login %s has no password.\n", $1); if (length($2) != 13 && $2 != "" && ($10 ~ /.*sh$/ || $10 == "")) printf("Login %s is off but still has a valid shell.\n", $1); d74 1 a74 1 printf("Login %s has a user id of 0.\n", $1); d76 1 a76 1 printf("Login %s has a negative user id.\n", $1); d78 1 a78 1 printf("Login %s has a negative group id.\n", $1); d123 1 a123 1 printf("Line %d is a blank line.\n", NR); d127 1 a127 1 printf("Line %d has the wrong number of fields.\n", NR); d129 2 a130 1 printf("Group %s has non-alphanumeric characters.\n", $1); d132 1 a132 1 printf("Group %s has more than 8 characters.\n", $1); d134 1 a134 1 printf("Login %s has a negative group id.\n", $1); d488 2 a489 2 { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT @ 1.23 log @Also check /etc/profile for setting of umask. From Chris Jones in [misc/3763] @ text @d3 1 a3 1 # $NetBSD: security,v 1.22 1997/06/23 01:49:15 lukem Exp $ d402 2 a403 2 -type b -o -type c \) -print | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT @ 1.22 log @Ignore blank lines and comments in /etc/exports From Jaromir Dolecek in [misc/3691] @ text @d3 1 a3 1 # $NetBSD: security,v 1.21 1997/04/21 17:38:39 mycroft Exp $ d181 1 a181 1 list="${rhome}/.profile" @ 1.21 log @Don't list directories with the setuid bit set or FIFOs. @ text @d3 1 a3 1 # $NetBSD: security,v 1.20 1997/04/21 11:19:57 mycroft Exp $ d372 4 @ 1.20 log @Minor cleanup. @ text @d3 1 a3 1 # $NetBSD: security,v 1.19 1997/04/21 11:14:41 mycroft Exp $ d396 3 a398 3 \( -perm -u+s -o \( -perm -g+s -a ! -type d \) -o \ ! -type d -a ! -type f -a ! -type l -a \ ! -type s \) -print | \ @ 1.19 log @When doing security checks in user home directory, sort by home directory, to optimize lookups a little. Also, add some more files to the naughty lists. @ text @d3 1 a3 1 # $NetBSD: security,v 1.18 1997/04/17 07:42:07 mikel Exp $ d38 1 a38 1 awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 > $TMP1 d257 1 a257 1 { print $1 " " $9 }' /etc/master.passwd | d270 1 a270 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | d287 1 a287 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | d308 1 a308 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | d333 1 a333 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | d438 1 a438 1 sort +9 $TMP2 $CUR $TMP1 | \ d476 1 a476 1 egrep '^[bc]' $LIST | sort +10 > $TMP1 d504 1 a504 1 sort +10 | \ @ 1.18 log @make /etc/aliases check a bit more discriminating: the line must be uncommented, and it must contain a '|' character (forwarding to program). @ text @d3 1 a3 1 # $NetBSD: security,v 1.17 1997/03/10 09:45:58 mycroft Exp $ d258 1 d270 2 a271 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ d287 2 a288 1 awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ d307 3 a309 2 list=".netrc .rhosts" awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ d330 5 a334 3 list=".bashrc .cshrc .emacs .exrc .forward .klogin .login .logout \ .profile .tcshrc .qmail" awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ @ 1.17 log @Minor cleanup. @ text @d3 1 a3 1 # $NetBSD: security,v 1.16 1997/02/14 08:52:05 mikel Exp $ d239 2 a240 2 if egrep 'uudecode|decode' /etc/aliases; then printf "\nThere is an entry for uudecode in the /etc/aliases file.\n" @ 1.16 log @Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106. Also fixed some comments. @ text @d3 1 a3 1 # $NetBSD: security,v 1.15 1997/01/05 11:46:12 mrg Exp $ d41 1 a41 1 if [ X"$check_passwd" = XYES ]; then d103 1 a103 1 if [ X"$check_group" = XYES ]; then d135 1 a135 1 if [ X"$check_rootdotfiles" = XYES ]; then d224 1 a224 1 if [ X"$check_ftpusers" = XYES ]; then d238 1 a238 1 if [ X"$check_aliases" = XYES ]; then d245 1 a245 1 if [ X"$check_rhosts" = XYES ]; then d284 1 a284 1 if [ X"$check_homes" = XYES ]; then d350 1 a350 1 if [ X"$check_varmail" = XYES ]; then d362 1 a362 1 if [ X"$check_nfs" = XYES ]; then d386 1 a386 1 if [ X"$check_devices" = XYES ]; then d532 1 a532 1 if [ X"$check_mtree" = XYES ]; then d558 1 a558 1 if [ X"$check_changelist" = XYES -a -s /etc/changelist ] ; then @ 1.15 log @add configuration file for security, as security.conf. the file allows each action taken by security to be turned on or off. @ text @d3 1 a3 1 # $NetBSD: security,v 1.14 1996/05/22 00:51:08 mrg Exp $ d254 1 a254 1 # have a .rhosts files. Also, .rhosts files should not have plus signs. d525 2 a526 2 # chown root.wheel DIR.SECURE # chmod 600 DIR.SECURE d532 1 a532 2 if [ X"$check_mtree" = XYES ] && cd /etc/mtree; then ( d540 2 a541 2 for file in *.secure; do [ $file = '*.secure' ] && continue a552 1 ) @ 1.14 log @ignore setgid on dirs. @ text @d3 1 a3 1 # $NetBSD: security,v 1.13 1996/01/14 00:58:25 pk Exp $ d11 25 a35 6 ERR=/tmp/_secure1.$$ TMP1=/tmp/_secure2.$$ TMP2=/tmp/_secure3.$$ TMP3=/tmp/_secure4.$$ LIST=/tmp/_secure5.$$ OUTPUT=/tmp/_secure6.$$ d37 2 a38 1 trap 'rm -f $ERR $TMP1 $TMP2 $TMP3 $LIST $OUTPUT' 0 d41 41 a81 41 MP=/etc/master.passwd awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 10) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-Za-z0-9]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Login %s has more than 8 characters.\n", $1); if ($2 == "") printf("Login %s has no password.\n", $1); if (length($2) != 13 && $2 != "" && ($10 ~ /.*sh$/ || $10 == "")) printf("Login %s is off but still has a valid shell.\n", $1); if ($3 == 0 && $1 != "root" && $1 != "toor") printf("Login %s has a user id of 0.\n", $1); if ($3 < 0) printf("Login %s has a negative user id.\n", $1); if ($4 < 0) printf("Login %s has a negative group id.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $MP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$MP has duplicate user names.\n" column $OUTPUT fi awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" while read uid; do grep -w $uid $TMP1 done < $TMP2 | column d103 26 a128 24 GRP=/etc/group awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 4) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-za-z0-9]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Group %s has more than 8 characters.\n", $1); if ($3 !~ /[0-9]*/) printf("Login %s has a negative group id.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $GRP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$GRP has duplicate group names.\n" column $OUTPUT d135 19 a153 18 > $OUTPUT rhome=/root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/csh -f -s << end-of-csh > /dev/null 2>&1 unset path source $i /bin/ls -ldgT \$path > $TMP1 d155 21 a175 17 awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT a176 4 if [ $umaskset = "no" ] ; then printf "\nRoot csh startup files do not set the umask.\n" fi fi d178 19 a196 19 > $OUTPUT rhome=/root umaskset=no list="${rhome}/.profile" for i in $list; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } \ $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/sh << end-of-sh > /dev/null 2>&1 PATH= . $i list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 d198 11 a208 11 awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT d210 10 a219 9 fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\nRoot sh startup files do not set the umask.\n" d224 11 a234 9 if egrep root /etc/ftpusers > /dev/null ; then : else printf "\nRoot not listed in /etc/ftpusers file.\n" fi if egrep uucp /etc/ftpusers > /dev/null ; then : else printf "\nUucp not listed in /etc/ftpusers file.\n" d238 4 a241 2 if egrep 'uudecode|decode' /etc/aliases; then printf "\nThere is an entry for uudecode in the /etc/aliases file.\n" d245 35 a279 33 list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do if [ -f $f ] && egrep '\+' $f > /dev/null ; then printf "\nPlus sign in $f file.\n" fi done # Check for special users with .rhosts files. Only root and toor should # have a .rhosts files. Also, .rhosts files should not plus signs. awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | while read uid homedir; do if [ -f ${homedir}/.rhosts ] ; then rhost=`ls -ldgT ${homedir}/.rhosts` printf "$uid: $rhost\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for special users with .rhosts files.\n" cat $OUTPUT fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -f ${homedir}/.rhosts ] && \ egrep '\+' ${homedir}/.rhosts > /dev/null ; then printf "$uid: + in .rhosts file.\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking .rhosts files syntax.\n" cat $OUTPUT d284 6 a289 26 awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` printf "$uid $file\n" fi done | awk '$1 != $4 && $4 != "root" \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writeable" } $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writeable" }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking home directories.\n" cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".netrc .rhosts" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" d291 56 a346 34 done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT # Files that should not be owned by someone else or writeable. list=".bashrc .cshrc .emacs .exrc .forward .klogin .login .logout \ .profile .tcshrc" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking dot files.\n" cat $OUTPUT d350 33 a382 29 ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking mailbox ownership.\n" cat $OUTPUT fi if [ -f /etc/exports ]; then # File systems should not be globally exported. awk '{ readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) readonly = 1; else if ($i !~ /^-/) next; } if (readonly) print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi d386 26 a411 37 printf "\nChecking setuid files and devices:\n" (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype procfs \) -a -prune -o \ \( -perm -u+s -o \( -perm -g+s -a ! -type d \) -o \ ! -type d -a ! -type f -a ! -type l -a \ ! -type s \) -print | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then printf "Setuid/device find errors:\n" cat $OUTPUT printf "\n" fi # Display any changes in the setuid file list. egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then printf "\nUudecode is setuid.\n" fi CUR=/var/backups/setuid.current BACK=/var/backups/setuid.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi d413 26 a438 6 join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi d440 2 a441 6 sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid changes:\n" column -t $OUTPUT printf "\n" d443 4 a446 2 cp $CUR $BACK d449 17 a465 3 else printf "Setuid additions:\n" column -t $TMP1 a466 1 cp $TMP1 $CUR a467 37 fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking disk ownership and permissions.\n" cat $OUTPUT printf "\n" fi # Display any changes in the device file list. egrep '^[bc]' $LIST | sort +10 > $TMP1 if [ -s $TMP1 ] ; then CUR=/var/backups/device.current BACK=/var/backups/device.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi d469 37 a505 6 join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi d507 2 a508 11 # Report any block device change. Ignore character # devices, only the name is significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +10 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Block device changes:\n" column -t $OUTPUT printf "\n" d510 4 a513 2 cp $CUR $BACK a515 5 else printf "Device additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR d532 2 a533 1 if cd /etc/mtree; then d535 1 a535 1 if [ -s $OUTPUT ] ; then d550 1 a550 1 if [ -s $OUTPUT ] ; then d554 1 d560 1 a560 1 if [ -s /etc/changelist ] ; then @ 1.13 log @Several fixes from Arne H. Juul (PR#1814). @ text @d3 1 a3 1 # $NetBSD: security,v 1.12 1995/12/17 02:01:14 thorpej Exp $ d353 2 a354 1 \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \ @ 1.12 log @New-style RCS ids. @ text @d3 1 a3 1 # $NetBSD: security,v 1.11 1995/01/31 16:09:45 jtc Exp $ d35 1 a35 1 if (length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "")) d219 1 a219 1 if egrep '\+' $f > /dev/null ; then d328 3 a330 2 # File systems should not be globally exported. awk '{ d342 2 a343 2 }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then d346 1 d354 1 a354 1 ! -type s \) | \ d502 1 @ 1.11 log @Change .emacsrc to .emacs in list of files to be checked. From Mike Long, in PR #768. @ text @d3 1 a4 1 # $Id: security,v 1.10 1994/10/18 16:52:57 mycroft Exp $ @ 1.10 log @Fix the fstype-based pruning algorithms. Partly suggested by John Kohl. @ text @d4 1 a4 1 # $Id: security,v 1.9 1994/06/15 04:28:20 cgd Exp $ d295 1 a295 1 list=".bashrc .cshrc .emacsrc .exrc .forward .klogin .login .logout \ @ 1.9 log @update to new security script @ text @d4 1 a4 1 # $Id$ d349 2 a350 1 (find / ! -fstype local -a -prune -o \ @ 1.9.2.1 log @from trunk. @ text @d4 1 a4 1 # $Id: security,v 1.10 1994/10/18 16:52:57 mycroft Exp $ d349 1 a349 2 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype procfs \) -a -prune -o \ @ 1.8 log @people importing trees from SunOS should be shot; add -d to ls. @ text @d3 2 a4 1 # @@(#)security 5.3 (Berkeley) 5/28/91 a5 1 PATH=/sbin:/bin:/usr/bin d7 1 a7 2 host=`hostname -s` echo "Subject: $host security check output" d9 1 a9 2 LOG=/var/log TMP=/tmp/_secure.$$ d11 525 a535 37 umask 027 echo "checking setuid files and devices:" # don't have ncheck, but this does the equivalent of the commented out block. MP=`mount -t ufs | sed 's;/dev/;&r;' | awk '{ print $3 }'` set $MP ls -lgdT `while test $# -ge 1; do mount=$1 shift find $mount -xdev \( \( -type f \( -perm -u+s -or -perm -g+s \) \) -or -type b -or -type c \) | sort done` > $TMP #MP=`mount -t ufs | sed 's;/dev/;&r;' | awk '{ print $1 " " $3 }'` #set $MP #ls -lgT `while test $# -ge 2; do # device=$1 # shift # mount=$1 # shift # ncheck -s $device | sed -e "/:$/d" -e "/\/dev\//d" \ # -e "s;[^/]*;$mount;" -e "s;//;/;g" | sort #done` > $TMP if cmp $LOG/setuid.today $TMP >/dev/null; then :; else echo "$host setuid/device diffs:" diff -w $LOG/setuid.today $TMP mv $LOG/setuid.today $LOG/setuid.yesterday mv $TMP $LOG/setuid.today fi rm -f $TMP echo "" echo "" echo "checking for uids of 0:" awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd @ 1.7 log @Find only set[gu]id files and devices, like old ncheck(1). @ text @d21 1 a21 1 ls -lgT `while test $# -ge 1; do @ 1.6 log @use of xargs wasn't strictly a security hole, but could lead to fouled- up results. xargs should really have an option to automatically 'quote' input. @ text @d24 1 a24 1 find $mount -xdev \( -perm -u+s -or -perm -g+s \) | sort d40 1 a40 1 diff $LOG/setuid.today $TMP @ 1.5 log @Use xargs(1) to avoid overflowing the argument list to ls(1). @ text @d21 1 a21 1 (while test $# -ge 1; do d24 2 a25 2 find $mount -xdev -perm -u+s -or -perm -g+s | sort done) | xargs ls -lgT > $TMP @ 1.4 log @from FreeBSD: check for set*id devices in a way closer to the original. note that you can still overflow the args buffer for the ls (and it does that on lamp), but it's better than before. @ text @a17 2 # note that one of the original problem, the possibility of overrunning # the args to ls, is still here... d21 1 a21 1 ls -lgT `while test $# -ge 1; do d25 1 a25 1 done` > $TMP @ 1.3 log @Rewrite set[gu]id find command to avoid walking non-local file systems. @ text @d21 7 a27 4 ls -lgT `find / \( \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \) \ -a -prune \) \ \( -perm -u+s -or -perm -g+s \) | \ sed -e "/\/dev\//d" -e "s;//;/;g" | sort` > $TMP @ 1.2 log @updated to reflect the fact that we don't have an ncheck @ text @d21 2 a22 2 ls -lgT `find / -fstype local -a \ \( ! \( -fstype fdesc -o -fstype kernfs \) -o -prune \) \ @ 1.1 log @Initial revision @ text @d13 2 d16 20 a35 10 MP=`mount -t ufs | sed 's;/dev/;&r;' | awk '{ print $1 " " $3 }'` set $MP ls -lgT `while test $# -ge 2; do device=$1 shift mount=$1 shift ncheck -s $device | sed -e "/:$/d" -e "/\/dev\//d" \ -e "s;[^/]*;$mount;" -e "s;//;/;g" | sort done` > $TMP @ 1.1.1.1 log @initial import of 386bsd-0.1 sources @ text @@ 1.1.1.2 log @import 4.4BSD-Lite @ text @d3 1 a3 1 # @@(#)security 8.1 (Berkeley) 6/9/93 d5 1 d7 2 a8 1 PATH=/sbin:/usr/sbin:/bin:/usr/bin d10 2 a11 1 umask 077 d13 24 a36 525 ERR=/tmp/_secure1.$$ TMP1=/tmp/_secure2.$$ TMP2=/tmp/_secure3.$$ TMP3=/tmp/_secure4.$$ LIST=/tmp/_secure5.$$ OUTPUT=/tmp/_secure6.$$ trap 'rm -f $ERR $TMP1 $TMP2 $TMP3 $LIST $OUTPUT' 0 # Check the master password file syntax. MP=/etc/master.passwd awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 10) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-Za-z0-9]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Login %s has more than 8 characters.\n", $1); if ($2 == "") printf("Login %s has no password.\n", $1); if (length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "")) printf("Login %s is off but still has a valid shell.\n", $1); if ($3 == 0 && $1 != "root" && $1 != "toor") printf("Login %s has a user id of 0.\n", $1); if ($3 < 0) printf("Login %s has a negative user id.\n", $1); if ($4 < 0) printf("Login %s has a negative group id.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $MP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$MP has duplicate user names.\n" column $OUTPUT fi awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" while read uid; do grep -w $uid $TMP1 done < $TMP2 | column fi # Backup the master password file; a special case, the normal backup # mechanisms also print out file differences and we don't want to do # that because this file has encrypted passwords in it. CUR=/var/backups/`basename $MP`.current BACK=/var/backups/`basename $MP`.backup if [ -s $CUR ] ; then if cmp -s $CUR $MP; then : else cp -p $CUR $BACK cp -p $MP $CUR chown root.wheel $CUR fi else cp -p $MP $CUR chown root.wheel $CUR fi # Check the group file syntax. GRP=/etc/group awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 4) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-za-z0-9]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Group %s has more than 8 characters.\n", $1); if ($3 !~ /[0-9]*/) printf("Login %s has a negative group id.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $GRP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$GRP has duplicate group names.\n" column $OUTPUT fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. > $OUTPUT rhome=/root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/csh -f -s << end-of-csh > /dev/null 2>&1 unset path source $i /bin/ls -ldgT \$path > $TMP1 end-of-csh awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\nRoot csh startup files do not set the umask.\n" fi fi > $OUTPUT rhome=/root umaskset=no list="${rhome}/.profile" for i in $list; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } \ $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/sh << end-of-sh > /dev/null 2>&1 PATH= . $i list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 end-of-sh awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\nRoot sh startup files do not set the umask.\n" fi fi # Root and uucp should both be in /etc/ftpusers. if egrep root /etc/ftpusers > /dev/null ; then : else printf "\nRoot not listed in /etc/ftpusers file.\n" fi if egrep uucp /etc/ftpusers > /dev/null ; then : else printf "\nUucp not listed in /etc/ftpusers file.\n" fi # Uudecode should not be in the /etc/aliases file. if egrep 'uudecode|decode' /etc/aliases; then printf "\nThere is an entry for uudecode in the /etc/aliases file.\n" fi # Files that should not have + signs. list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do if egrep '\+' $f > /dev/null ; then printf "\nPlus sign in $f file.\n" fi done # Check for special users with .rhosts files. Only root and toor should # have a .rhosts files. Also, .rhosts files should not plus signs. awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | while read uid homedir; do if [ -f ${homedir}/.rhosts ] ; then rhost=`ls -ldgT ${homedir}/.rhosts` printf "$uid: $rhost\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for special users with .rhosts files.\n" cat $OUTPUT fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -f ${homedir}/.rhosts ] && \ egrep '\+' ${homedir}/.rhosts > /dev/null ; then printf "$uid: + in .rhosts file.\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking .rhosts files syntax.\n" cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` printf "$uid $file\n" fi done | awk '$1 != $4 && $4 != "root" \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writeable" } $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writeable" }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking home directories.\n" cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".netrc .rhosts" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT # Files that should not be owned by someone else or writeable. list=".bashrc .cshrc .emacsrc .exrc .forward .klogin .login .logout \ .profile .tcshrc" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking dot files.\n" cat $OUTPUT fi # Mailboxes should be owned by user and unreadable. ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking mailbox ownership.\n" cat $OUTPUT fi # File systems should not be globally exported. awk '{ readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) readonly = 1; else if ($i !~ /^-/) next; } if (readonly) print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi # Display any changes in setuid files and devices. printf "\nChecking setuid files and devices:\n" (find / ! -fstype local -a -prune -o \ \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \ ! -type s \) | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then printf "Setuid/device find errors:\n" cat $OUTPUT printf "\n" fi # Display any changes in the setuid file list. egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then printf "\nUudecode is setuid.\n" fi CUR=/var/backups/setuid.current BACK=/var/backups/setuid.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid changes:\n" column -t $OUTPUT printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else printf "Setuid additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR fi fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking disk ownership and permissions.\n" cat $OUTPUT printf "\n" fi # Display any changes in the device file list. egrep '^[bc]' $LIST | sort +10 > $TMP1 if [ -s $TMP1 ] ; then CUR=/var/backups/device.current BACK=/var/backups/device.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi # Report any block device change. Ignore character # devices, only the name is significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +10 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Block device changes:\n" column -t $OUTPUT printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else printf "Device additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR fi fi # Check special files. # Check system binaries. # # Create the mtree tree specifications using: # # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure # chown root.wheel DIR.SECURE # chmod 600 DIR.SECURE # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. if cd /etc/mtree; then mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking special files and directories.\n" cat $OUTPUT fi > $OUTPUT for file in *.secure; do tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree -f $file -p $tree > $TMP1 if [ -s $TMP1 ]; then printf "\nChecking $tree:\n" >> $OUTPUT cat $TMP1 >> $OUTPUT fi done if [ -s $OUTPUT ] ; then printf "\nChecking system binaries:\n" cat $OUTPUT fi fi # List of files that get backed up and checked for any modifications. Each # file is expected to have two backups, /var/backups/file.{current,backup}. # Any changes cause the files to rotate. if [ -s /etc/changelist ] ; then for file in `cat /etc/changelist`; do CUR=/var/backups/`basename $file`.current BACK=/var/backups/`basename $file`.backup if [ -s $file ]; then if [ -s $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR chown root.wheel $CUR $BACK fi else cp -p $file $CUR chown root.wheel $CUR fi fi done fi @