authorIngo Schwarze <schwarze@cvs.openbsd.org>2012-07-08 21:48:39 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2012-07-08 21:48:39 +0000
commit8d22bf05228451a53662d33609c73233c55aa864 (patch)
treeb73986f32dcf68d7324866501ced68e2a47a9380
parent1b8aba4e91ff8f0438c64b25cb57bbedb054930c (diff)
To detect changes of system files, use SHA-256 rather than MD5,
taking advantage of naddy@'s recent mtree(8) modernization. While here, do not provide an example protecting a home directory from file changes; protect some system binaries instead. ok naddy@ jmc@
-rw-r--r--libexec/security/security49
-rw-r--r--share/man/man5/changelist.510
-rw-r--r--share/man/man8/security.814
3 files changed, 37 insertions, 36 deletions
diff --git a/libexec/security/security b/libexec/security/security
index 1060bcd72bd..f9b9eddef2b 100644
--- a/libexec/security/security
+++ b/libexec/security/security
@@ -1,8 +1,8 @@
#!/usr/bin/perl -T
-# $OpenBSD: security,v 1.18 2012/05/17 16:06:03 pascal Exp $
+# $OpenBSD: security,v 1.19 2012/07/08 21:48:38 schwarze Exp $
#
-# Copyright (c) 2011 Ingo Schwarze <schwarze@openbsd.org>
+# Copyright (c) 2011, 2012 Ingo Schwarze <schwarze@openbsd.org>
# Copyright (c) 2011 Andrew Fresh <andrew@afresh1.com>
#
# Permission to use, copy, modify, and distribute this software for any
@@ -20,7 +20,7 @@
use warnings;
use strict;
-require Digest::MD5;
+use Digest::SHA qw(sha256_hex);
use Errno qw(ENOENT);
use Fcntl qw(:mode);
use File::Basename qw(basename);
@@ -689,7 +689,7 @@ sub check_disks {
#
# Create the mtree tree specifications using:
#
-# mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure
+# mtree -cx -p DIR -K sha256digest,type > /etc/mtree/DIR.secure
# chown root:wheel /etc/mtree/DIR.secure
# chmod 600 /etc/mtree/DIR.secure
#
@@ -764,56 +764,57 @@ sub backup_if_changed {
}
}
-sub backup_md5 {
+sub backup_digest {
my ($orig) = @_;
my ($backup) = $orig =~ m{^/?(.*)};
$backup =~ s{/}{_}g;
- my $current = BACKUP_DIR . "$backup.current.md5";
- $backup = BACKUP_DIR . "$backup.backup.md5";
+ my $current = BACKUP_DIR . "$backup.current.sha256";
+ $backup = BACKUP_DIR . "$backup.backup.sha256";
- my $md5_new = 0;
+ my $digest_new = 0;
if (-s $orig) {
if (open my $fh, '<', $orig) {
binmode $fh;
- $md5_new = Digest::MD5->new->addfile($fh)->hexdigest;
+ local $/;
+ $digest_new = sha256_hex(<$fh>);
close $fh;
} else { nag 1, "open: $orig: $!"; }
}
- my $md5_old = 0;
+ my $digest_old = 0;
if (-s $current) {
if (open my $fh, '<', $current) {
- $md5_old = <$fh>;
+ $digest_old = <$fh>;
close $fh;
- chomp $md5_old;
+ chomp $digest_old;
} else { nag 1, "open: $current: $!"; }
}
- return if $md5_old eq $md5_new;
+ return if $digest_old eq $digest_new;
- if ($md5_old && $md5_new) {
+ if ($digest_old && $digest_new) {
copy $current, $backup;
chown 0, 0, $backup;
chmod 0600, $backup;
- } elsif ($md5_old) {
- $check_title = "======\n$orig removed MD5 checksum\n======";
+ } elsif ($digest_old) {
+ $check_title = "======\n$orig removed SHA-256 checksum\n======";
unlink $current;
- } elsif ($md5_new) {
- $check_title = "======\n$orig new MD5 checksum\n======";
+ } elsif ($digest_new) {
+ $check_title = "======\n$orig new SHA-256 checksum\n======";
}
- if ($md5_new) {
+ if ($digest_new) {
if (open my $fh, '>', $current) {
- print $fh "$md5_new\n";
+ print $fh "$digest_new\n";
close $fh;
} else { nag 1, "open: $current: $!\n"; }
chown 0, 0, $current;
chmod 0600, $current;
}
- nag $md5_old, "OLD: $md5_old";
- nag $md5_new, "NEW: $md5_new";
+ nag $digest_old, "OLD: $digest_old";
+ nag $digest_new, "NEW: $digest_new";
}
# List of files that get backed up and checked for any modifications. Each
@@ -842,8 +843,8 @@ sub check_changelist {
if ($plus) {
$check_title =
- "======\n$_ MD5 checksums\n======";
- backup_md5 $_;
+ "======\n$_ SHA-256 checksums\n======";
+ backup_digest $_;
} else {
$check_title =
"======\n$_ diffs (-OLD +NEW)\n======";
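Review bot: In backup_digest, `local $/; $digest_new = sha256_hex(<$fh>);` reads the entire file into memory before hashing, whereas the replaced `Digest::MD5->new->addfile($fh)->hexdigest` streamed it, so peak memory now scales with the largest `+` entry on the changelist instead of staying bounded. Digest::SHA offers the same object interface, so the streaming form is a drop-in: `$digest_new = Digest::SHA->new(256)->addfile($fh)->hexdigest;` with the `local $/;` line dropped, and the import in the second hunk can then be a plain `use Digest::SHA;` (the `binmode $fh;` stays). Separately, renaming the state files from `.current.md5`/`.backup.md5` to `.current.sha256`/`.backup.sha256` presumably leaves the MD5-era files in BACKUP_DIR untouched after an upgrade and makes the first run report every entry as a "new SHA-256 checksum" rather than as a change; a short comment above the `my $current = BACKUP_DIR . ...` line stating that old `.md5` state is neither migrated nor removed would save the next reader from wondering whether that is intended.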
diff --git a/share/man/man5/changelist.5 b/share/man/man5/changelist.5
index fb0d133f1f5..b67ae0b3a27 100644
--- a/share/man/man5/changelist.5
+++ b/share/man/man5/changelist.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: changelist.5,v 1.7 2011/04/18 23:58:45 schwarze Exp $
+.\" $OpenBSD: changelist.5,v 1.8 2012/07/08 21:48:38 schwarze Exp $
.\"
.\" Copyright (c) 2003 Jason McIntyre <jmc@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: April 18 2011 $
+.Dd $Mdocdate: July 8 2012 $
.Dt CHANGELIST 5
.Os
.Sh NAME
@@ -85,12 +85,12 @@ beginning with a
character
.Pq generally non-text files
are stored as
-.Xr md5 1
+.Xr sha256 1
checksums.
Results are mailed in the following format:
.Bd -unfilled -offset indent
======
-/etc/ssh/ssh_host_key MD5 checksums
+/etc/ssh/ssh_host_key SHA-256 checksums
======
OLD:
NEW:
@@ -113,7 +113,7 @@ Directory containing file backups.
.El
.Sh SEE ALSO
.Xr diff 1 ,
-.Xr md5 1 ,
+.Xr sha256 1 ,
.Xr daily 8 ,
.Xr security 8
.Sh HISTORY
diff --git a/share/man/man8/security.8 b/share/man/man8/security.8
index bc69b39fac1..0c44815a118 100644
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@@ -1,8 +1,8 @@
-.\" $OpenBSD: security.8,v 1.20 2011/04/19 05:17:24 jmc Exp $
+.\" $OpenBSD: security.8,v 1.21 2012/07/08 21:48:38 schwarze Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
-.Dd $Mdocdate: April 19 2011 $
+.Dd $Mdocdate: July 8 2012 $
.Dt SECURITY 8
.Os
.Sh NAME
@@ -79,12 +79,12 @@ These lists should be kept in
and filenames must have the suffix
.Dq .secure .
The following example shows how to create such a list,
-to protect the home directory of user
-.Dq bob :
+to protect the programs in
+.Pa /bin :
.Bd -literal -offset 4n
-# mtree -cx -p /home/bob -K md5digest,type \*(Gt/etc/mtree/bob.secure
-# chown root:wheel /etc/mtree/bob.secure
-# chmod 600 /etc/mtree/bob.secure
+# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
+# chown root:wheel /etc/mtree/bin.secure
+# chmod 600 /etc/mtree/bin.secure
.Ed
.Pp
.Sy Note: