authorIngo Schwarze <schwarze@cvs.openbsd.org>2011-03-25 02:30:34 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2011-03-25 02:30:34 +0000
commit11590058261f6c91bbf847f54be36f51364f28c2 (patch)
tree4558ae54ea1dbba712b3e4598704d15f4875d6ab
parentc01d4d94c4e5578b553bf9bfbfb153e27c42c84d (diff)
home directory checks;
large parts from a submission by Andrew Fresh <andrew at afresh1 dot com>
-rw-r--r--libexec/security/security90
1 files changed, 89 insertions, 1 deletions
diff --git a/libexec/security/security b/libexec/security/security
index afe52747108..4aebdad77c5 100644
--- a/libexec/security/security
+++ b/libexec/security/security
@@ -1,8 +1,9 @@
#!/usr/bin/perl -T
-# $OpenBSD: security,v 1.2 2011/03/24 21:54:32 schwarze Exp $
+# $OpenBSD: security,v 1.3 2011/03/25 02:30:33 schwarze Exp $
#
# Copyright (c) 2011 Ingo Schwarze <schwarze@openbsd.org>
+# Copyright (c) 2011 Andrew Fresh <andrew@afresh1.com>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -237,6 +238,86 @@ sub check_rhosts {
}
}
+# Home directories should not be owned by someone else or writeable.
+sub check_homedir {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ return unless -d $home;
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name home directory is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IWGRP,
+ "user $name home directory is group writable";
+ nag $mode & S_IWOTH,
+ "user $name home directory is other writable";
+}
+
+# Files that should not be owned by someone else or readable.
+sub check_dot_readable {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ foreach my $f qw(
+ .netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed
+ .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa
+ ) {
+ next unless -e "$home/$f";
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name $f file is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IRGRP,
+ "user $name $f file is group readable";
+ nag $mode & S_IROTH,
+ "user $name $f file is other readable";
+ nag $mode & S_IWGRP,
+ "user $name $f file is group writable";
+ nag $mode & S_IWOTH,
+ "user $name $f file is other writable";
+ }
+}
+
+# Files that should not be owned by someone else or writeable.
+sub check_dot_writeable {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ foreach my $f qw(
+ .bashrc .bash_profile .bash_login .bash_logout .cshrc
+ .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login
+ .logout .nexrc .profile .screenrc .ssh .ssh/config
+ .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment
+ .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc
+ .Xdefaults .Xauthority
+ ) {
+ next unless -e "$home/$f";
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name $f file is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IWGRP,
+ "user $name $f file is group writable";
+ nag $mode & S_IWOTH,
+ "user $name $f file is other writable";
+ }
+}
+
+# Mailboxes should be owned by the user and unreadable.
+sub check_mailboxes {
+ my $dir = '/var/mail';
+ nag !opendir(my $dh, $dir), "opendir: $dir: $!" and return;
+ foreach my $name (readdir $dh) {
+ next if $name =~ /^\.\.?$/;
+ my (undef, undef, $mode, undef, $fuid) = stat "$dir/$name";
+ my $fname = (getpwuid $fuid)[0] || $fuid;
+ nag $fname ne $name,
+ "user $name mailbox is owned by $fname";
+ nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+ sprintf 'user %s mailbox permissions are %04o',
+ $name, S_IMODE($mode);
+ }
+ closedir $dh;
+}
+
# main program
check_passwd;
backup_passwd;
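Review bot: The stat in check_mailboxes (`my (undef, undef, $mode, undef, $fuid) = stat "$dir/$name";`) is never checked, unlike the other three new subs where `-e`/`-d` guard the `stat(_)` reuse, so an entry that vanishes between readdir and stat, or a dangling symlink, leaves $mode and $fuid undefined; getpwuid(undef) and S_IMODE(undef) then warn and the report emits a misleading `mailbox permissions are 0000` line. Handle it per entry the same way the opendir failure is handled: `my @st = stat "$dir/$name" or do { nag 1, "stat: $dir/$name: $!"; next };` followed by `my ($mode, $fuid) = @st[2, 4];`. Whether non-mailbox entries such as lock files can appear in /var/mail on this system I cannot tell from the hunk; if they can, each one would also produce a spurious ownership nag against a name that is not a user. Separately, `foreach my $f qw(...)` in the two dot-file loops relies on qw() standing in for the parentheses, a form perl 5.14 deprecates and 5.18 rejects; `foreach my $f (qw( ... ))` is the portable spelling.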
@@ -249,6 +330,13 @@ check_hosts_equiv;
$check_title = "Checking for special users with .rhosts/.shosts files.";
my $homes = find_homes;
check_rhosts(@$_) foreach @$homes;
+$check_title = "Checking home directories.";
+check_homedir(@$_) foreach @$homes;
+$check_title = "Checking dot files.";
+check_dot_readable(@$_) foreach @$homes;
+check_dot_writeable(@$_) foreach @$homes;
+$check_title = "Checking mailbox ownership.";
+check_mailboxes;
$check_title = "Status";
nag 'right now', 'not yet ready';