author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2011-03-25 02:30:34 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2011-03-25 02:30:34 +0000 |
commit | 11590058261f6c91bbf847f54be36f51364f28c2 (patch) | |
tree | 4558ae54ea1dbba712b3e4598704d15f4875d6ab | |
parent | c01d4d94c4e5578b553bf9bfbfb153e27c42c84d (diff) |
home directory checks;
large parts from a submission by Andrew Fresh <andrew at afresh1 dot com>
-rw-r--r-- | libexec/security/security | 90 |
1 files changed, 89 insertions, 1 deletions
diff --git a/libexec/security/security b/libexec/security/security
index afe52747108..4aebdad77c5 100644
--- a/libexec/security/security
+++ b/libexec/security/security
@@ -1,8 +1,9 @@
 #!/usr/bin/perl -T
-# $OpenBSD: security,v 1.2 2011/03/24 21:54:32 schwarze Exp $
+# $OpenBSD: security,v 1.3 2011/03/25 02:30:33 schwarze Exp $
 #
 # Copyright (c) 2011 Ingo Schwarze <schwarze@openbsd.org>
+# Copyright (c) 2011 Andrew Fresh <andrew@afresh1.com>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -237,6 +238,86 @@ sub check_rhosts {
 }
 }
+# Home directories should not be owned by someone else or writeable.
+sub check_homedir {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ return unless -d $home;
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name home directory is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IWGRP,
+ "user $name home directory is group writable";
+ nag $mode & S_IWOTH,
+ "user $name home directory is other writable";
+}
+
+# Files that should not be owned by someone else or readable.
+sub check_dot_readable {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ foreach my $f qw(
+ .netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed
+ .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa
+ ) {
+ next unless -e "$home/$f";
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name $f file is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IRGRP,
+ "user $name $f file is group readable";
+ nag $mode & S_IROTH,
+ "user $name $f file is other readable";
+ nag $mode & S_IWGRP,
+ "user $name $f file is group writable";
+ nag $mode & S_IWOTH,
+ "user $name $f file is other writable";
+ }
+}
+
+# Files that should not be owned by someone else or writeable.
+sub check_dot_writeable {
+ my ($name, $uid, $home) = @_;
+ return if $name =~ /^[+-]/; # skip YP lines
+ foreach my $f qw(
+ .bashrc .bash_profile .bash_login .bash_logout .cshrc
+ .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login
+ .logout .nexrc .profile .screenrc .ssh .ssh/config
+ .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment
+ .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc
+ .Xdefaults .Xauthority
+ ) {
+ next unless -e "$home/$f";
+ my (undef, undef, $mode, undef, $fuid) = stat(_);
+ nag $fuid && $fuid != $uid,
+ "user $name $f file is owned by " .
+ ((getpwuid $fuid)[0] || $fuid);
+ nag $mode & S_IWGRP,
+ "user $name $f file is group writable";
+ nag $mode & S_IWOTH,
+ "user $name $f file is other writable";
+ }
+}
+
+# Mailboxes should be owned by the user and unreadable.
+sub check_mailboxes {
+ my $dir = '/var/mail';
+ nag !opendir(my $dh, $dir), "opendir: $dir: $!" and return;
+ foreach my $name (readdir $dh) {
+ next if $name =~ /^\.\.?$/;
+ my (undef, undef, $mode, undef, $fuid) = stat "$dir/$name";
+ my $fname = (getpwuid $fuid)[0] || $fuid;
+ nag $fname ne $name,
+ "user $name mailbox is owned by $fname";
+ nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+ sprintf 'user %s mailbox permissions are %04o',
+ $name, S_IMODE($mode);
+ }
+ closedir $dh;
+}
+
 # main program
 check_passwd;
 backup_passwd;
@@ -249,6 +330,13 @@ check_hosts_equiv;
 $check_title = "Checking for special users with .rhosts/.shosts files.";
 my $homes = find_homes;
 check_rhosts(@$_) foreach @$homes;
+$check_title = "Checking home directories.";
+check_homedir(@$_) foreach @$homes;
+$check_title = "Checking dot files.";
+check_dot_readable(@$_) foreach @$homes;
+check_dot_writeable(@$_) foreach @$homes;
+$check_title = "Checking mailbox ownership.";
+check_mailboxes;
 $check_title = "Status";
 nag 'right now', 'not yet ready'; |
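Review bot: The `stat "$dir/$name"` in check_mailboxes is unchecked, so an entry that disappears between readdir and stat, or a dangling symlink, leaves `$mode` and `$fuid` undef — getpwuid then warns about an uninitialized value and the permission check reports a spurious `0000`; `my (undef, undef, $mode, undef, $fuid) = stat "$dir/$name" or next;` skips such entries (or nag with `$!`, as the opendir line above it already does). The loops in check_dot_readable and check_dot_writeable are written `foreach my $f qw( ... ) {`, which relies on qw(...) standing in for the list parentheses; Perl deprecated that in 5.14 and rejects it from 5.18, so `foreach my $f (qw( ... )) {` is the durable form. check_mailboxes also treats every directory entry as a mailbox, so a subdirectory or socket under /var/mail gets the same "permissions are" nag as a regular file; if only files are intended, `next unless -f _;` after a successful stat narrows it.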