| field | value | date |
|---|---|---|
| author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2009-05-24 22:25:13 +0000 |
| committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2009-05-24 22:25:13 +0000 |
| commit | 44a9661c6aa75fd6c937aa5a543f851dee5ace08 (patch) | |
| tree | 27402005e14f442d297ffea87f0b31886bebf649 | |
| parent | 8e951b71677d1a3ab306927ca4b9fbb780374746 (diff) | |
new variable SUIDSKIP to exclude paths from setuid and device checks,
useful for example for release(8) DESTDIRs, ro-mounted foreign OS
partitions, nosuid+nodev-mounted backup areas and the like
while here, do not call ls w/o args in case find returns nothing
based on a patch from halex@, re-implemented by me; variable naming by jmc@
ok halex@ jmc@
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | etc/security | 12 |
| -rw-r--r-- | share/man/man8/security.8 | 13 |
2 files changed, 19 insertions, 6 deletions
diff --git a/etc/security b/etc/security index 66a54c86786..4b53e6459fd 100644 --- a/etc/security +++ b/etc/security @@ -1,5 +1,5 @@ # -# $OpenBSD: security,v 1.86 2009/05/18 19:37:47 schwarze Exp $ +# $OpenBSD: security,v 1.87 2009/05/24 22:25:12 schwarze Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # @@ -420,11 +420,15 @@ fi # Display any changes in setuid/setgid files and devices. next_part "Setuid/device find errors:" -find / \( ! -fstype local \ - -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \ +( set -o noglob + find / \ + \( ! -fstype local -o -fstype procfs -o -fstype afs -o -fstype xfs \ + `for f in $SUIDSKIP; do echo -o -path $f; done` \ + \) -a -prune -o \ -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \ - -print0 | xargs -0 ls -ldgT | sort +9 > $LIST + -print0 | xargs -0 -r ls -ldgT | sort +9 > $LIST +) # Display any changes in the setuid/setgid file list. next_part "Checking setuid/setgid files and devices:" diff --git a/share/man/man8/security.8 b/share/man/man8/security.8 index 7baed3a725a..8d701b8bed7 100644 --- a/share/man/man8/security.8 +++ b/share/man/man8/security.8 @@ -1,8 +1,8 @@ -.\" $OpenBSD: security.8,v 1.16 2009/05/20 22:46:48 schwarze Exp $ +.\" $OpenBSD: security.8,v 1.17 2009/05/24 22:25:12 schwarze Exp $ .\" .\" David Leonard, 2001. Public Domain. .\" -.Dd $Mdocdate: May 20 2009 $ +.Dd $Mdocdate: May 24 2009 $ .Dt SECURITY 8 .Os .Sh NAME @@ -116,6 +116,15 @@ file permissions. The intent of the .Nm script is to point out some obvious holes to the system administrator. +.Sh ENVIRONMENT +The following variables can be set in +.Pa /etc/daily.local : +.Pp +.Bl -tag -width "SUIDSKIP" -compact +.It Ev SUIDSKIP +A whitespace-separated list of absolute paths to be skipped +in setuid/setgid file checks and in device special file checks. +.El .Sh FILES .Bl -tag -width /dev/changelist -compact .It Pa /etc/changelist |
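Review bot: in the etc/security hunk at `@@ -420,11 +420,15 @@`, the `-path $f` terms generated by `` `for f in $SUIDSKIP; do echo -o -path $f; done` `` are matched by find against the full pathname, so an entry written with a trailing slash (`/mnt/backup/`) never matches and that tree is silently not pruned, and a relative entry can never match either; consider normalising each entry (strip a trailing `/`) or at least warning on a non-absolute one inside the loop, e.g. `case $f in /*) ;; *) echo "SUIDSKIP: $f is not absolute" >&2 ;; esac`. The `( set -o noglob ... )` subshell is the right way to stop glob characters in an entry from expanding before find sees them, and `xargs -0 -r` correctly avoids running `ls -ldgT` with no arguments when find prints nothing; since the loop relies on word splitting of the unquoted backtick expansion, an entry containing whitespace cannot be expressed at all, which is consistent with the man page's whitespace-separated definition but worth a comment above the loop.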
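Review bot: in the security.8 hunk at `@@ -116,6 +116,15 @@`, the new ENVIRONMENT text `A whitespace-separated list of absolute paths to be skipped in setuid/setgid file checks and in device special file checks.` should state that each listed path and everything below it is skipped (the entries go into find's prune group), that an entry must be given without a trailing slash, and that an entry cannot itself contain whitespace because the script splits the variable on it; without that, an administrator who writes `/mnt/backup/` will expect the tree to be excluded when it is not.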