authorStuart Henderson <sthen@cvs.openbsd.org>2008-04-17 19:49:17 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2008-04-17 19:49:17 +0000
commitdc91fc42a77afeef014bc99ae83a45521bc45f46 (patch)
treece8152af56c1868fb9c12a4564bb441c2e91788d
parenta78fdf1fff35eccd17c277875fd205aaa2d521e6 (diff)
Teach security(8) to check for world-readable hostname.if files.
An increasing number of types of these files (e.g. ppp, carp and wlan adapters) may contain secrets. ok deraadt oga johan
-rw-r--r--etc/security11
-rw-r--r--share/man/man8/security.88
2 files changed, 16 insertions, 3 deletions
diff --git a/etc/security b/etc/security
index f4c8a9f383b..fd758c1b6cc 100644
--- a/etc/security
+++ b/etc/security
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: security,v 1.79 2007/10/23 11:19:58 sthen Exp $
+# $OpenBSD: security,v 1.80 2008/04/17 19:49:16 sthen Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -299,6 +299,15 @@ if egrep 'uudecode|decode' /etc/mail/aliases; then
echo "\nThere is an entry for uudecode in the /etc/mail/aliases file."
fi
+# hostname.if files may contain secrets and should not be
+# world-readable.
+
+for f in /etc/hostname.* ; do
+ if [ "$(stat -f "%SLp" $f)" != "---" ]; then
+ echo "\n$f is world readable."
+ fi
+done
+
# Files that should not have + signs.
list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
for f in $list ; do
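Review bot: The new loop at `for f in /etc/hostname.* ; do` has no guard for the no-match case: when no hostname.if files exist the unexpanded pattern itself is handed to stat, which fails and prints nothing, the empty result differs from `---`, and the script reports `/etc/hostname.* is world readable.`. Adding `[ -f "$f" ] || continue` as the first statement of the loop avoids that false report, and quoting the operand, `stat -f "%SLp" "$f"`, keeps the command well-formed if a file name ever contains whitespace. The check inspects only the "other" permission bits, so a group-readable file goes unreported; that is consistent with the comment's "world-readable" wording, but a short note such as `# only the 'other' bits are checked; group access is not reported` would make the intent explicit.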
diff --git a/share/man/man8/security.8 b/share/man/man8/security.8
index ba3070c479b..8993a32e28e 100644
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@@ -1,8 +1,8 @@
-.\" $OpenBSD: security.8,v 1.13 2007/10/23 14:02:38 jmc Exp $
+.\" $OpenBSD: security.8,v 1.14 2008/04/17 19:49:16 sthen Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
-.Dd $Mdocdate: October 23 2007 $
+.Dd $Mdocdate: April 17 2008 $
.Dt SECURITY 8
.Os
.Sh NAME
@@ -110,6 +110,10 @@ Check for changes to the disklabels of mounted disks.
.It
Report on the installation or removal of any system
.Xr package 5 .
+.It
+Check
+.Xr hostname.if 5
+file permissions.
.El
.Pp
The intent of the