-rw-r--r--etc/security95
1 files changed, 49 insertions, 46 deletions
diff --git a/etc/security b/etc/security
index 464981e2291..50e1965d934 100644
--- a/etc/security
+++ b/etc/security
@@ -1,7 +1,9 @@
#!/bin/sh -
#
-# $OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $
+# $OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $
+# from: @(#)security 8.1 (Berkeley) 6/9/93
#
+
PATH=/sbin:/usr/sbin:/bin:/usr/bin
umask 077
@@ -14,7 +16,6 @@ TMP3=$DIR/_secure4
LIST=$DIR/_secure5
OUTPUT=$DIR/_secure6
-
if ! mkdir $DIR ; then
printf "tmp directory %s already exists, looks like:\n" $DIR
ls -alF $DIR
@@ -35,7 +36,7 @@ awk -F: '{
if ($1 ~ /^[+-].*$/)
next;
if ($1 == "")
- printf("Line %d has an empty login field.\n",NR);
+ printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
@@ -104,7 +105,7 @@ awk -F: '{
next;
if (NF != 4)
printf("Line %d has the wrong number of fields.\n", NR);
- if ($1 !~ /^[A-za-z0-9]*$/)
+ if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
printf("Group %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
printf("Group %s has more than 8 characters.\n", $1);
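Review bot: The group-name pattern on the new line keeps the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so a group name containing one of those slips past the "non-alphanumeric characters" warning this line exists to raise (and the explicit `_` in the second class is then redundant). The login check earlier in the file spells the same idea correctly as `[A-Za-z0-9][A-Za-z0-9_-]*`; the group line should match it: `if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)`. The awk program this test belongs to starts and ends outside the hunk.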
@@ -160,7 +161,7 @@ end-of-csh
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root csh paths, umask values:\n$list\n"
- if [ -s $OUTPUT ]; then
+ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
@@ -204,7 +205,7 @@ end-of-sh
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root sh paths, umask values:\n$list\n"
- if [ -s $OUTPUT ]; then
+ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
@@ -234,17 +235,17 @@ list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
for f in $list ; do
if [ -s $f ] ; then
awk '{
- if ($0 ~ /^\+@.*$/ )
+ if ($0 ~ /^\+@.*$/)
next;
- if ($0 ~ /^\+.*$/ )
+ if ($0 ~ /^\+.*$/)
printf("\nPlus sign in %s file.\n", FILENAME);
}' $f
fi
done
-# Check for special users with .rhosts/.shosts files. Only root should
-# have .rhosts/.shosts files. Also, .rhosts/.shosts files
-# should not have plus signs.
+# Check for special users with .rhosts/.shosts files. Only root
+# should have .rhosts/.shosts files. Also, .rhosts/.shosts
+# files should not have plus signs.
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \
($3 < 100 || $1 == "ftp" || $1 == "uucp") \
{ print $1 " " $6 }' /etc/passwd |
@@ -264,13 +265,13 @@ fi
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
for j in .rhosts .shosts; do
- if [ -f ${homedir}/$j ] ; then
+ if [ -s ${homedir}/$j ] ; then
awk '{
if ($0 ~ /^+@.*$/ )
next;
if ($0 ~ /^\+[ ]*$/ )
printf("%s has + sign in it.\n",
- FILENAME);
+ FILENAME);
}' ${homedir}/$j
fi
done
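Review bot: The per-user .rhosts/.shosts scan still has an unescaped leading `+` in `/^+@.*$/`, while the hosts.equiv check in the previous hunk writes `/^\+@.*$/`; a `+` as the first element of an ERE has no defined meaning, so whether netgroup lines are skipped here depends on the awk in use. The warning test `/^\+[ ]*$/` also reports only a bare `+`, so `+ +` or `+ someuser` entries, which grant access from any host, pass silently, whereas the hosts.equiv check flags anything starting with `+`. I would use the same shape here: `if ($0 ~ /^\+@.*$/) next; if ($0 ~ /^\+/) printf("%s has + sign in it.\n", FILENAME);`. Switching `-f` to `-s` is fine, since an empty file has nothing to report. The `while read uid homedir` loop closes outside the hunk, and `${homedir}` is unquoted throughout it.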
@@ -282,7 +283,7 @@ fi
# Check home directories. Directories should not be owned by someone else
# or writeable.
-awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \
+awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
if [ -d ${homedir}/ ] ; then
file=`ls -ldgT ${homedir}`
@@ -313,6 +314,8 @@ while read uid homedir; do
done |
awk '$1 != $5 && $5 != "root" \
{ print "user " $1 " " $2 " file is owned by " $5 }
+ $3 ~ /^-...r/ \
+ { print "user " $1 " " $2 " file is group readable" }
$3 ~ /^-......r/ \
{ print "user " $1 " " $2 " file is other readable" }
$3 ~ /^-....w/ \
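Review bot: The new group-readable test fires for every regular file the loop feeds it, with no exception for the owning group, so if the file list (the loop begins outside this hunk) includes ordinary rc files it will warn for every account created under umask 022 and bury the other-readable and other-writable lines that matter. If the intent is to catch credential-bearing files such as .rhosts/.shosts/.netrc, restrict the test to those names; if it is deliberately broad, say so with a comment such as `# group-readable is reported for every file on purpose; expect noise`. Like the existing tests, the `^-` anchor means a symlinked dotfile (mode starting with `l`) is never checked.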
@@ -354,36 +357,36 @@ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
-if [ -f /etc/exports ]; then
- # File systems should not be globally exported.
- awk '{
- if ($1 ~ /^#/)
- next;
- readonly = 0;
- for (i = 2; i <= NF; ++i) {
- if ($i ~ /-ro/)
- readonly = 1;
- else if ($i !~ /^-/)
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+ awk '{
+ if ($1 ~ /^#/)
next;
- }
- if (readonly)
- print "File system " $1 " globally exported, read-only."
- else
- print "File system " $1 " globally exported, read-write."
- }' < /etc/exports > $OUTPUT
- if [ -s $OUTPUT ] ; then
- printf "\nChecking for globally exported file systems.\n"
- cat $OUTPUT
- fi
+ readonly = 0;
+ for (i = 2; i <= NF; ++i) {
+ if ($i ~ /-ro/)
+ readonly = 1;
+ else if ($i !~ /^-/)
+ next;
+ }
+ if (readonly)
+ print "File system " $1 " globally exported, read-only."
+ else
+ print "File system " $1 " globally exported, read-write."
+ }' < /etc/exports > $OUTPUT
+ if [ -s $OUTPUT ] ; then
+ printf "\nChecking for globally exported file systems.\n"
+ cat $OUTPUT
+ fi
fi
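Review bot: The exports awk prints a bogus `File system  globally exported, read-write.` line for every blank line in /etc/exports: the guard skips only `#` lines, NF is 0 so the field loop never runs, readonly stays 0, and the print is reached with an empty $1. Skip empty records as well: `if (NF == 0 || $1 ~ /^#/)` followed by `next;`. Separately, "global" is decided by every field starting with `-`, so a line restricted with the `-network=…`/`-mask=…` spellings is reported as globally exported even though it is not; at least a comment that `-network`/`-mask` forms are not recognised would save a reader from trusting that report.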
# Display any changes in setuid/setgid files and devices.
pending="\nChecking setuid/setgid files and devices:\n"
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
- -o -fstype procfs \) -a -prune -o \
- -type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \
- ! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \
-sort > $LIST) 2> $OUTPUT
+ -o -fstype procfs \) -a -prune -o \
+ -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
+ ! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \
+xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
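Review bot: The find-to-xargs leg is now NUL-safe, but `ls -ldgT` writes names raw into the newline-delimited $LIST, so a setuid file whose name contains a newline still splits into two records, and because any user may set u+s on a file they own, an unprivileged account can plant a line that looks like a root setuid entry in the additions/changes report. If the ls(1) here supports `-q` (non-graphic characters printed as `?`), `xargs -0 ls -ldgTq | sort +9 > $LIST` closes that; a name containing a space still breaks the `sort +9` and `join -110` keying, which is a pre-existing limit of the field-based format. The listing now also depends on ls's column layout (the path being field 10), so the egrep, join and sort keys later in the file must be kept in step with it.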
# Display any errors that occurred during system file walk.
if [ -s $OUTPUT ] ; then
@@ -394,7 +397,7 @@ if [ -s $OUTPUT ] ; then
fi
# Display any changes in the setuid/setgid file list.
-egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1
+egrep -v '^[bc]' $LIST > $TMP1
if [ -s $TMP1 ] ; then
# Check to make sure uudecode isn't setuid.
if grep -w uudecode $TMP1 > /dev/null ; then
@@ -410,7 +413,7 @@ if [ -s $TMP1 ] ; then
:
else
> $TMP2
- join -112 -212 -v2 $CUR $TMP1 > $OUTPUT
+ join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid additions:\n"
pending=
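Review bot: `join -110 -210` keys on field 10 of both inputs, but $CUR is whatever an earlier run saved (its origin is outside this hunk); if that file was written in the previous `find -ls` layout, field 10 there is not the path, so the first run after this change will list every setuid file as both an addition and a deletion. A format check before the join, for example `head -1 $CUR | grep -q '^[-bc]' || > $CUR`, turns that one-time noise into a clean re-baseline. join(1) also needs both inputs sorted on the key: $TMP1 inherits `sort +9` from $LIST, so $CUR must have been saved from a list sorted the same way.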
@@ -418,7 +421,7 @@ if [ -s $TMP1 ] ; then
printf "\n"
fi
- join -112 -212 -v1 $CUR $TMP1 > $OUTPUT
+ join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid deletions:\n"
pending=
@@ -426,7 +429,7 @@ if [ -s $TMP1 ] ; then
printf "\n"
fi
- sort +11 $TMP2 $CUR $TMP1 | \
+ sort +9 $TMP2 $CUR $TMP1 | \
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid changes:\n"
@@ -450,7 +453,7 @@ fi
# Check for block and character disk devices that are readable or writeable
# or not owned by root.operator.
>$TMP1
-DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd"
+DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
for i in $DISKLIST; do
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
@@ -527,7 +530,7 @@ fi
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
-if [ -d /etc/mtree ]; then
+if [ -d /etc/mtree ] ; then
cd /etc/mtree
mtree -e -p / -f /etc/mtree/special > $OUTPUT
if [ -s $OUTPUT ] ; then
@@ -540,7 +543,7 @@ if [ -d /etc/mtree ]; then
[ $file = '*.secure' ] && continue
tree=`sed -n -e '3s/.* //p' -e 3q $file`
mtree -f $file -p $tree > $TMP1
- if [ -s $TMP1 ]; then
+ if [ -s $TMP1 ] ; then
printf "\nChecking $tree:\n" >> $OUTPUT
cat $TMP1 >> $OUTPUT
fi
@@ -560,7 +563,7 @@ if [ -s /etc/changelist ] ; then
for file in `cat /etc/changelist`; do
CUR=/var/backups/`basename $file`.current
BACK=/var/backups/`basename $file`.backup
- if [ -s $file ]; then
+ if [ -s $file ] ; then
if [ -s $CUR ] ; then
diff $CUR $file > $OUTPUT
if [ -s $OUTPUT ] ; then