-rw-r--r-- | etc/security | 95 |
1 files changed, 49 insertions, 46 deletions
diff --git a/etc/security b/etc/security index 464981e2291..50e1965d934 100644 --- a/etc/security +++ b/etc/security @@ -1,7 +1,9 @@ #!/bin/sh - # -# $OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $ +# $OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $ +# from: @(#)security 8.1 (Berkeley) 6/9/93 # + PATH=/sbin:/usr/sbin:/bin:/usr/bin umask 077 @@ -14,7 +16,6 @@ TMP3=$DIR/_secure4 LIST=$DIR/_secure5 OUTPUT=$DIR/_secure6 - if ! mkdir $DIR ; then printf "tmp directory %s already exists, looks like:\n" $DIR ls -alF $DIR @@ -35,7 +36,7 @@ awk -F: '{ if ($1 ~ /^[+-].*$/) next; if ($1 == "") - printf("Line %d has an empty login field.\n",NR); + printf("Line %d has an empty login field.\n", NR); else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) @@ -104,7 +105,7 @@ awk -F: '{ next; if (NF != 4) printf("Line %d has the wrong number of fields.\n", NR); - if ($1 !~ /^[A-za-z0-9]*$/) + if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Group %s has more than 8 characters.\n", $1); @@ -160,7 +161,7 @@ end-of-csh done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n" - if [ -s $OUTPUT ]; then + if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then @@ -204,7 +205,7 @@ end-of-sh done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" - if [ -s $OUTPUT ]; then + if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then 
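Review bot: The rewritten group-name test in the `@@ -104,7 +105,7 @@` hunk still carries the `A-za-z` typo in both bracket expressions, so in ASCII order the range `A-z` also admits `[`, `\`, `]`, `^`, `_` and the backquote, and a group name built from those characters is never reported; the login test in the `@@ -35,7 +36,7 @@` hunk above uses `A-Za-z` correctly. The line should read `if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)`. The awk program this line belongs to starts and ends outside the hunk.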
@@ -234,17 +235,17 @@ list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for f in $list ; do if [ -s $f ] ; then awk '{ - if ($0 ~ /^\+@.*$/ ) + if ($0 ~ /^\+@.*$/) next; - if ($0 ~ /^\+.*$/ ) + if ($0 ~ /^\+.*$/) printf("\nPlus sign in %s file.\n", FILENAME); }' $f fi done -# Check for special users with .rhosts/.shosts files. Only root should -# have .rhosts/.shosts files. Also, .rhosts/.shosts files -# should not have plus signs. +# Check for special users with .rhosts/.shosts files. Only root +# should have .rhosts/.shosts files. Also, .rhosts/.shosts +# files should not have plus signs. awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | @@ -264,13 +265,13 @@ fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for j in .rhosts .shosts; do - if [ -f ${homedir}/$j ] ; then + if [ -s ${homedir}/$j ] ; then awk '{ if ($0 ~ /^+@.*$/ ) next; if ($0 ~ /^\+[ ]*$/ ) printf("%s has + sign in it.\n", - FILENAME); + FILENAME); }' ${homedir}/$j fi done @@ -282,7 +283,7 @@ fi # Check home directories. Directories should not be owned by someone else # or writeable. -awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \ +awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` @@ -313,6 +314,8 @@ while read uid homedir; do done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } + $3 ~ /^-...r/ \ + { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ 
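Review bot: The `.rhosts`/`.shosts` scan in the `@@ -264,13 +265,13 @@` hunk skips netgroup lines with `/^+@.*$/`, an unescaped `+` directly after `^`, which POSIX leaves undefined for an ERE, while the `hosts.equiv` loop in the previous hunk escapes it as `/^\+@.*$/`; for the same reading on every awk, write `if ($0 ~ /^\+@.*$/)`. The `-f` → `-s` change on the same file test is fine, since an empty file has nothing to report. Note also that the plus-sign test `/^\+[ ]*$/` only reports a line that is a bare `+`, whereas the `hosts.equiv` check above reports any `+`-led line with `/^\+.*$/`; if the narrower pattern is not deliberate the two checks should be aligned. The `while read uid homedir` loop these lines sit in begins outside the hunk.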
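Review bot: The two lines added in the `@@ -313,6 +314,8 @@` hunk test the mode string with a bare positional regex, `$3 ~ /^-...r/`, and nothing says that column 5 is the group read bit while the existing `^-......r` rule below is the other-read bit; a reader has to count characters to check either. A short comment at the top of the awk program, `# $3 is the ls mode string: col 1 type, 2-4 user, 5-7 group, 8-10 other bits`, would make the three rules self-explaining. The awk program and the `done |` pipeline that feeds it start outside the hunk, so I cannot confirm from here which files reach these rules.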
@@ -354,36 +357,36 @@ if [ -s $OUTPUT ] ; then cat $OUTPUT fi -if [ -f /etc/exports ]; then - # File systems should not be globally exported. - awk '{ - if ($1 ~ /^#/) - next; - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /-ro/) - readonly = 1; - else if ($i !~ /^-/) +# File systems should not be globally exported. +if [ -s /etc/exports ] ; then + awk '{ + if ($1 ~ /^#/) next; - } - if (readonly) - print "File system " $1 " globally exported, read-only." - else - print "File system " $1 " globally exported, read-write." - }' < /etc/exports > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "\nChecking for globally exported file systems.\n" - cat $OUTPUT - fi + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /-ro/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) + print "File system " $1 " globally exported, read-only." + else + print "File system " $1 " globally exported, read-write." + }' < /etc/exports > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking for globally exported file systems.\n" + cat $OUTPUT + fi fi # Display any changes in setuid/setgid files and devices. pending="\nChecking setuid/setgid files and devices:\n" (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ - -o -fstype procfs \) -a -prune -o \ - -type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \ - ! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \ -sort > $LIST) 2> $OUTPUT + -o -fstype procfs \) -a -prune -o \ + -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ + ! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \ +xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then 
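Review bot: `xargs -0 ls -ldgT` prints each path name raw, so a setuid file whose name contains a newline or another non-graphic character splits into extra lines of `$LIST`, and because the later `sort +9`/`join -110` steps key on blank-separated field 10, a name with an embedded blank is keyed on its first word only; `-print0`/`-0` protect only the find-to-ls hop. Adding `-q` (`xargs -0 ls -ldgTq`) forces non-graphic characters to `?` even when stdout is not a terminal and closes the newline case; embedded blanks remain a known limitation of the field-based comparison and deserve a comment above the pipeline. Separately, in the re-indented exports check a blank line in `/etc/exports` has `NF == 0`, never enters the option loop and is reported as `File system  globally exported, read-write.`; `if (NF == 0 || $1 ~ /^#/) next;` avoids that false report.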
@@ -394,7 +397,7 @@ if [ -s $OUTPUT ] ; then fi # Display any changes in the setuid/setgid file list. -egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1 +egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then @@ -410,7 +413,7 @@ if [ -s $TMP1 ] ; then : else > $TMP2 - join -112 -212 -v2 $CUR $TMP1 > $OUTPUT + join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "${pending}Setuid additions:\n" pending= @@ -418,7 +421,7 @@ if [ -s $TMP1 ] ; then printf "\n" fi - join -112 -212 -v1 $CUR $TMP1 > $OUTPUT + join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "${pending}Setuid deletions:\n" pending= @@ -426,7 +429,7 @@ if [ -s $TMP1 ] ; then printf "\n" fi - sort +11 $TMP2 $CUR $TMP1 | \ + sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "${pending}Setuid changes:\n" @@ -450,7 +453,7 @@ fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 -DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd" +DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 @@ -527,7 +530,7 @@ fi # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. -if [ -d /etc/mtree ]; then +if [ -d /etc/mtree ] ; then cd /etc/mtree mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then @@ -540,7 +543,7 @@ if [ -d /etc/mtree ]; then [ $file = '*.secure' ] && continue tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree -f $file -p $tree > $TMP1 - if [ -s $TMP1 ]; then + if [ -s $TMP1 ] ; then printf "\nChecking $tree:\n" >> $OUTPUT cat $TMP1 >> $OUTPUT fi 
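Review bot: `join -110 -210 -v2 $CUR $TMP1` in the `@@ -410,7 +413,7 @@` hunk compares the new ten-field `ls -ldgT` lines against `$CUR`, which on the first run after this update will, as far as I can tell, still hold the previous twelve-field `find -ls` format sorted on field 12, so every setuid file is listed once under additions and once under deletions and a genuine change that day is buried in the noise. Either regenerate `$CUR` when the script is installed or detect the old layout once (for example `if egrep -q '^ *[0-9]+ +[0-9]+ +[-bc]' $CUR` — the pattern the removed `egrep -v` line used) and print a one-line notice instead of the comparison. The same field renumbering is in the `-v1` join and `sort +9` hunks that follow, so one fix covers all three. The `if [ -s $TMP1 ]` block these lines belong to begins and ends outside the hunk, and `$CUR` is assigned outside it as well.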
@@ -560,7 +563,7 @@ if [ -s /etc/changelist ] ; then for file in `cat /etc/changelist`; do CUR=/var/backups/`basename $file`.current BACK=/var/backups/`basename $file`.backup - if [ -s $file ]; then + if [ -s $file ] ; then if [ -s $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then |