-rw-r--r-- | etc/security | 8 | ||||
-rw-r--r-- | share/man/man8/security.8 | 24 |
2 files changed, 23 insertions, 9 deletions
diff --git a/etc/security b/etc/security
index 71ced78980f..01fe533ca06 100644
--- a/etc/security
+++ b/etc/security
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $OpenBSD: security,v 1.68 2004/08/25 19:59:29 millert Exp $
+# $OpenBSD: security,v 1.69 2005/01/06 00:00:38 jmc Exp $
 # from: @(#)security 8.1 (Berkeley) 6/9/93
 #
@@ -602,9 +602,9 @@ fi
 #
 # Create the mtree tree specifications using:
 #
-# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
-# chown root:wheel DIR.secure
-# chmod 600 DIR.secure
+# mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure
+# chown root:wheel /etc/mtree/DIR.secure
+# chmod 600 /etc/mtree/DIR.secure
 #
 # Note, this is not complete protection against Trojan horsed binaries, as
 # the hacker can modify the tree specification to match the replaced binary.
diff --git a/share/man/man8/security.8 b/share/man/man8/security.8
index b3e3b5885b1..2bc1f1a246e 100644
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: security.8,v 1.9 2004/10/04 20:55:29 jmc Exp $
+.\" $OpenBSD: security.8,v 1.10 2005/01/06 00:00:38 jmc Exp $
 .\"
 .\" David Leonard, 2001. Public Domain.
 .\"
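Review bot: The rewritten example in the `@@ -602` hunk pins file contents with `-K md5digest,type` only; MD5 is the weakest digest keyword mtree offers for tamper detection, and if the installed mtree(8) lists `rmd160digest` or `sha1digest` the example should prefer one of those (the same example is reproduced in the security.8 hunk that follows). The comment also no longer says why the explicit `-k` keyword list could be dropped: `-K` adds keywords to mtree's default set, so uid, gid, mode, size and time are still recorded, and a line such as `# (-K adds md5digest and type to mtree's default keyword set)` would keep that visible to the administrator copying the command. Since any legitimate update to DIR now shows up as a digest mismatch in the daily report, it is worth stating in the same comment that the spec must be regenerated after such updates. The comment block these lines belong to continues outside the hunk.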
@@ -74,11 +74,25 @@ Check disk ownership and permissions.
 Check for changes in the device file list.
 .It
 Check for permission changes in special files and system binaries listed in
-.Pa /etc/mtree/special
-and
-.Pa "/etc/mtree/*.secure" .
+.Pa /etc/mtree/special .
+.Nm
+also provides hooks for administrators to create their own lists.
+These lists should be kept in
+.Pa /etc/mtree/
+and filenames must have the suffix
+.Dq .secure .
+The following example shows how to create such a list,
+to protect the home directory of user
+.Dq bob :
+.Bd -literal -offset 4n
+# mtree -cx -p /home/bob -K md5digest,type \*(Gt/etc/mtree/bob.secure
+# chown root:wheel /etc/mtree/bob.secure
+# chmod 600 /etc/mtree/bob.secure
+.Ed
+.Pp
 .Sy Note:
-This is not complete protection against Trojan horsed binaries, as
+These checks do not provide complete protection against
+Trojan horsed binaries, as
 the miscreant can modify the tree specification to match the replaced binary.
 For details on really protecting yourself against modified binaries, see
 .Xr mtree 8 .
|