path: root/etc/security
Age, author, commit message

2001-10-01  Jakob Schlyter
mtree -l (loose permissions check) on /etc/mtree/special. ok millert@.

2001-04-06  Brad Smith
fix username and groupname length checks.
-- Patch from: wilfried@ via PR#1761 Ok'd by: deraadt@

2001-04-05  Todd C. Miller
Skip entries starting with '+' in duplicate user ID check so we don't get false positives for YP stuff. Closes PR 1755

2001-03-25  Todd C. Miller
Don't provide diffs of sensitive files like ssh host keys. Instead, just save the md5 checksums so we can still determine when something changes. Entries in /etc/changelist that are prefixed with a '+' will only have their md5 checksums saved, not the actual files.

2001-03-16  Todd C. Miller
Add ~/.ssh/id_dsa and ~/.ssh/id_rsa to the "must be owned by user and not readable by other" block. Remove ~/.ssh/random_seed as it is not used in OpenSSH. Add ~/.ssh/authorized_keys2, and ~/.ssh/known_hosts to the "must be owned by user and not writable" block.

2001-01-31  Theo de Raadt
more fat utmp; ianm@cit.uws.edu.au

2000-12-22  Todd T. Fries
gnupg ring/data ownership/permission checking added; ok millert@

2000-12-17  Marco S Hyman
Todd, Aaron, Dug, and me all prefer unidiff

2000-10-20  Todd C. Miller
Since sh's builtin echo(1) supports /t and /n there is no reason to use printf(1) here. This way there is no possibility of format string problems and we use a shell builtin instead of an external command.

2000-10-18  Hugh Graham
printf(1) format string fixes! checked by theo.
inspiration from dynamo@ime.net. also a typo fix.

2000-10-06  Aaron Campbell
When including the listing of a directory in root's security mail, pass the -q flag to ls(1) so that non-printable characters will appear as '?'. This prevents a malicious user from fooling the administrator into thinking the contents of a file name are actually valid script output (note that you can put newlines in file names); deraadt@ ok

2000-07-23  Bruno Rohee
Add a little blurb explaining the meaning of mtree's output.
millert@ ok.

2000-06-18  Todd T. Fries
fix inspired by pr 744 from karls@inet.no
changed so files are e.g. backups/etc_passwd not backups/_etc_passwd

2000-05-26  Aaron Campbell
Capitalize 'id' to be consistent with our man pages.

2000-04-16  Todd C. Miller
sendmail support files now live in /etc/mail

2000-02-29  Aaron Campbell
existance -> existence

1999-11-22  Todd C. Miller
match /dev/fd{0,1,2,3}{,B,C,D,E,F,G,H}[abcdefghijklmnop] when doing device checks; closes PR #750

1999-06-19  Marc Espie
Give line printout along with line number.

1998-11-22  Theo de Raadt
make /var/backups same as mtree says; mickey

1998-08-17  Todd C. Miller
don't include FIFOs in check for set[ug]id files and devices; andrew@nfr.net

1998-07-11  Marco S Hyman
better checks for . in path from "Denis A. Doroshenko" <cyxob@isl.vtu.lt>

1998-05-10  Todd T. Fries
Check a few more DOTfiles that could potentially compromise security on a per user basis.

1998-03-22  Marco S Hyman
fix ksh.kshrc; check ksh.kshrc, .kshrc for owner/mode/path

1998-02-25  Todd C. Miller
Deal with non-existent /etc/skeykeys

1997-12-28  Theo de Raadt
be more careful during termination

1997-11-17  Theo de Raadt
completely avoid master.passwd in the changelist processing; jbernard@tater.mines.edu

1997-10-05  Theo de Raadt
handling for closed home directories; yensid@afri.imsa.edu

1997-09-29  Theo de Raadt
oops, detect blowfish-a as OK; yensid@imsa.edu, PR#321

1997-09-02  Theo de Raadt
better path handling; jbernard@tater.mines.edu, netbsd pr#3995

1997-06-23  Todd C. Miller
/etc/profile should be checked along with .profile for consistency with /etc/csh.login and .login. From Chris Jones <cjones@rupert.oscs.montana.edu>

1997-06-02  flipk
1. ignore blank lines
2. /-ro/ -> /^-ro$/ : allows hostnames containing "*-ro*" and ignores "-root"

1997-03-17  gene
Don't consider an account disabled just because the password length != 13.
Also, take into account users w/ the blowfish cypher.

1996-12-10  Theo de Raadt
blow away tmp dir on more traps

1996-12-06  Todd C. Miller
check for entry in /etc/skeykeys and ~/.ssh in evil system()

1996-12-06  Todd C. Miller
Change some "test -f" to "test -s"
Don't bitch about star'd out logins unless they have a .rhosts/.shosts/.klogin file (ie: something that would let them in via rsh/ssh).

1996-12-06  Todd C. Miller
skip lines in /etc/passwd that start with + or -.
don't bitch about root-owned .rhosts since multiple system accounts share root's homedir.

1996-11-30  Todd C. Miller
Merged our changes back into 4.4BSD version.
Can't do "find -ls" since we need to store the date in an absolute format (ls -T). Use "find -print0" | xargs -0 instead.

1996-11-23  Todd C. Miller
Deal with leading whitespace in find output. Fixes problem of devices showing up in the setuid list ;-)

1996-10-22  Thorsten Lockert
Update to work properly with output from find -ls; also skip commented out lines in /etc/exports

1996-09-20  bitblt
names of set-uid files are no longer passed to a shell.
Thanks to deraadt for pointing out the -ls flag on find.

1996-09-16  Theo de Raadt
toor is gone; thanks bibtlt

1996-09-15  Theo de Raadt
setup trap after mkdir

1996-09-15  Theo de Raadt
kill the races; found by bitblt

1996-07-19  Todd C. Miller
Would complain that /etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd have '+' in them even when they don't. Escaped the + to fix.

1996-07-12  Theo de Raadt
setgid too

1996-07-07  Theo de Raadt
only watch for pure + entries

1996-05-26  Theo de Raadt
sync & label

1995-12-18  Theo de Raadt
numerous improvements by arnej@pvv.unit.no, david@city.ac.uk, and myself.
complain less in normal situations, and deal better with netgroups, YP, ssh configuration files, and other rather normal configurations.

1995-10-18  Theo de Raadt
initial import of NetBSD tree