#!/bin/sh -
#
-# $OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $
+# $OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $
+# from: @(#)security 8.1 (Berkeley) 6/9/93
#
+
PATH=/sbin:/usr/sbin:/bin:/usr/bin
umask 077
LIST=$DIR/_secure5
OUTPUT=$DIR/_secure6
-
if ! mkdir $DIR ; then
printf "tmp directory %s already exists, looks like:\n" $DIR
ls -alF $DIR
if ($1 ~ /^[+-].*$/)
next;
if ($1 == "")
- printf("Line %d has an empty login field.\n",NR);
+ printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
next;
if (NF != 4)
printf("Line %d has the wrong number of fields.\n", NR);
- if ($1 !~ /^[A-za-z0-9]*$/)
+ if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
printf("Group %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
printf("Group %s has more than 8 characters.\n", $1);
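Review bot: The character class on L28 still reads `[A-za-z0-9]` — the lowercase `z` in the first range is a typo for `Z` carried over from the removed line, so in the C locale `A-z` also spans the ASCII run between the letters and a group name containing `[`, `\`, `]`, `^` or a backquote is accepted silently. The login check on L21 uses `[A-Za-z0-9][A-Za-z0-9_-]*`, and the group test should match it: `if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)`. The awk program enclosing this test starts and ends outside the hunk.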
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root csh paths, umask values:\n$list\n"
- if [ -s $OUTPUT ]; then
+ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root sh paths, umask values:\n$list\n"
- if [ -s $OUTPUT ]; then
+ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
for f in $list ; do
if [ -s $f ] ; then
awk '{
- if ($0 ~ /^\+@.*$/ )
+ if ($0 ~ /^\+@.*$/)
next;
- if ($0 ~ /^\+.*$/ )
+ if ($0 ~ /^\+.*$/)
printf("\nPlus sign in %s file.\n", FILENAME);
}' $f
fi
done
-# Check for special users with .rhosts/.shosts files. Only root should
-# have .rhosts/.shosts files. Also, .rhosts/.shosts files
-# should not have plus signs.
+# Check for special users with .rhosts/.shosts files. Only root
+# should have .rhosts/.shosts files. Also, .rhosts/.shosts
+# files should not have plus signs.
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \
($3 < 100 || $1 == "ftp" || $1 == "uucp") \
{ print $1 " " $6 }' /etc/passwd |
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
for j in .rhosts .shosts; do
- if [ -f ${homedir}/$j ] ; then
+ if [ -s ${homedir}/$j ] ; then
awk '{
if ($0 ~ /^+@.*$/ )
next;
if ($0 ~ /^\+[ ]*$/ )
printf("%s has + sign in it.\n",
- FILENAME);
+ FILENAME);
}' ${homedir}/$j
fi
done
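Review bot: The netgroup test on L75, `/^+@.*$/`, leaves the leading `+` unescaped, whereas the same test at L52 was corrected to `/^\+@.*$/`; a `+` at the start of an ERE has no defined meaning, so whether `+@` lines are skipped depends on the awk in use, and it should read `if ($0 ~ /^\+@.*$/)`. The plus-sign test that follows on L77, `/^\+[ ]*$/`, only reports a line consisting of a bare `+`, while the `$list` check on L55 reports any line beginning with `+`, so a `.rhosts` line with a `+` host and a second field passes unreported — if that difference is not deliberate, the same `/^\+.*$/` belongs here. The `-f` to `-s` change on L73 only drops empty files, which carry nothing for the awk program to report either way.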
# Check home directories. Directories should not be owned by someone else
# or writeable.
-awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \
+awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
if [ -d ${homedir}/ ] ; then
file=`ls -ldgT ${homedir}`
done |
awk '$1 != $5 && $5 != "root" \
{ print "user " $1 " " $2 " file is owned by " $5 }
+ $3 ~ /^-...r/ \
+ { print "user " $1 " " $2 " file is group readable" }
$3 ~ /^-......r/ \
{ print "user " $1 " " $2 " file is other readable" }
$3 ~ /^-....w/ \
cat $OUTPUT
fi
-if [ -f /etc/exports ]; then
- # File systems should not be globally exported.
- awk '{
- if ($1 ~ /^#/)
- next;
- readonly = 0;
- for (i = 2; i <= NF; ++i) {
- if ($i ~ /-ro/)
- readonly = 1;
- else if ($i !~ /^-/)
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+ awk '{
+ if ($1 ~ /^#/)
next;
- }
- if (readonly)
- print "File system " $1 " globally exported, read-only."
- else
- print "File system " $1 " globally exported, read-write."
- }' < /etc/exports > $OUTPUT
- if [ -s $OUTPUT ] ; then
- printf "\nChecking for globally exported file systems.\n"
- cat $OUTPUT
- fi
+ readonly = 0;
+ for (i = 2; i <= NF; ++i) {
+ if ($i ~ /-ro/)
+ readonly = 1;
+ else if ($i !~ /^-/)
+ next;
+ }
+ if (readonly)
+ print "File system " $1 " globally exported, read-only."
+ else
+ print "File system " $1 " globally exported, read-write."
+ }' < /etc/exports > $OUTPUT
+ if [ -s $OUTPUT ] ; then
+ printf "\nChecking for globally exported file systems.\n"
+ cat $OUTPUT
+ fi
fi
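Review bot: `$i ~ /-ro/` on L128 is an unanchored substring match, so any option field that merely contains `-ro` marks the export read-only; pin it to the option itself with `if ($i ~ /^-ro$/)`. The loop also treats every field beginning with `-` as an option that does not restrict the export, so an entry limited with the `-network=`/`-mask=` options would still be reported as globally exported; if that exports(5) form is in use on this system, those fields should end the record with `next` the way a host name does. Apart from the `-f` to `-s` test on L112 the hunk is a re-indent of the existing awk program, so its behaviour is otherwise unchanged.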
# Display any changes in setuid/setgid files and devices.
pending="\nChecking setuid/setgid files and devices:\n"
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
- -o -fstype procfs \) -a -prune -o \
- -type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \
- ! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \
-sort > $LIST) 2> $OUTPUT
+ -o -fstype procfs \) -a -prune -o \
+ -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
+ ! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \
+xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
# Display any errors that occurred during system file walk.
if [ -s $OUTPUT ] ; then
fi
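Review bot: With `-print0 | xargs -0 ls -ldgT` on L151–L153 the listing is no longer produced by find itself, so a path that disappears between the walk and ls, or any ls or xargs failure, now lands in the same `$OUTPUT` that the comment on L154 describes as errors from the file walk; the comment should say so, e.g. `# Display any errors from the file walk or from listing its results.`. xargs may also invoke ls several times for a long list, which is harmless here only because `sort` follows; an xargs that runs ls with no arguments when find prints nothing would put an entry for the current directory into `$LIST` — hedged, since that depends on the xargs in use. The conditional opened on L155 has its body outside this view.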
# Display any changes in the setuid/setgid file list.
-egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1
+egrep -v '^[bc]' $LIST > $TMP1
if [ -s $TMP1 ] ; then
# Check to make sure uudecode isn't setuid.
if grep -w uudecode $TMP1 > /dev/null ; then
:
else
> $TMP2
- join -112 -212 -v2 $CUR $TMP1 > $OUTPUT
+ join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid additions:\n"
pending=
printf "\n"
fi
- join -112 -212 -v1 $CUR $TMP1 > $OUTPUT
+ join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid deletions:\n"
pending=
printf "\n"
fi
- sort +11 $TMP2 $CUR $TMP1 | \
+ sort +9 $TMP2 $CUR $TMP1 | \
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid changes:\n"
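Review bot: `join -110 -210` (L167, L174) and `sort +9` (L181) key on the tenth whitespace-separated field of the `ls -ldgT` lines, which by this script's layout is the path only while the name contains no whitespace; the `-print0`/`xargs -0` change upstream carries such names through find intact, but here they split into extra fields, so a setuid file with a space in its path keys on a truncated name and could be reported as an addition and a deletion on every run. Device lines, whose `major, minor` size adds a field, are already filtered by `egrep -v '^[bc]'` on L159, so the fixed-field assumption holds for the remaining regular files. The lines between L162 and L166 appear to belong to different hunks, so the enclosing conditional structure is not fully visible here.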
# Check for block and character disk devices that are readable or writeable
# or not owned by root.operator.
>$TMP1
-DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd"
+DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
for i in $DISKLIST; do
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
-if [ -d /etc/mtree ]; then
+if [ -d /etc/mtree ] ; then
cd /etc/mtree
mtree -e -p / -f /etc/mtree/special > $OUTPUT
if [ -s $OUTPUT ] ; then
[ $file = '*.secure' ] && continue
tree=`sed -n -e '3s/.* //p' -e 3q $file`
mtree -f $file -p $tree > $TMP1
- if [ -s $TMP1 ]; then
+ if [ -s $TMP1 ] ; then
printf "\nChecking $tree:\n" >> $OUTPUT
cat $TMP1 >> $OUTPUT
fi
for file in `cat /etc/changelist`; do
CUR=/var/backups/`basename $file`.current
BACK=/var/backups/`basename $file`.backup
- if [ -s $file ]; then
+ if [ -s $file ] ; then
if [ -s $CUR ] ; then
diff $CUR $file > $OUTPUT
if [ -s $OUTPUT ] ; then