100.chksetuid revision 96048 
1281760Ssjg#!/bin/sh -
2281760Ssjg#
3281760Ssjg# Copyright (c) 2001  The FreeBSD Project
4281760Ssjg# All rights reserved.
5281760Ssjg#
6281760Ssjg# Redistribution and use in source and binary forms, with or without
7281760Ssjg# modification, are permitted provided that the following conditions
8281760Ssjg# are met:
9281760Ssjg# 1. Redistributions of source code must retain the above copyright
10281760Ssjg#    notice, this list of conditions and the following disclaimer.
11281760Ssjg# 2. Redistributions in binary form must reproduce the above copyright
12281760Ssjg#    notice, this list of conditions and the following disclaimer in the
13281760Ssjg#    documentation and/or other materials provided with the distribution.
14281760Ssjg#
15281760Ssjg# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16281760Ssjg# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17281760Ssjg# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18281760Ssjg# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19281760Ssjg# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20281760Ssjg# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21281760Ssjg# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22281760Ssjg# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23281760Ssjg# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24281760Ssjg# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25281760Ssjg# SUCH DAMAGE.
26281760Ssjg#
27281760Ssjg# $FreeBSD: head/etc/periodic/security/100.chksetuid 96048 2002-05-05 00:59:37Z cjc $
28281760Ssjg#
29281760Ssjg
30281760Ssjg# If there is a global system configuration file, suck it in.
31281760Ssjg#
32281760Ssjgif [ -r /etc/defaults/periodic.conf ]
33281760Ssjgthen
34281760Ssjg    . /etc/defaults/periodic.conf
35281760Ssjg    source_periodic_confs
36281760Ssjgfi
37281760Ssjg
38281760SsjgTMP=/var/run/_secure.$$
39281760SsjgLOG="${daily_status_security_logdir}"
40281760Ssjgrc=0
41281760Ssjg
42281760Ssjgcase "$daily_status_security_chksetuid_enable" in
43281760Ssjg    [Yy][Ee][Ss])
44281760Ssjg	echo ""
45281760Ssjg	echo 'Checking setuid files and devices:'
46281760Ssjg	# XXX Note that there is the possibility of overrunning the args to ls
47281760Ssjg	MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
48281760Ssjg	set ${MP}
49281760Ssjg	while [ $# -ge 1 ]; do
50281760Ssjg	    mount=$1
51281760Ssjg	    shift
52281760Ssjg	    find $mount -xdev -type f \
53281760Ssjg		    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
54281760Ssjg		    \( -perm -u+s -or -perm -g+s \) -print0
55281760Ssjg	done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort +10 > ${TMP}
56281760Ssjg
57281760Ssjg	if [ ! -f ${LOG}/setuid.today ]; then
58281760Ssjg	    rc=1
59281760Ssjg	    echo "No ${LOG}/setuid.today"
60281760Ssjg	    cp ${TMP} ${LOG}/setuid.today || rc=3
61281760Ssjg	fi
62
63	if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
64	then
65	    [ $rc -lt 1 ] && rc=1
66	    echo "${host} setuid diffs:"
67	    diff -b ${LOG}/setuid.today ${TMP}
68	    mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
69	    mv ${TMP} ${LOG}/setuid.today || rc=3
70	fi
71	rm -f ${TMP};;
72    *)	rc=0;;
73esac
74
75exit $rc
76