security revision 1.103 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.103 2007/08/09 07:50:58 tron Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9rcvar_manpage='security.conf(5)'
10
11if [ -f /etc/rc.subr ]; then
12	. /etc/rc.subr
13else
14	echo "Can't read /etc/rc.subr; aborting."
15	exit 1;
16fi
17
18umask 077
19TZ=UTC; export TZ
20
21if [ -s /etc/security.conf ]; then
22	. /etc/security.conf
23fi
24
25# Set reasonable defaults (if they're not set in security.conf)
26#
27backup_dir=${backup_dir:-/var/backups}
28pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29max_loginlen=${max_loginlen:-8}
30max_grouplen=${max_grouplen:-8}
31
32# Other configurable variables
33#
34special_files="/etc/mtree/special /etc/mtree/special.local"
35MP=/etc/master.passwd
36CHANGELIST=""
37work_dir=$backup_dir/work
38
39if [ ! -d "$work_dir" ]; then
40	mkdir -p "$work_dir"
41fi
42
43SECUREDIR=$(mktemp -d -t _securedir) || exit 1
44
45trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
46
47if ! cd "$SECUREDIR"; then
48	echo "Can not cd to $SECUREDIR".
49	exit 1
50fi
51
52ERR=err.$$
53TMP1=tmp1.$$
54TMP2=tmp2.$$
55MPBYUID=mpbyuid.$$
56MPBYPATH=mpbypath.$$
57LIST=list.$$
58OUTPUT=output.$$
59LABELS=labels.$$
60PKGS=pkgs.$$
61CHANGEFILES=changefiles.$$
62SPECIALSPEC=specialspec.$$
63
64
65# migrate_file old new
66#	Determine if the "${old}" path name needs to be migrated to the
67#	"${new}" path. Also checks if "${old}.current" needs migrating,
68#	and if so, migrate it and possibly "${old}.current,v" and
69#	"${old}.backup".
70#
71migrate_file()
72{
73	_old=$1
74	_new=$2
75	if [ -z "$_old" -o -z "$_new" ]; then
76		err 3 "USAGE: migrate_file old new"
77	fi
78	if [ ! -d "${_new%/*}" ]; then
79		mkdir -p "${_new%/*}"
80	fi
81	if [ -f "${_old}" -a ! -f "${_new}" ]; then
82		echo "==> migrating ${_old}"
83		echo "           to ${_new}"
84		mv "${_old}" "${_new}"
85	fi
86	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
87		echo "==> migrating ${_old}.current"
88		echo "           to ${_new}.current"
89		mv "${_old}.current" "${_new}.current"
90		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
91			echo "==> migrating ${_old}.current,v"
92			echo "           to ${_new}.current,v"
93			mv "${_old}.current,v" "${_new}.current,v"
94		fi
95		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
96			echo "==> migrating ${_old}.backup"
97			echo "           to ${_new}.backup"
98			mv "${_old}.backup" "${_new}.backup"
99		fi
100	fi
101}
102
103
104# backup_and_diff file printdiff
105#	Determine if file needs backing up, and if so, do it.
106#	If printdiff is yes, display the diffs, otherwise 
107#	just print a message saying "[changes omitted]".
108#
109backup_and_diff()
110{
111	_file=$1
112	_printdiff=$2
113	if [ -z "$_file" -o -z "$_printdiff" ]; then
114		err 3 "USAGE: backup_and_diff file printdiff"
115	fi
116	! checkyesno _printdiff
117	_printdiff=$?
118
119	_old=$backup_dir/${_file##*/}
120	case "$_file" in
121	$work_dir/*)
122		_new=$_file
123		migrate_file "$backup_dir/$_old" "$_new"
124		migrate_file "$_old" "$_new"
125		;;
126	*)
127		_new=$backup_dir/$_file
128		migrate_file "$_old" "$_new"
129		;;
130	esac
131	CUR=${_new}.current
132	BACK=${_new}.backup
133	if [ -f $_file ]; then
134		if [ -f $CUR ] ; then
135			if [ "$_printdiff" -ne 0 ]; then
136				diff ${diff_options} $CUR $_file > $OUTPUT
137			else
138				if ! cmp -s $CUR $_file; then
139					echo "[changes omitted]"
140				fi > $OUTPUT
141			fi
142			if [ -s $OUTPUT ] ; then
143				printf \
144			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
145				cat $OUTPUT
146				backup_file update $_file $CUR $BACK
147			fi
148		else
149			printf "\n======\n%s added\n======\n" $_file
150			if [ "$_printdiff" -ne 0 ]; then
151				diff ${diff_options} /dev/null $_file
152			else
153				echo "[changes omitted]"
154			fi
155			backup_file add $_file $CUR $BACK
156		fi
157	else
158		if [ -f $CUR ]; then
159			printf "\n======\n%s removed\n======\n" $_file
160			if [ "$_printdiff" -ne 0 ]; then
161				diff ${diff_options} $CUR /dev/null
162			else
163				echo "[changes omitted]"
164			fi
165			backup_file remove $_file $CUR $BACK
166		fi
167	fi
168}
169
170
171# These are used several times.
172#
173awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
174awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
175for file in $special_files; do
176	[ -s $file ] && cat $file
177done | mtree -CM -k all > $SPECIALSPEC || exit 1
178
179
180# Check the master password file syntax.
181#
182if checkyesno check_passwd; then
183        # XXX: the sense of permit_star is reversed; the code works as
184        # implemented, but usage needs to be negated.
185	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
186	checkyesno check_passwd_permit_nonalpha \
187		 && permit_nonalpha=1 || permit_nonalpha=0
188
189	awk -v "len=$max_loginlen" \
190	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
191	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
192	    -v "permit_star=$permit_star" \
193	    -v "permit_nonalpha=$permit_nonalpha" \
194	'
195	BEGIN {
196		while ( getline < "/etc/shells" > 0 ) {
197			if ($0 ~ /^\#/ || $0 ~ /^$/ )
198				continue;
199			shells[$1]++;
200		}
201		split(nowarn_shells_list, a);
202		for (i in a) nowarn_shells[a[i]]++;
203		split(nowarn_users_list, a);
204		for (i in a) nowarn_users[a[i]]++;
205		uid0_users_list="root toor"
206		split(uid0_users_list, a);
207		for (i in a) uid0_users[a[i]]++;
208		FS=":";
209	}
210
211	{
212		if ($0 ~ /^[	 ]*$/) {
213			printf "Line %d is a blank line.\n", NR;
214			next;
215		}
216		if (NF != 10 && ($1 != "+" || NF != 1))
217			printf "Line %d has the wrong number of fields.\n", NR;
218		if ($1 == "+" )  {
219			if (NF != 1 && $3 == 0)
220			    printf "Line %d includes entries with uid 0.\n",
221			        NR;
222			next;
223		}
224		if (!permit_nonalpha &&
225		    $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
226			printf "Login %s has non-alphanumeric characters.\n",
227			    $1;
228		if (length($1) > len)
229			printf "Login %s has more than "len" characters.\n",
230			    $1;
231		if ($2 == "" && !nowarn_users[$1])
232			    printf "Login %s has no password.\n", $1;
233		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
234		    if (length($2) != 13 &&
235		    	length($2) != 20 &&
236		    	$2 !~ /^\$1/ &&
237		    	$2 !~ /^\$2/ &&
238			$2 !~ /^\$sha1/ &&
239		    	$2 != "" &&
240			(permit_star || $2 != "*") &&
241		    	$2 !~ /^\*[A-z-]+$/ &&
242			$1 != "toor") {
243		    	    if ($10 == "" || shells[$10])
244				printf "Login %s is off but still has "\
245				  "a valid shell (%s)\n", $1, $10;
246		    } else if (! shells[$10])
247		    	    printf "Login %s does not have a valid "\
248			    "shell (%s)\n", $1, $10;
249		}
250		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
251			printf "Login %s has a user id of 0.\n", $1;
252		if ($3 < 0)
253			printf "Login %s has a negative user id.\n", $1;
254		if ($4 < 0)
255			printf "Login %s has a negative group id.\n", $1;
256	}' < $MP > $OUTPUT
257	if [ -s $OUTPUT ] ; then
258		printf "\nChecking the $MP file:\n"
259		cat $OUTPUT
260	fi
261
262	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
263	if [ -s $OUTPUT ] ; then
264		printf "\n$MP has duplicate user names.\n"
265		column $OUTPUT
266	fi
267
268# To not exclude 'toor', a standard duplicate root account, from the duplicate
269# account test, uncomment the line below (without egrep in it)and comment
270# out the line (with egrep in it) below it.
271#
272#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
273	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
274	if [ -s $TMP2 ] ; then
275		printf "\n$MP has duplicate user id's.\n"
276		while read uid; do
277			grep -w $uid $MPBYUID
278		done < $TMP2 | column
279	fi
280fi
281
282# Check the group file syntax.
283#
284if checkyesno check_group; then
285	GRP=/etc/group
286	awk -F: -v "len=$max_grouplen" '{
287		if ($0 ~ /^[	 ]*$/) {
288			printf "Line %d is a blank line.\n", NR;
289			next;
290		}
291		if (NF != 4 && ($1 != "+" || NF != 1))
292			printf "Line %d has the wrong number of fields.\n", NR;
293		if ($1 == "+" )  {
294			next;
295		}
296		if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
297			printf "Group %s has non-alphanumeric characters.\n",
298			    $1;
299		if (length($1) > len)
300			printf "Group %s has more than "len" characters.\n", $1;
301		if ($3 !~ /[0-9]*/)
302			printf "Login %s has a negative group id.\n", $1;
303	}' < $GRP > $OUTPUT
304	if [ -s $OUTPUT ] ; then
305		printf "\nChecking the $GRP file:\n"
306		cat $OUTPUT
307	fi
308
309	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
310	if [ -s $OUTPUT ] ; then
311		printf "\n$GRP has duplicate group names.\n"
312		column $OUTPUT
313	fi
314fi
315
316# Check for root paths, umask values in startup files.
317# The check for the root paths is problematical -- it's likely to fail
318# in other environments.  Once the shells have been modified to warn
319# of '.' in the path, the path tests should go away.
320#
321if checkyesno check_rootdotfiles; then
322	rhome=~root
323	umaskset=no
324	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
325	for i in $list ; do
326		if [ -f $i ] ; then
327			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
328			then
329				umaskset=yes
330			fi
331			# Double check the umask value itself; ensure that
332			# both the group and other write bits are set.
333			#
334			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
335			awk '{
336				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
337					print "\tRoot umask is group writable"
338				}
339				if ($2 ~ /[^2367]$/) {
340					print "\tRoot umask is other writable"
341			    	}
342			    }' | sort -u
343			SAVE_PATH=$PATH
344			unset PATH
345			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
346				source $i
347				/bin/ls -ldgT \$path > $TMP1
348end-of-csh
349			export PATH=$SAVE_PATH
350			awk '{
351				if ($10 ~ /^\.$/) {
352					print "\tThe root path includes .";
353					next;
354				}
355			     }
356			     $1 ~ /^d....w/ \
357		{ print "\tRoot path directory " $10 " is group writable." } \
358			     $1 ~ /^d.......w/ \
359		{ print "\tRoot path directory " $10 " is other writable." }' \
360			< $TMP1
361		fi
362	done > $OUTPUT
363	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
364		printf "\nChecking root csh paths, umask values:\n$list\n\n"
365		if [ -s $OUTPUT ]; then
366			cat $OUTPUT
367		fi
368		if [ $umaskset = "no" ] ; then
369		    printf "\tRoot csh startup files do not set the umask.\n"
370		fi
371	fi
372
373	umaskset=no
374	list="/etc/profile ${rhome}/.profile"
375	for i in $list; do
376		if [ -f $i ] ; then
377			if egrep umask $i > /dev/null ; then
378				umaskset=yes
379			fi
380			egrep umask $i |
381			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
382				{ print "\tRoot umask is group writable" } \
383			     $2 ~ /[^2367]$/ \
384				{ print "\tRoot umask is other writable" }'
385			SAVE_PATH=$PATH
386			unset PATH
387			/bin/sh << end-of-sh > /dev/null 2>&1
388				. $i
389				list=\`echo \$PATH | /usr/bin/sed -e \
390				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
391				/bin/ls -ldgT \$list > $TMP1
392end-of-sh
393			export PATH=$SAVE_PATH
394			awk '{
395				if ($10 ~ /^\.$/) {
396					print "\tThe root path includes .";
397					next;
398				}
399			     }
400			     $1 ~ /^d....w/ \
401		{ print "\tRoot path directory " $10 " is group writable." } \
402			     $1 ~ /^d.......w/ \
403		{ print "\tRoot path directory " $10 " is other writable." }' \
404			< $TMP1
405
406		fi
407	done > $OUTPUT
408	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
409		printf "\nChecking root sh paths, umask values:\n$list\n"
410		if [ -s $OUTPUT ]; then
411			cat $OUTPUT
412		fi
413		if [ $umaskset = "no" ] ; then
414			printf "\tRoot sh startup files do not set the umask.\n"
415		fi
416	fi
417fi
418
419# Root and uucp should both be in /etc/ftpusers.
420#
421if checkyesno check_ftpusers; then
422	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
423	for i in $list; do
424		if /usr/libexec/ftpd -C $i ; then
425			printf "\t$i is not denied\n"
426		fi
427	done > $OUTPUT
428	if [ -s $OUTPUT ]; then
429		printf "\nChecking the /etc/ftpusers configuration:\n"
430		cat $OUTPUT
431	fi
432fi
433
434# Uudecode should not be in the /etc/mail/aliases file.
435#
436if checkyesno check_aliases; then
437	for f in /etc/mail/aliases /etc/aliases; do
438		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
439			printf "\nEntry for uudecode in $f file.\n"
440		fi
441	done
442fi
443
444# Files that should not have + signs.
445#
446if checkyesno check_rhosts; then
447	list="/etc/hosts.equiv /etc/hosts.lpd"
448	for f in $list ; do
449		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
450			printf "\nPlus sign in $f file.\n"
451		fi
452	done
453
454	# Check for special users with .rhosts files.  Only root and toor should
455	# have .rhosts files.  Also, .rhosts files should not have plus signs.
456	awk -F: '$1 != "root" && $1 != "toor" && \
457		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
458			{ print $1 " " $9 }' $MP |
459	sort -k2 |
460	while read uid homedir; do
461		if [ -f ${homedir}/.rhosts ] ; then
462			rhost=`ls -ldgT ${homedir}/.rhosts`
463			printf -- "$uid: $rhost\n"
464		fi
465	done > $OUTPUT
466	if [ -s $OUTPUT ] ; then
467		printf "\nChecking for special users with .rhosts files.\n"
468		cat $OUTPUT
469	fi
470
471	while read uid homedir; do
472		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
473		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
474			printf -- "$uid: + in .rhosts file.\n"
475		fi
476	done < $MPBYPATH > $OUTPUT
477	if [ -s $OUTPUT ] ; then
478		printf "\nChecking .rhosts files syntax.\n"
479		cat $OUTPUT
480	fi
481fi
482
483# Check home directories.  Directories should not be owned by someone else
484# or writable.
485#
486if checkyesno check_homes; then
487	checkyesno check_homes_permit_usergroups && \
488		permit_usergroups=1 || permit_usergroups=0
489	while read uid homedir; do
490		if [ -d ${homedir}/ ] ; then
491			file=`ls -ldgT ${homedir}`
492			printf -- "$uid $file\n"
493		fi
494	done < $MPBYPATH |
495	awk -v "usergroups=$permit_usergroups" '
496	     $1 != $4 && $4 != "root" \
497		{ print "user " $1 " home directory is owned by " $4 }
498	     $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
499		{ print "user " $1 " home directory is group writable" }
500	     $2 ~ /^d.......w/ \
501		{ print "user " $1 " home directory is other writable" }' \
502	    > $OUTPUT
503	if [ -s $OUTPUT ] ; then
504		printf "\nChecking home directories.\n"
505		cat $OUTPUT
506	fi
507
508	# Files that should not be owned by someone else or readable.
509	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
510	while read uid homedir; do
511		for f in $list ; do
512			file=${homedir}/${f}
513			if [ -f $file ] ; then
514				printf -- "$uid $f `ls -ldgT $file`\n"
515			fi
516		done
517	done < $MPBYPATH |
518	awk  -v "usergroups=$permit_usergroups" '
519	     $1 != $5 && $5 != "root" \
520		{ print "user " $1 " " $2 " file is owned by " $5 }
521	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
522		{ print "user " $1 " " $2 " file is group readable" }
523	     $3 ~ /^-......r/ \
524		{ print "user " $1 " " $2 " file is other readable" }
525	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
526		{ print "user " $1 " " $2 " file is group writable" }
527	     $3 ~ /^-.......w/ \
528		{ print "user " $1 " " $2 " file is other writable" }' \
529	    > $OUTPUT
530
531	# Files that should not be owned by someone else or writable.
532	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
533	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
534	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
535	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
536	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
537	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
538	      .ssh/known_hosts2"
539	while read uid homedir; do
540		for f in $list ; do
541			file=${homedir}/${f}
542			if [ -f $file ] ; then
543				printf -- "$uid $f `ls -ldgT $file`\n"
544			fi
545		done
546	done < $MPBYPATH |
547	awk -v "usergroups=$permit_usergroups" '
548	     $1 != $5 && $5 != "root" \
549		{ print "user " $1 " " $2 " file is owned by " $5 }
550	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
551		{ print "user " $1 " " $2 " file is group writable" }
552	     $3 ~ /^-.......w/ \
553		{ print "user " $1 " " $2 " file is other writable" }' \
554	    >> $OUTPUT
555	if [ -s $OUTPUT ] ; then
556		printf "\nChecking dot files.\n"
557		cat $OUTPUT
558	fi
559fi
560
561# Mailboxes should be owned by user and unreadable.
562#
563if checkyesno check_varmail; then
564	ls -lA /var/mail | \
565	awk '	NR == 1 { next; }
566		$9 ~ /^\./ {next; }
567	    	$3 != $9 {
568			print "user " $9 " mailbox is owned by " $3
569		}
570		$1 != "-rw-------" {
571			print "user " $9 " mailbox is " $1 ", group " $4
572		}' > $OUTPUT
573	if [ -s $OUTPUT ] ; then
574		printf "\nChecking mailbox ownership.\n"
575		cat $OUTPUT
576	fi
577fi
578
579# NFS exports shouldn't be globally exported
580#
581if checkyesno check_nfs && [ -f /etc/exports ]; then
582	awk '{
583		# ignore comments and blank lines
584		if ($0 ~ /^\#/ || $0 ~ /^$/ )
585			next;
586		# manage line continuation
587		while ($NF ~ /^\\$/) {
588			$NF = "";
589			line = $0 "";
590			getline;
591			$0 = line $0 "";
592		}
593
594		delete dir;
595		readonly = ndir = 0;
596		for (i = 1; i <= NF; ++i) {
597			if ($i ~ /^\//) dir[ndir++] = $i;
598			else if ($i ~ /^-/) {
599				if ($i ~ /^-(ro|o)$/) readonly = 1;
600				if ($i ~ /^-network/) next;
601			}
602			else next;
603		}
604		if (readonly)
605			for (item in dir)
606				rodir[nrodir++] = dir[item];
607		else
608			for (item in dir)
609				rwdir[nrwdir++] = dir[item];
610
611	}
612
613	END {
614		if (nrodir) {
615			printf("Globally exported file system%s, read-only:\n",
616				nrodir > 1 ? "s" : "");
617			for (item in rodir)
618				printf("\t%s\n", rodir[item]);
619		}
620		if (nrwdir) {
621			printf("Globally exported file system%s, read-write:\n",
622				nrwdir > 1 ? "s" : "");
623			for (item in rwdir)
624				printf("\t%s\n", rwdir[item]);
625		}
626	}' < /etc/exports > $OUTPUT
627	if [ -s $OUTPUT ] ; then
628		printf "\nChecking for globally exported file systems.\n"
629		cat $OUTPUT
630	fi
631fi
632
633# Display any changes in setuid files and devices.
634#
635if checkyesno check_devices; then
636	> $ERR
637	(
638
639	# Convert check_devices_ignore_fstypes="foo !bar bax"
640	#    into "-fstype foo -o ! -fstype bar -o -fstype bax"
641	# and check_devices_ignore_paths="/foo !/bar /bax"
642	#    into " -path /foo -o ! -path /bar -o -path /bax"
643	#
644	ignexpr=$(\
645	    echo $check_devices_ignore_fstypes | \
646		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
647	    echo $check_devices_ignore_paths | \
648		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
649	)
650
651	# Massage the expression into ( $ignexpr ) -a -prune -o
652	if [ -n "${ignexpr}" ]; then
653		ignexpr=$(\
654			echo $ignexpr | \
655			    sed -e 's/^-o /( /' \
656				-e 's/$/ ) -a -prune -o/' \
657		)
658	fi
659
660	find / $ignexpr \
661	    \( \( -perm -u+s -a ! -type d \) -o \
662	       \( -perm -g+s -a ! -type d \) -o \
663	       -type b -o -type c \) -print0 | \
664	xargs -0 ls -ldgTq | sort +9 > $LIST
665
666	) 2> $OUTPUT
667
668	# Display any errors that occurred during system file walk.
669	if [ -s $OUTPUT ] ; then
670		printf "Setuid/device find errors:\n" >> $ERR
671		cat $OUTPUT >> $ERR
672		printf "\n" >> $ERR
673	fi
674
675	# Display any changes in the setuid file list.
676	egrep -v '^[bc]' $LIST > $TMP1
677	if [ -s $TMP1 ] ; then
678		# Check to make sure uudecode isn't setuid.
679		if grep -w uudecode $TMP1 > /dev/null ; then
680			printf "\nUudecode is setuid.\n" >> $ERR
681		fi
682
683		file=$work_dir/setuid
684		migrate_file "$backup_dir/setuid" "$file"
685		CUR=${file}.current
686		BACK=${file}.backup
687		if [ -s $CUR ] ; then
688			if cmp -s $CUR $TMP1 ; then
689				:
690			else
691				> $TMP2
692				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
693				if [ -s $OUTPUT ] ; then
694					printf "Setuid additions:\n" >> $ERR
695					tee -a $TMP2 < $OUTPUT >> $ERR
696					printf "\n" >> $ERR
697				fi
698
699				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
700				if [ -s $OUTPUT ] ; then
701					printf "Setuid deletions:\n" >> $ERR
702					tee -a $TMP2 < $OUTPUT >> $ERR
703					printf "\n" >> $ERR
704				fi
705
706				sort -k10 $TMP2 $CUR $TMP1 | \
707				    sed -e 's/[	 ][	 ]*/ /g' | \
708				    uniq -u > $OUTPUT
709				if [ -s $OUTPUT ] ; then
710					printf "Setuid changes:\n" >> $ERR
711					column -t $OUTPUT >> $ERR
712					printf "\n" >> $ERR
713				fi
714
715				backup_file update $TMP1 $CUR $BACK
716			fi
717		else
718			printf "Setuid additions:\n" >> $ERR
719			column -t $TMP1 >> $ERR
720			printf "\n" >> $ERR
721			backup_file add $TMP1 $CUR $BACK
722		fi
723	fi
724
725	# Check for block and character disk devices that are readable or
726	# writable or not owned by root.operator.
727	>$TMP1
728	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
729	    sd se ss uk up vnd wd xd xy"
730#	DISKLIST="$DISKLIST ct mt st wt"
731	for i in $DISKLIST; do
732		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
733		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
734	done
735
736	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
737		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
738		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
739	if [ -s $OUTPUT ] ; then
740		printf "\nChecking disk ownership and permissions.\n" >> $ERR
741		cat $OUTPUT >> $ERR
742		printf "\n" >> $ERR
743	fi
744
745	# Display any changes in the device file list.
746	egrep '^[bc]' $LIST | sort -k11 > $TMP1
747	if [ -s $TMP1 ] ; then
748		file=$work_dir/device
749		migrate_file "$backup_dir/device" "$file"
750		CUR=${file}.current
751		BACK=${file}.backup
752
753		if [ -s $CUR ] ; then
754			if cmp -s $CUR $TMP1 ; then
755				:
756			else
757				> $TMP2
758				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
759				if [ -s $OUTPUT ] ; then
760					printf "Device additions:\n" >> $ERR
761					tee -a $TMP2 < $OUTPUT >> $ERR
762					printf "\n" >> $ERR
763				fi
764
765				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
766				if [ -s $OUTPUT ] ; then
767					printf "Device deletions:\n" >> $ERR
768					tee -a $TMP2 < $OUTPUT >> $ERR
769					printf "\n" >> $ERR
770				fi
771
772				# Report any block device change. Ignore
773				# character devices, only the name is
774				# significant.
775				cat $TMP2 $CUR $TMP1 | \
776				    sed -e '/^c/d' | \
777				    sort -k11 | \
778				    sed -e 's/[	 ][	 ]*/ /g' | \
779				    uniq -u > $OUTPUT
780				if [ -s $OUTPUT ] ; then
781					printf "Block device changes:\n" >> $ERR
782					column -t $OUTPUT >> $ERR
783					printf "\n" >> $ERR
784				fi
785
786				backup_file update $TMP1 $CUR $BACK
787			fi
788		else
789			printf "Device additions:\n" >> $ERR
790			column -t $TMP1 >> $ERR
791			printf "\n" >> $ERR
792			backup_file add $TMP1 $CUR $BACK >> $ERR
793		fi
794	fi
795	if [ -s $ERR ] ; then
796		printf "\nChecking setuid files and devices:\n"
797		cat $ERR
798		printf "\n"
799	fi
800fi
801
802# Check special files.
803# Check system binaries.
804#
805# Create the mtree tree specifications using:
806#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
807#	chown root:wheel DIR.secure
808#	chmod u+r,go= DIR.secure
809#
810# Note, this is not complete protection against Trojan horsed binaries, as
811# the hacker can modify the tree specification to match the replaced binary.
812# For details on really protecting yourself against modified binaries, see
813# the mtree(8) manual page.
814#
815if checkyesno check_mtree; then
816	if checkyesno check_mtree_follow_symlinks; then
817		check_mtree_flags="-L"
818	else
819		check_mtree_flags=""
820	fi
821	mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
822		grep -v '^mtree: dev/tty: Device not configured$' >&2
823	if [ -s $OUTPUT ]; then
824		printf "\nChecking special files and directories.\n"
825		cat $OUTPUT
826	fi
827
828	for file in /etc/mtree/*.secure; do
829		[ $file = '/etc/mtree/*.secure' ] && continue
830		tree=`sed -n -e '3s/.* //p' -e 3q $file`
831		mtree $check_mtree_flags -f $file -p $tree > $TMP1
832		if [ -s $TMP1 ]; then
833			printf "\nChecking $tree:\n"
834			cat $TMP1
835		fi
836	done > $OUTPUT
837	if [ -s $OUTPUT ]; then
838		printf "\nChecking system binaries:\n"
839		cat $OUTPUT
840	fi
841fi
842
843# Backup disklabels of available disks
844#
845if checkyesno check_disklabels; then
846		# migrate old disklabels
847	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
848	    $backup_dir/disklabel.* 2>/dev/null`; do
849		migrate_file "$file" "$work_dir/${file##*/}"
850	done
851
852		# generate list of old disklabels, fdisks & wedges and remove them
853	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
854	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
855	xargs rm < $LABELS
856
857		# generate disklabels of all disks excluding:	cd dk fd md st
858	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'`
859	for i in $disks; do
860		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
861	done
862
863		# if fdisk is available, generate fdisks for:	ed ld sd wd
864	if [ -x /sbin/fdisk ]; then
865		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
866		for i in $disks; do
867			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
868		done
869	fi
870
871		# if dkctl is available, generate dkctl listwedges for:	ed ld sd wd cgd ofdisk ra rl raid
872	if [ -x /sbin/dkctl ]; then
873		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'`
874		for i in $disks; do
875			/sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null
876		done
877	fi
878
879		# append list of new disklabels, fdisks and wedges
880	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
881	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
882	CHANGELIST="$LABELS $CHANGELIST"
883fi
884
885# Check for changes in the list of installed pkgs
886#
887if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
888	pkgs=$work_dir/pkgs
889	migrate_file "$backup_dir/pkgs" "$pkgs"
890	(	cd $pkgdb_dir
891		pkg_info | sort
892		echo ""
893		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
894			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
895	 ) > $pkgs
896	echo "$pkgs" > $PKGS
897	CHANGELIST="$PKGS $CHANGELIST"
898fi
899
900# List of files that get backed up and checked for any modifications.
901# Any changes cause the files to rotate.
902#
903if checkyesno check_changelist ; then
904	mtree -D -k type -f $SPECIALSPEC -E exclude |
905	    sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
906
907	(
908		# Add other files which might dynamically exist:
909		#	/etc/ifconfig.*
910		#	/etc/raid*.conf
911		#	/etc/rc.d/*
912		#	/etc/rc.conf.d/*
913		#
914		echo "/etc/ifconfig.*"
915		echo "/etc/raid*.conf"
916		echo "/etc/rc.d/*"
917		echo "/etc/rc.conf.d/*"
918
919		# Add /etc/changelist
920		#
921		if [ -s /etc/changelist ]; then
922			grep -v '^#' /etc/changelist
923		fi
924	) | while read file; do
925		case "$file" in
926		*[\*\?\[]*)	# If changelist line is a glob ...
927				# ... expand possible backup files
928				#
929			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
930			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
931				
932				# ... expand possible files
933				#
934			ls -1d $(echo $file) 2>/dev/null
935			;;
936		*)
937				# Otherwise, just print the filename
938			echo $file
939			;;
940		esac
941	done >> $CHANGEFILES
942	CHANGELIST="$CHANGEFILES $CHANGELIST"
943fi
944
945# Special case backups, including the master password file and
946# ssh private host keys. The normal backup mechanisms for
947# $check_changelist (see below) also print out the actual file
948# differences and we don't want to do that for these files
949#
950echo $MP > $TMP1			# always add /etc/master.passwd
951mtree -D -k type -f $SPECIALSPEC -I nodiff |
952    sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
953grep -v '^$' $TMP1 | sort -u > $TMP2
954
955while read file; do
956	backup_and_diff "$file" no
957done < $TMP2
958
959
960if [ -n "$CHANGELIST" ]; then
961	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
962	comm -23 $TMP1 $TMP2 | while read file; do
963		backup_and_diff "$file" yes
964	done
965fi
966
967if [ -f /etc/security.local ]; then
968	. /etc/security.local > $OUTPUT 2>&1
969	if [ -s $OUTPUT ] ; then
970		printf "\nRunning /etc/security.local:\n"
971		cat $OUTPUT
972	fi
973fi
974