security revision 1.104 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.104 2007/08/27 19:57:02 adrianp Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9rcvar_manpage='security.conf(5)'
10
11if [ -f /etc/rc.subr ]; then
12	. /etc/rc.subr
13else
14	echo "Can't read /etc/rc.subr; aborting."
15	exit 1;
16fi
17
18umask 077
19TZ=UTC; export TZ
20
21if [ -s /etc/security.conf ]; then
22	. /etc/security.conf
23fi
24
25# Set reasonable defaults (if they're not set in security.conf)
26#
27backup_dir=${backup_dir:-/var/backups}
28pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29max_loginlen=${max_loginlen:-8}
30max_grouplen=${max_grouplen:-8}
31pkg_info=${pkg_info:-/usr/sbin/pkg_info}
32
33# Other configurable variables
34#
35special_files="/etc/mtree/special /etc/mtree/special.local"
36MP=/etc/master.passwd
37CHANGELIST=""
38work_dir=$backup_dir/work
39
40if [ ! -d "$work_dir" ]; then
41	mkdir -p "$work_dir"
42fi
43
44SECUREDIR=$(mktemp -d -t _securedir) || exit 1
45
46trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
47
48if ! cd "$SECUREDIR"; then
49	echo "Can not cd to $SECUREDIR".
50	exit 1
51fi
52
53ERR=err.$$
54TMP1=tmp1.$$
55TMP2=tmp2.$$
56MPBYUID=mpbyuid.$$
57MPBYPATH=mpbypath.$$
58LIST=list.$$
59OUTPUT=output.$$
60LABELS=labels.$$
61PKGS=pkgs.$$
62CHANGEFILES=changefiles.$$
63SPECIALSPEC=specialspec.$$
64
65
66# migrate_file old new
67#	Determine if the "${old}" path name needs to be migrated to the
68#	"${new}" path. Also checks if "${old}.current" needs migrating,
69#	and if so, migrate it and possibly "${old}.current,v" and
70#	"${old}.backup".
71#
72migrate_file()
73{
74	_old=$1
75	_new=$2
76	if [ -z "$_old" -o -z "$_new" ]; then
77		err 3 "USAGE: migrate_file old new"
78	fi
79	if [ ! -d "${_new%/*}" ]; then
80		mkdir -p "${_new%/*}"
81	fi
82	if [ -f "${_old}" -a ! -f "${_new}" ]; then
83		echo "==> migrating ${_old}"
84		echo "           to ${_new}"
85		mv "${_old}" "${_new}"
86	fi
87	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
88		echo "==> migrating ${_old}.current"
89		echo "           to ${_new}.current"
90		mv "${_old}.current" "${_new}.current"
91		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
92			echo "==> migrating ${_old}.current,v"
93			echo "           to ${_new}.current,v"
94			mv "${_old}.current,v" "${_new}.current,v"
95		fi
96		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
97			echo "==> migrating ${_old}.backup"
98			echo "           to ${_new}.backup"
99			mv "${_old}.backup" "${_new}.backup"
100		fi
101	fi
102}
103
104
105# backup_and_diff file printdiff
106#	Determine if file needs backing up, and if so, do it.
107#	If printdiff is yes, display the diffs, otherwise 
108#	just print a message saying "[changes omitted]".
109#
110backup_and_diff()
111{
112	_file=$1
113	_printdiff=$2
114	if [ -z "$_file" -o -z "$_printdiff" ]; then
115		err 3 "USAGE: backup_and_diff file printdiff"
116	fi
117	! checkyesno _printdiff
118	_printdiff=$?
119
120	_old=$backup_dir/${_file##*/}
121	case "$_file" in
122	$work_dir/*)
123		_new=$_file
124		migrate_file "$backup_dir/$_old" "$_new"
125		migrate_file "$_old" "$_new"
126		;;
127	*)
128		_new=$backup_dir/$_file
129		migrate_file "$_old" "$_new"
130		;;
131	esac
132	CUR=${_new}.current
133	BACK=${_new}.backup
134	if [ -f $_file ]; then
135		if [ -f $CUR ] ; then
136			if [ "$_printdiff" -ne 0 ]; then
137				diff ${diff_options} $CUR $_file > $OUTPUT
138			else
139				if ! cmp -s $CUR $_file; then
140					echo "[changes omitted]"
141				fi > $OUTPUT
142			fi
143			if [ -s $OUTPUT ] ; then
144				printf \
145			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
146				cat $OUTPUT
147				backup_file update $_file $CUR $BACK
148			fi
149		else
150			printf "\n======\n%s added\n======\n" $_file
151			if [ "$_printdiff" -ne 0 ]; then
152				diff ${diff_options} /dev/null $_file
153			else
154				echo "[changes omitted]"
155			fi
156			backup_file add $_file $CUR $BACK
157		fi
158	else
159		if [ -f $CUR ]; then
160			printf "\n======\n%s removed\n======\n" $_file
161			if [ "$_printdiff" -ne 0 ]; then
162				diff ${diff_options} $CUR /dev/null
163			else
164				echo "[changes omitted]"
165			fi
166			backup_file remove $_file $CUR $BACK
167		fi
168	fi
169}
170
171
172# These are used several times.
173#
174awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
175awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
176for file in $special_files; do
177	[ -s $file ] && cat $file
178done | mtree -CM -k all > $SPECIALSPEC || exit 1
179
180
181# Check the master password file syntax.
182#
183if checkyesno check_passwd; then
184        # XXX: the sense of permit_star is reversed; the code works as
185        # implemented, but usage needs to be negated.
186	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
187	checkyesno check_passwd_permit_nonalpha \
188		 && permit_nonalpha=1 || permit_nonalpha=0
189
190	awk -v "len=$max_loginlen" \
191	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
192	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
193	    -v "permit_star=$permit_star" \
194	    -v "permit_nonalpha=$permit_nonalpha" \
195	'
196	BEGIN {
197		while ( getline < "/etc/shells" > 0 ) {
198			if ($0 ~ /^\#/ || $0 ~ /^$/ )
199				continue;
200			shells[$1]++;
201		}
202		split(nowarn_shells_list, a);
203		for (i in a) nowarn_shells[a[i]]++;
204		split(nowarn_users_list, a);
205		for (i in a) nowarn_users[a[i]]++;
206		uid0_users_list="root toor"
207		split(uid0_users_list, a);
208		for (i in a) uid0_users[a[i]]++;
209		FS=":";
210	}
211
212	{
213		if ($0 ~ /^[	 ]*$/) {
214			printf "Line %d is a blank line.\n", NR;
215			next;
216		}
217		if (NF != 10 && ($1 != "+" || NF != 1))
218			printf "Line %d has the wrong number of fields.\n", NR;
219		if ($1 == "+" )  {
220			if (NF != 1 && $3 == 0)
221			    printf "Line %d includes entries with uid 0.\n",
222			        NR;
223			next;
224		}
225		if (!permit_nonalpha &&
226		    $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
227			printf "Login %s has non-alphanumeric characters.\n",
228			    $1;
229		if (length($1) > len)
230			printf "Login %s has more than "len" characters.\n",
231			    $1;
232		if ($2 == "" && !nowarn_users[$1])
233			    printf "Login %s has no password.\n", $1;
234		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
235		    if (length($2) != 13 &&
236		    	length($2) != 20 &&
237		    	$2 !~ /^\$1/ &&
238		    	$2 !~ /^\$2/ &&
239			$2 !~ /^\$sha1/ &&
240		    	$2 != "" &&
241			(permit_star || $2 != "*") &&
242		    	$2 !~ /^\*[A-z-]+$/ &&
243			$1 != "toor") {
244		    	    if ($10 == "" || shells[$10])
245				printf "Login %s is off but still has "\
246				  "a valid shell (%s)\n", $1, $10;
247		    } else if (! shells[$10])
248		    	    printf "Login %s does not have a valid "\
249			    "shell (%s)\n", $1, $10;
250		}
251		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
252			printf "Login %s has a user id of 0.\n", $1;
253		if ($3 < 0)
254			printf "Login %s has a negative user id.\n", $1;
255		if ($4 < 0)
256			printf "Login %s has a negative group id.\n", $1;
257	}' < $MP > $OUTPUT
258	if [ -s $OUTPUT ] ; then
259		printf "\nChecking the $MP file:\n"
260		cat $OUTPUT
261	fi
262
263	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
264	if [ -s $OUTPUT ] ; then
265		printf "\n$MP has duplicate user names.\n"
266		column $OUTPUT
267	fi
268
269# To not exclude 'toor', a standard duplicate root account, from the duplicate
270# account test, uncomment the line below (without egrep in it)and comment
271# out the line (with egrep in it) below it.
272#
273#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
274	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
275	if [ -s $TMP2 ] ; then
276		printf "\n$MP has duplicate user id's.\n"
277		while read uid; do
278			grep -w $uid $MPBYUID
279		done < $TMP2 | column
280	fi
281fi
282
283# Check the group file syntax.
284#
285if checkyesno check_group; then
286	GRP=/etc/group
287	awk -F: -v "len=$max_grouplen" '{
288		if ($0 ~ /^[	 ]*$/) {
289			printf "Line %d is a blank line.\n", NR;
290			next;
291		}
292		if (NF != 4 && ($1 != "+" || NF != 1))
293			printf "Line %d has the wrong number of fields.\n", NR;
294		if ($1 == "+" )  {
295			next;
296		}
297		if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
298			printf "Group %s has non-alphanumeric characters.\n",
299			    $1;
300		if (length($1) > len)
301			printf "Group %s has more than "len" characters.\n", $1;
302		if ($3 !~ /[0-9]*/)
303			printf "Login %s has a negative group id.\n", $1;
304	}' < $GRP > $OUTPUT
305	if [ -s $OUTPUT ] ; then
306		printf "\nChecking the $GRP file:\n"
307		cat $OUTPUT
308	fi
309
310	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
311	if [ -s $OUTPUT ] ; then
312		printf "\n$GRP has duplicate group names.\n"
313		column $OUTPUT
314	fi
315fi
316
317# Check for root paths, umask values in startup files.
318# The check for the root paths is problematical -- it's likely to fail
319# in other environments.  Once the shells have been modified to warn
320# of '.' in the path, the path tests should go away.
321#
322if checkyesno check_rootdotfiles; then
323	rhome=~root
324	umaskset=no
325	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
326	for i in $list ; do
327		if [ -f $i ] ; then
328			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
329			then
330				umaskset=yes
331			fi
332			# Double check the umask value itself; ensure that
333			# both the group and other write bits are set.
334			#
335			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
336			awk '{
337				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
338					print "\tRoot umask is group writable"
339				}
340				if ($2 ~ /[^2367]$/) {
341					print "\tRoot umask is other writable"
342			    	}
343			    }' | sort -u
344			SAVE_PATH=$PATH
345			unset PATH
346			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
347				source $i
348				/bin/ls -ldgT \$path > $TMP1
349end-of-csh
350			export PATH=$SAVE_PATH
351			awk '{
352				if ($10 ~ /^\.$/) {
353					print "\tThe root path includes .";
354					next;
355				}
356			     }
357			     $1 ~ /^d....w/ \
358		{ print "\tRoot path directory " $10 " is group writable." } \
359			     $1 ~ /^d.......w/ \
360		{ print "\tRoot path directory " $10 " is other writable." }' \
361			< $TMP1
362		fi
363	done > $OUTPUT
364	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
365		printf "\nChecking root csh paths, umask values:\n$list\n\n"
366		if [ -s $OUTPUT ]; then
367			cat $OUTPUT
368		fi
369		if [ $umaskset = "no" ] ; then
370		    printf "\tRoot csh startup files do not set the umask.\n"
371		fi
372	fi
373
374	umaskset=no
375	list="/etc/profile ${rhome}/.profile"
376	for i in $list; do
377		if [ -f $i ] ; then
378			if egrep umask $i > /dev/null ; then
379				umaskset=yes
380			fi
381			egrep umask $i |
382			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
383				{ print "\tRoot umask is group writable" } \
384			     $2 ~ /[^2367]$/ \
385				{ print "\tRoot umask is other writable" }'
386			SAVE_PATH=$PATH
387			unset PATH
388			/bin/sh << end-of-sh > /dev/null 2>&1
389				. $i
390				list=\`echo \$PATH | /usr/bin/sed -e \
391				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
392				/bin/ls -ldgT \$list > $TMP1
393end-of-sh
394			export PATH=$SAVE_PATH
395			awk '{
396				if ($10 ~ /^\.$/) {
397					print "\tThe root path includes .";
398					next;
399				}
400			     }
401			     $1 ~ /^d....w/ \
402		{ print "\tRoot path directory " $10 " is group writable." } \
403			     $1 ~ /^d.......w/ \
404		{ print "\tRoot path directory " $10 " is other writable." }' \
405			< $TMP1
406
407		fi
408	done > $OUTPUT
409	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
410		printf "\nChecking root sh paths, umask values:\n$list\n"
411		if [ -s $OUTPUT ]; then
412			cat $OUTPUT
413		fi
414		if [ $umaskset = "no" ] ; then
415			printf "\tRoot sh startup files do not set the umask.\n"
416		fi
417	fi
418fi
419
420# Root and uucp should both be in /etc/ftpusers.
421#
422if checkyesno check_ftpusers; then
423	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
424	for i in $list; do
425		if /usr/libexec/ftpd -C $i ; then
426			printf "\t$i is not denied\n"
427		fi
428	done > $OUTPUT
429	if [ -s $OUTPUT ]; then
430		printf "\nChecking the /etc/ftpusers configuration:\n"
431		cat $OUTPUT
432	fi
433fi
434
435# Uudecode should not be in the /etc/mail/aliases file.
436#
437if checkyesno check_aliases; then
438	for f in /etc/mail/aliases /etc/aliases; do
439		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
440			printf "\nEntry for uudecode in $f file.\n"
441		fi
442	done
443fi
444
445# Files that should not have + signs.
446#
447if checkyesno check_rhosts; then
448	list="/etc/hosts.equiv /etc/hosts.lpd"
449	for f in $list ; do
450		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
451			printf "\nPlus sign in $f file.\n"
452		fi
453	done
454
455	# Check for special users with .rhosts files.  Only root and toor should
456	# have .rhosts files.  Also, .rhosts files should not have plus signs.
457	awk -F: '$1 != "root" && $1 != "toor" && \
458		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
459			{ print $1 " " $9 }' $MP |
460	sort -k2 |
461	while read uid homedir; do
462		if [ -f ${homedir}/.rhosts ] ; then
463			rhost=`ls -ldgT ${homedir}/.rhosts`
464			printf -- "$uid: $rhost\n"
465		fi
466	done > $OUTPUT
467	if [ -s $OUTPUT ] ; then
468		printf "\nChecking for special users with .rhosts files.\n"
469		cat $OUTPUT
470	fi
471
472	while read uid homedir; do
473		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
474		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
475			printf -- "$uid: + in .rhosts file.\n"
476		fi
477	done < $MPBYPATH > $OUTPUT
478	if [ -s $OUTPUT ] ; then
479		printf "\nChecking .rhosts files syntax.\n"
480		cat $OUTPUT
481	fi
482fi
483
484# Check home directories.  Directories should not be owned by someone else
485# or writable.
486#
487if checkyesno check_homes; then
488	checkyesno check_homes_permit_usergroups && \
489		permit_usergroups=1 || permit_usergroups=0
490	while read uid homedir; do
491		if [ -d ${homedir}/ ] ; then
492			file=`ls -ldgT ${homedir}`
493			printf -- "$uid $file\n"
494		fi
495	done < $MPBYPATH |
496	awk -v "usergroups=$permit_usergroups" '
497	     $1 != $4 && $4 != "root" \
498		{ print "user " $1 " home directory is owned by " $4 }
499	     $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
500		{ print "user " $1 " home directory is group writable" }
501	     $2 ~ /^d.......w/ \
502		{ print "user " $1 " home directory is other writable" }' \
503	    > $OUTPUT
504	if [ -s $OUTPUT ] ; then
505		printf "\nChecking home directories.\n"
506		cat $OUTPUT
507	fi
508
509	# Files that should not be owned by someone else or readable.
510	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
511	while read uid homedir; do
512		for f in $list ; do
513			file=${homedir}/${f}
514			if [ -f $file ] ; then
515				printf -- "$uid $f `ls -ldgT $file`\n"
516			fi
517		done
518	done < $MPBYPATH |
519	awk  -v "usergroups=$permit_usergroups" '
520	     $1 != $5 && $5 != "root" \
521		{ print "user " $1 " " $2 " file is owned by " $5 }
522	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
523		{ print "user " $1 " " $2 " file is group readable" }
524	     $3 ~ /^-......r/ \
525		{ print "user " $1 " " $2 " file is other readable" }
526	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
527		{ print "user " $1 " " $2 " file is group writable" }
528	     $3 ~ /^-.......w/ \
529		{ print "user " $1 " " $2 " file is other writable" }' \
530	    > $OUTPUT
531
532	# Files that should not be owned by someone else or writable.
533	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
534	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
535	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
536	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
537	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
538	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
539	      .ssh/known_hosts2"
540	while read uid homedir; do
541		for f in $list ; do
542			file=${homedir}/${f}
543			if [ -f $file ] ; then
544				printf -- "$uid $f `ls -ldgT $file`\n"
545			fi
546		done
547	done < $MPBYPATH |
548	awk -v "usergroups=$permit_usergroups" '
549	     $1 != $5 && $5 != "root" \
550		{ print "user " $1 " " $2 " file is owned by " $5 }
551	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
552		{ print "user " $1 " " $2 " file is group writable" }
553	     $3 ~ /^-.......w/ \
554		{ print "user " $1 " " $2 " file is other writable" }' \
555	    >> $OUTPUT
556	if [ -s $OUTPUT ] ; then
557		printf "\nChecking dot files.\n"
558		cat $OUTPUT
559	fi
560fi
561
562# Mailboxes should be owned by user and unreadable.
563#
564if checkyesno check_varmail; then
565	ls -lA /var/mail | \
566	awk '	NR == 1 { next; }
567		$9 ~ /^\./ {next; }
568	    	$3 != $9 {
569			print "user " $9 " mailbox is owned by " $3
570		}
571		$1 != "-rw-------" {
572			print "user " $9 " mailbox is " $1 ", group " $4
573		}' > $OUTPUT
574	if [ -s $OUTPUT ] ; then
575		printf "\nChecking mailbox ownership.\n"
576		cat $OUTPUT
577	fi
578fi
579
580# NFS exports shouldn't be globally exported
581#
582if checkyesno check_nfs && [ -f /etc/exports ]; then
583	awk '{
584		# ignore comments and blank lines
585		if ($0 ~ /^\#/ || $0 ~ /^$/ )
586			next;
587		# manage line continuation
588		while ($NF ~ /^\\$/) {
589			$NF = "";
590			line = $0 "";
591			getline;
592			$0 = line $0 "";
593		}
594
595		delete dir;
596		readonly = ndir = 0;
597		for (i = 1; i <= NF; ++i) {
598			if ($i ~ /^\//) dir[ndir++] = $i;
599			else if ($i ~ /^-/) {
600				if ($i ~ /^-(ro|o)$/) readonly = 1;
601				if ($i ~ /^-network/) next;
602			}
603			else next;
604		}
605		if (readonly)
606			for (item in dir)
607				rodir[nrodir++] = dir[item];
608		else
609			for (item in dir)
610				rwdir[nrwdir++] = dir[item];
611
612	}
613
614	END {
615		if (nrodir) {
616			printf("Globally exported file system%s, read-only:\n",
617				nrodir > 1 ? "s" : "");
618			for (item in rodir)
619				printf("\t%s\n", rodir[item]);
620		}
621		if (nrwdir) {
622			printf("Globally exported file system%s, read-write:\n",
623				nrwdir > 1 ? "s" : "");
624			for (item in rwdir)
625				printf("\t%s\n", rwdir[item]);
626		}
627	}' < /etc/exports > $OUTPUT
628	if [ -s $OUTPUT ] ; then
629		printf "\nChecking for globally exported file systems.\n"
630		cat $OUTPUT
631	fi
632fi
633
634# Display any changes in setuid files and devices.
635#
636if checkyesno check_devices; then
637	> $ERR
638	(
639
640	# Convert check_devices_ignore_fstypes="foo !bar bax"
641	#    into "-fstype foo -o ! -fstype bar -o -fstype bax"
642	# and check_devices_ignore_paths="/foo !/bar /bax"
643	#    into " -path /foo -o ! -path /bar -o -path /bax"
644	#
645	ignexpr=$(\
646	    echo $check_devices_ignore_fstypes | \
647		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
648	    echo $check_devices_ignore_paths | \
649		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
650	)
651
652	# Massage the expression into ( $ignexpr ) -a -prune -o
653	if [ -n "${ignexpr}" ]; then
654		ignexpr=$(\
655			echo $ignexpr | \
656			    sed -e 's/^-o /( /' \
657				-e 's/$/ ) -a -prune -o/' \
658		)
659	fi
660
661	find / $ignexpr \
662	    \( \( -perm -u+s -a ! -type d \) -o \
663	       \( -perm -g+s -a ! -type d \) -o \
664	       -type b -o -type c \) -print0 | \
665	xargs -0 ls -ldgTq | sort +9 > $LIST
666
667	) 2> $OUTPUT
668
669	# Display any errors that occurred during system file walk.
670	if [ -s $OUTPUT ] ; then
671		printf "Setuid/device find errors:\n" >> $ERR
672		cat $OUTPUT >> $ERR
673		printf "\n" >> $ERR
674	fi
675
676	# Display any changes in the setuid file list.
677	egrep -v '^[bc]' $LIST > $TMP1
678	if [ -s $TMP1 ] ; then
679		# Check to make sure uudecode isn't setuid.
680		if grep -w uudecode $TMP1 > /dev/null ; then
681			printf "\nUudecode is setuid.\n" >> $ERR
682		fi
683
684		file=$work_dir/setuid
685		migrate_file "$backup_dir/setuid" "$file"
686		CUR=${file}.current
687		BACK=${file}.backup
688		if [ -s $CUR ] ; then
689			if cmp -s $CUR $TMP1 ; then
690				:
691			else
692				> $TMP2
693				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
694				if [ -s $OUTPUT ] ; then
695					printf "Setuid additions:\n" >> $ERR
696					tee -a $TMP2 < $OUTPUT >> $ERR
697					printf "\n" >> $ERR
698				fi
699
700				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
701				if [ -s $OUTPUT ] ; then
702					printf "Setuid deletions:\n" >> $ERR
703					tee -a $TMP2 < $OUTPUT >> $ERR
704					printf "\n" >> $ERR
705				fi
706
707				sort -k10 $TMP2 $CUR $TMP1 | \
708				    sed -e 's/[	 ][	 ]*/ /g' | \
709				    uniq -u > $OUTPUT
710				if [ -s $OUTPUT ] ; then
711					printf "Setuid changes:\n" >> $ERR
712					column -t $OUTPUT >> $ERR
713					printf "\n" >> $ERR
714				fi
715
716				backup_file update $TMP1 $CUR $BACK
717			fi
718		else
719			printf "Setuid additions:\n" >> $ERR
720			column -t $TMP1 >> $ERR
721			printf "\n" >> $ERR
722			backup_file add $TMP1 $CUR $BACK
723		fi
724	fi
725
726	# Check for block and character disk devices that are readable or
727	# writable or not owned by root.operator.
728	>$TMP1
729	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
730	    sd se ss uk up vnd wd xd xy"
731#	DISKLIST="$DISKLIST ct mt st wt"
732	for i in $DISKLIST; do
733		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
734		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
735	done
736
737	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
738		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
739		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
740	if [ -s $OUTPUT ] ; then
741		printf "\nChecking disk ownership and permissions.\n" >> $ERR
742		cat $OUTPUT >> $ERR
743		printf "\n" >> $ERR
744	fi
745
746	# Display any changes in the device file list.
747	egrep '^[bc]' $LIST | sort -k11 > $TMP1
748	if [ -s $TMP1 ] ; then
749		file=$work_dir/device
750		migrate_file "$backup_dir/device" "$file"
751		CUR=${file}.current
752		BACK=${file}.backup
753
754		if [ -s $CUR ] ; then
755			if cmp -s $CUR $TMP1 ; then
756				:
757			else
758				> $TMP2
759				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
760				if [ -s $OUTPUT ] ; then
761					printf "Device additions:\n" >> $ERR
762					tee -a $TMP2 < $OUTPUT >> $ERR
763					printf "\n" >> $ERR
764				fi
765
766				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
767				if [ -s $OUTPUT ] ; then
768					printf "Device deletions:\n" >> $ERR
769					tee -a $TMP2 < $OUTPUT >> $ERR
770					printf "\n" >> $ERR
771				fi
772
773				# Report any block device change. Ignore
774				# character devices, only the name is
775				# significant.
776				cat $TMP2 $CUR $TMP1 | \
777				    sed -e '/^c/d' | \
778				    sort -k11 | \
779				    sed -e 's/[	 ][	 ]*/ /g' | \
780				    uniq -u > $OUTPUT
781				if [ -s $OUTPUT ] ; then
782					printf "Block device changes:\n" >> $ERR
783					column -t $OUTPUT >> $ERR
784					printf "\n" >> $ERR
785				fi
786
787				backup_file update $TMP1 $CUR $BACK
788			fi
789		else
790			printf "Device additions:\n" >> $ERR
791			column -t $TMP1 >> $ERR
792			printf "\n" >> $ERR
793			backup_file add $TMP1 $CUR $BACK >> $ERR
794		fi
795	fi
796	if [ -s $ERR ] ; then
797		printf "\nChecking setuid files and devices:\n"
798		cat $ERR
799		printf "\n"
800	fi
801fi
802
803# Check special files.
804# Check system binaries.
805#
806# Create the mtree tree specifications using:
807#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
808#	chown root:wheel DIR.secure
809#	chmod u+r,go= DIR.secure
810#
811# Note, this is not complete protection against Trojan horsed binaries, as
812# the hacker can modify the tree specification to match the replaced binary.
813# For details on really protecting yourself against modified binaries, see
814# the mtree(8) manual page.
815#
816if checkyesno check_mtree; then
817	if checkyesno check_mtree_follow_symlinks; then
818		check_mtree_flags="-L"
819	else
820		check_mtree_flags=""
821	fi
822	mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
823		grep -v '^mtree: dev/tty: Device not configured$' >&2
824	if [ -s $OUTPUT ]; then
825		printf "\nChecking special files and directories.\n"
826		cat $OUTPUT
827	fi
828
829	for file in /etc/mtree/*.secure; do
830		[ $file = '/etc/mtree/*.secure' ] && continue
831		tree=`sed -n -e '3s/.* //p' -e 3q $file`
832		mtree $check_mtree_flags -f $file -p $tree > $TMP1
833		if [ -s $TMP1 ]; then
834			printf "\nChecking $tree:\n"
835			cat $TMP1
836		fi
837	done > $OUTPUT
838	if [ -s $OUTPUT ]; then
839		printf "\nChecking system binaries:\n"
840		cat $OUTPUT
841	fi
842fi
843
844# Backup disklabels of available disks
845#
846if checkyesno check_disklabels; then
847		# migrate old disklabels
848	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
849	    $backup_dir/disklabel.* 2>/dev/null`; do
850		migrate_file "$file" "$work_dir/${file##*/}"
851	done
852
853		# generate list of old disklabels, fdisks & wedges and remove them
854	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
855	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
856	xargs rm < $LABELS
857
858		# generate disklabels of all disks excluding:	cd dk fd md st
859	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'`
860	for i in $disks; do
861		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
862	done
863
864		# if fdisk is available, generate fdisks for:	ed ld sd wd
865	if [ -x /sbin/fdisk ]; then
866		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
867		for i in $disks; do
868			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
869		done
870	fi
871
872		# if dkctl is available, generate dkctl listwedges for:	ed ld sd wd cgd ofdisk ra rl raid
873	if [ -x /sbin/dkctl ]; then
874		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'`
875		for i in $disks; do
876			/sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null
877		done
878	fi
879
880		# append list of new disklabels, fdisks and wedges
881	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
882	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
883	CHANGELIST="$LABELS $CHANGELIST"
884fi
885
886# Check for changes in the list of installed pkgs
887#
888if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
889	pkgs=$work_dir/pkgs
890	migrate_file "$backup_dir/pkgs" "$pkgs"
891	(	cd $pkgdb_dir
892		$pkg_info | sort
893		echo ""
894		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
895			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
896	 ) > $pkgs
897	echo "$pkgs" > $PKGS
898	CHANGELIST="$PKGS $CHANGELIST"
899fi
900
901# List of files that get backed up and checked for any modifications.
902# Any changes cause the files to rotate.
903#
904if checkyesno check_changelist ; then
905	mtree -D -k type -f $SPECIALSPEC -E exclude |
906	    sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
907
908	(
909		# Add other files which might dynamically exist:
910		#	/etc/ifconfig.*
911		#	/etc/raid*.conf
912		#	/etc/rc.d/*
913		#	/etc/rc.conf.d/*
914		#
915		echo "/etc/ifconfig.*"
916		echo "/etc/raid*.conf"
917		echo "/etc/rc.d/*"
918		echo "/etc/rc.conf.d/*"
919
920		# Add /etc/changelist
921		#
922		if [ -s /etc/changelist ]; then
923			grep -v '^#' /etc/changelist
924		fi
925	) | while read file; do
926		case "$file" in
927		*[\*\?\[]*)	# If changelist line is a glob ...
928				# ... expand possible backup files
929				#
930			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
931			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
932				
933				# ... expand possible files
934				#
935			ls -1d $(echo $file) 2>/dev/null
936			;;
937		*)
938				# Otherwise, just print the filename
939			echo $file
940			;;
941		esac
942	done >> $CHANGEFILES
943	CHANGELIST="$CHANGEFILES $CHANGELIST"
944fi
945
946# Special case backups, including the master password file and
947# ssh private host keys. The normal backup mechanisms for
948# $check_changelist (see below) also print out the actual file
949# differences and we don't want to do that for these files
950#
951echo $MP > $TMP1			# always add /etc/master.passwd
952mtree -D -k type -f $SPECIALSPEC -I nodiff |
953    sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
954grep -v '^$' $TMP1 | sort -u > $TMP2
955
956while read file; do
957	backup_and_diff "$file" no
958done < $TMP2
959
960
961if [ -n "$CHANGELIST" ]; then
962	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
963	comm -23 $TMP1 $TMP2 | while read file; do
964		backup_and_diff "$file" yes
965	done
966fi
967
968if [ -f /etc/security.local ]; then
969	. /etc/security.local > $OUTPUT 2>&1
970	if [ -s $OUTPUT ] ; then
971		printf "\nRunning /etc/security.local:\n"
972		cat $OUTPUT
973	fi
974fi
975