security revision 1.105.4.2 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.105.4.2 2007/11/23 15:51:28 dholland Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9rcvar_manpage='security.conf(5)'
10
11if [ -f /etc/rc.subr ]; then
12	. /etc/rc.subr
13else
14	echo "Can't read /etc/rc.subr; aborting."
15	exit 1;
16fi
17
18umask 077
19TZ=UTC; export TZ
20
21if [ -s /etc/security.conf ]; then
22	. /etc/security.conf
23fi
24
25# Set reasonable defaults (if they're not set in security.conf)
26#
27backup_dir=${backup_dir:-/var/backups}
28pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29max_loginlen=${max_loginlen:-8}
30max_grouplen=${max_grouplen:-8}
31pkg_info=${pkg_info:-/usr/sbin/pkg_info}
32
33# Other configurable variables
34#
35special_files="/etc/mtree/special /etc/mtree/special.local"
36MP=/etc/master.passwd
37CHANGELIST=""
38work_dir=$backup_dir/work
39
40if [ ! -d "$work_dir" ]; then
41	mkdir -p "$work_dir"
42fi
43
44SECUREDIR=$(mktemp -d -t _securedir) || exit 1
45
46trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
47
48if ! cd "$SECUREDIR"; then
49	echo "Can not cd to $SECUREDIR".
50	exit 1
51fi
52
53ERR=err.$$
54TMP1=tmp1.$$
55TMP2=tmp2.$$
56MPBYUID=mpbyuid.$$
57MPBYPATH=mpbypath.$$
58LIST=list.$$
59OUTPUT=output.$$
60LABELS=labels.$$
61PKGS=pkgs.$$
62CHANGEFILES=changefiles.$$
63SPECIALSPEC=specialspec.$$
64
65
66# migrate_file old new
67#	Determine if the "${old}" path name needs to be migrated to the
68#	"${new}" path. Also checks if "${old}.current" needs migrating,
69#	and if so, migrate it and possibly "${old}.current,v" and
70#	"${old}.backup".
71#
72migrate_file()
73{
74	_old=$1
75	_new=$2
76	if [ -z "$_old" -o -z "$_new" ]; then
77		err 3 "USAGE: migrate_file old new"
78	fi
79	if [ ! -d "${_new%/*}" ]; then
80		mkdir -p "${_new%/*}"
81	fi
82	if [ -f "${_old}" -a ! -f "${_new}" ]; then
83		echo "==> migrating ${_old}"
84		echo "           to ${_new}"
85		mv "${_old}" "${_new}"
86	fi
87	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
88		echo "==> migrating ${_old}.current"
89		echo "           to ${_new}.current"
90		mv "${_old}.current" "${_new}.current"
91		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
92			echo "==> migrating ${_old}.current,v"
93			echo "           to ${_new}.current,v"
94			mv "${_old}.current,v" "${_new}.current,v"
95		fi
96		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
97			echo "==> migrating ${_old}.backup"
98			echo "           to ${_new}.backup"
99			mv "${_old}.backup" "${_new}.backup"
100		fi
101	fi
102}
103
104
105# backup_and_diff file printdiff
106#	Determine if file needs backing up, and if so, do it.
107#	If printdiff is yes, display the diffs, otherwise 
108#	just print a message saying "[changes omitted]".
109#
110backup_and_diff()
111{
112	_file=$1
113	_printdiff=$2
114	if [ -z "$_file" -o -z "$_printdiff" ]; then
115		err 3 "USAGE: backup_and_diff file printdiff"
116	fi
117	! checkyesno _printdiff
118	_printdiff=$?
119
120	_old=$backup_dir/${_file##*/}
121	case "$_file" in
122	$work_dir/*)
123		_new=$_file
124		migrate_file "$backup_dir/$_old" "$_new"
125		migrate_file "$_old" "$_new"
126		;;
127	*)
128		_new=$backup_dir/$_file
129		migrate_file "$_old" "$_new"
130		;;
131	esac
132	CUR=${_new}.current
133	BACK=${_new}.backup
134	if [ -f $_file ]; then
135		if [ -f $CUR ] ; then
136			if [ "$_printdiff" -ne 0 ]; then
137				diff ${diff_options} $CUR $_file > $OUTPUT
138			else
139				if ! cmp -s $CUR $_file; then
140					echo "[changes omitted]"
141				fi > $OUTPUT
142			fi
143			if [ -s $OUTPUT ] ; then
144				printf \
145			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
146				cat $OUTPUT
147				backup_file update $_file $CUR $BACK
148			fi
149		else
150			printf "\n======\n%s added\n======\n" $_file
151			if [ "$_printdiff" -ne 0 ]; then
152				diff ${diff_options} /dev/null $_file
153			else
154				echo "[changes omitted]"
155			fi
156			backup_file add $_file $CUR $BACK
157		fi
158	else
159		if [ -f $CUR ]; then
160			printf "\n======\n%s removed\n======\n" $_file
161			if [ "$_printdiff" -ne 0 ]; then
162				diff ${diff_options} $CUR /dev/null
163			else
164				echo "[changes omitted]"
165			fi
166			backup_file remove $_file $CUR $BACK
167		fi
168	fi
169}
170
171
172# These are used several times.
173#
174awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
175awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
176for file in $special_files; do
177	[ -s $file ] && cat $file
178done | mtree -CM -k all > $SPECIALSPEC || exit 1
179
180
181# Check the master password file syntax.
182#
183if checkyesno check_passwd; then
184        # XXX: the sense of permit_star is reversed; the code works as
185        # implemented, but usage needs to be negated.
186	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
187	checkyesno check_passwd_permit_nonalpha \
188		 && permit_nonalpha=1 || permit_nonalpha=0
189
190	awk -v "len=$max_loginlen" \
191	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
192	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
193	    -v "permit_star=$permit_star" \
194	    -v "permit_nonalpha=$permit_nonalpha" \
195	'
196	BEGIN {
197		while ( getline < "/etc/shells" > 0 ) {
198			if ($0 ~ /^\#/ || $0 ~ /^$/ )
199				continue;
200			shells[$1]++;
201		}
202		split(nowarn_shells_list, a);
203		for (i in a) nowarn_shells[a[i]]++;
204		split(nowarn_users_list, a);
205		for (i in a) nowarn_users[a[i]]++;
206		uid0_users_list="root toor"
207		split(uid0_users_list, a);
208		for (i in a) uid0_users[a[i]]++;
209		FS=":";
210	}
211
212	{
213		if ($0 ~ /^[	 ]*$/) {
214			printf "Line %d is a blank line.\n", NR;
215			next;
216		}
217
218		# NIS compat entry?
219		compatline = $1 ~ "^[\\+-]";
220		if (compatline) {
221			if ($1 == "+" && NF == 1) {
222				next;
223			}
224			sub("^.", "", $1);
225		}
226		if (NF != 10)
227			printf "Line %d has the wrong number of fields.\n", NR;
228		if (compatline)  {
229			if ($3 == 0)
230			    printf "Line %d includes entries with uid 0.\n",
231			        NR;
232			if ($1 == "")
233			    next;
234		}
235		if (!permit_nonalpha &&
236		    $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
237			printf "Login %s has non-alphanumeric characters.\n",
238			    $1;
239		if (length($1) > len)
240			printf "Login %s has more than "len" characters.\n",
241			    $1;
242		if ($2 == "" && !compatline && !nowarn_users[$1])
243			    printf "Login %s has no password.\n", $1;
244		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
245		    if (length($2) != 13 &&
246		    	length($2) != 20 &&
247		    	$2 !~ /^\$1/ &&
248		    	$2 !~ /^\$2/ &&
249			$2 !~ /^\$sha1/ &&
250		    	$2 != "" &&
251			(permit_star || $2 != "*") &&
252		    	$2 !~ /^\*[A-z-]+$/ &&
253			$1 != "toor") {
254		    	    if ($10 == "" || shells[$10])
255				printf "Login %s is off but still has "\
256				  "a valid shell (%s)\n", $1, $10;
257		    } else if (compatline && $10 == "") {
258			    # nothing
259		    } else if (! shells[$10])
260		    	    printf "Login %s does not have a valid "\
261			    "shell (%s)\n", $1, $10;
262		}
263		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
264			printf "Login %s has a user id of 0.\n", $1;
265		if ($3 != "" && $3 < 0)
266			printf "Login %s has a negative user id.\n", $1;
267		if ($4 != "" && $4 < 0)
268			printf "Login %s has a negative group id.\n", $1;
269	}' < $MP > $OUTPUT
270	if [ -s $OUTPUT ] ; then
271		printf "\nChecking the $MP file:\n"
272		cat $OUTPUT
273	fi
274
275	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
276	if [ -s $OUTPUT ] ; then
277		printf "\n$MP has duplicate user names.\n"
278		column $OUTPUT
279	fi
280
281# To not exclude 'toor', a standard duplicate root account, from the duplicate
282# account test, uncomment the line below (without egrep in it)and comment
283# out the line (with egrep in it) below it.
284#
285#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
286	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
287	if [ -s $TMP2 ] ; then
288		printf "\n$MP has duplicate user id's.\n"
289		while read uid; do
290			grep -w $uid $MPBYUID
291		done < $TMP2 | column
292	fi
293fi
294
295# Check the group file syntax.
296#
297if checkyesno check_group; then
298	GRP=/etc/group
299	awk -F: -v "len=$max_grouplen" '{
300		if ($0 ~ /^[	 ]*$/) {
301			printf "Line %d is a blank line.\n", NR;
302			next;
303		}
304		if (NF != 4 && ($1 != "+" || NF != 1))
305			printf "Line %d has the wrong number of fields.\n", NR;
306		if ($1 == "+" )  {
307			next;
308		}
309		if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
310			printf "Group %s has non-alphanumeric characters.\n",
311			    $1;
312		if (length($1) > len)
313			printf "Group %s has more than "len" characters.\n", $1;
314		if ($3 !~ /[0-9]*/)
315			printf "Login %s has a negative group id.\n", $1;
316	}' < $GRP > $OUTPUT
317	if [ -s $OUTPUT ] ; then
318		printf "\nChecking the $GRP file:\n"
319		cat $OUTPUT
320	fi
321
322	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
323	if [ -s $OUTPUT ] ; then
324		printf "\n$GRP has duplicate group names.\n"
325		column $OUTPUT
326	fi
327fi
328
329# Check for root paths, umask values in startup files.
330# The check for the root paths is problematical -- it's likely to fail
331# in other environments.  Once the shells have been modified to warn
332# of '.' in the path, the path tests should go away.
333#
334if checkyesno check_rootdotfiles; then
335	rhome=~root
336	umaskset=no
337	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
338	for i in $list ; do
339		if [ -f $i ] ; then
340			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
341			then
342				umaskset=yes
343			fi
344			# Double check the umask value itself; ensure that
345			# both the group and other write bits are set.
346			#
347			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
348			awk '{
349				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
350					print "\tRoot umask is group writable"
351				}
352				if ($2 ~ /[^2367]$/) {
353					print "\tRoot umask is other writable"
354			    	}
355			    }' | sort -u
356			SAVE_PATH=$PATH
357			unset PATH
358			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
359				source $i
360				/bin/ls -ldgT \$path > $TMP1
361end-of-csh
362			export PATH=$SAVE_PATH
363			awk '{
364				if ($10 ~ /^\.$/) {
365					print "\tThe root path includes .";
366					next;
367				}
368			     }
369			     $1 ~ /^d....w/ \
370		{ print "\tRoot path directory " $10 " is group writable." } \
371			     $1 ~ /^d.......w/ \
372		{ print "\tRoot path directory " $10 " is other writable." }' \
373			< $TMP1
374		fi
375	done > $OUTPUT
376	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
377		printf "\nChecking root csh paths, umask values:\n$list\n\n"
378		if [ -s $OUTPUT ]; then
379			cat $OUTPUT
380		fi
381		if [ $umaskset = "no" ] ; then
382		    printf "\tRoot csh startup files do not set the umask.\n"
383		fi
384	fi
385
386	umaskset=no
387	list="/etc/profile ${rhome}/.profile"
388	for i in $list; do
389		if [ -f $i ] ; then
390			if egrep umask $i > /dev/null ; then
391				umaskset=yes
392			fi
393			egrep umask $i |
394			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
395				{ print "\tRoot umask is group writable" } \
396			     $2 ~ /[^2367]$/ \
397				{ print "\tRoot umask is other writable" }'
398			SAVE_PATH=$PATH
399			unset PATH
400			/bin/sh << end-of-sh > /dev/null 2>&1
401				. $i
402				list=\`echo \$PATH | /usr/bin/sed -e \
403				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
404				/bin/ls -ldgT \$list > $TMP1
405end-of-sh
406			export PATH=$SAVE_PATH
407			awk '{
408				if ($10 ~ /^\.$/) {
409					print "\tThe root path includes .";
410					next;
411				}
412			     }
413			     $1 ~ /^d....w/ \
414		{ print "\tRoot path directory " $10 " is group writable." } \
415			     $1 ~ /^d.......w/ \
416		{ print "\tRoot path directory " $10 " is other writable." }' \
417			< $TMP1
418
419		fi
420	done > $OUTPUT
421	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
422		printf "\nChecking root sh paths, umask values:\n$list\n"
423		if [ -s $OUTPUT ]; then
424			cat $OUTPUT
425		fi
426		if [ $umaskset = "no" ] ; then
427			printf "\tRoot sh startup files do not set the umask.\n"
428		fi
429	fi
430fi
431
432# Root and uucp should both be in /etc/ftpusers.
433#
434if checkyesno check_ftpusers; then
435	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
436	for i in $list; do
437		if /usr/libexec/ftpd -C $i ; then
438			printf "\t$i is not denied\n"
439		fi
440	done > $OUTPUT
441	if [ -s $OUTPUT ]; then
442		printf "\nChecking the /etc/ftpusers configuration:\n"
443		cat $OUTPUT
444	fi
445fi
446
447# Uudecode should not be in the /etc/mail/aliases file.
448#
449if checkyesno check_aliases; then
450	for f in /etc/mail/aliases /etc/aliases; do
451		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
452			printf "\nEntry for uudecode in $f file.\n"
453		fi
454	done
455fi
456
457# Files that should not have + signs.
458#
459if checkyesno check_rhosts; then
460	list="/etc/hosts.equiv /etc/hosts.lpd"
461	for f in $list ; do
462		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
463			printf "\nPlus sign in $f file.\n"
464		fi
465	done
466
467	# Check for special users with .rhosts files.  Only root and toor should
468	# have .rhosts files.  Also, .rhosts files should not have plus signs.
469	awk -F: '$1 != "root" && $1 != "toor" && \
470		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
471			{ print $1 " " $9 }' $MP |
472	sort -k2 |
473	while read uid homedir; do
474		if [ -f ${homedir}/.rhosts ] ; then
475			rhost=`ls -ldgT ${homedir}/.rhosts`
476			printf -- "$uid: $rhost\n"
477		fi
478	done > $OUTPUT
479	if [ -s $OUTPUT ] ; then
480		printf "\nChecking for special users with .rhosts files.\n"
481		cat $OUTPUT
482	fi
483
484	while read uid homedir; do
485		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
486		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
487			printf -- "$uid: + in .rhosts file.\n"
488		fi
489	done < $MPBYPATH > $OUTPUT
490	if [ -s $OUTPUT ] ; then
491		printf "\nChecking .rhosts files syntax.\n"
492		cat $OUTPUT
493	fi
494fi
495
496# Check home directories.  Directories should not be owned by someone else
497# or writable.
498#
499if checkyesno check_homes; then
500	checkyesno check_homes_permit_usergroups && \
501		permit_usergroups=1 || permit_usergroups=0
502	while read uid homedir; do
503		if [ -d ${homedir}/ ] ; then
504			file=`ls -ldgT ${homedir}`
505			printf -- "$uid $file\n"
506		fi
507	done < $MPBYPATH |
508	awk -v "usergroups=$permit_usergroups" '
509	     $1 != $4 && $4 != "root" \
510		{ print "user " $1 " home directory is owned by " $4 }
511	     $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
512		{ print "user " $1 " home directory is group writable" }
513	     $2 ~ /^d.......w/ \
514		{ print "user " $1 " home directory is other writable" }' \
515	    > $OUTPUT
516	if [ -s $OUTPUT ] ; then
517		printf "\nChecking home directories.\n"
518		cat $OUTPUT
519	fi
520
521	# Files that should not be owned by someone else or readable.
522	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
523	while read uid homedir; do
524		for f in $list ; do
525			file=${homedir}/${f}
526			if [ -f $file ] ; then
527				printf -- "$uid $f `ls -ldgT $file`\n"
528			fi
529		done
530	done < $MPBYPATH |
531	awk  -v "usergroups=$permit_usergroups" '
532	     $1 != $5 && $5 != "root" \
533		{ print "user " $1 " " $2 " file is owned by " $5 }
534	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
535		{ print "user " $1 " " $2 " file is group readable" }
536	     $3 ~ /^-......r/ \
537		{ print "user " $1 " " $2 " file is other readable" }
538	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
539		{ print "user " $1 " " $2 " file is group writable" }
540	     $3 ~ /^-.......w/ \
541		{ print "user " $1 " " $2 " file is other writable" }' \
542	    > $OUTPUT
543
544	# Files that should not be owned by someone else or writable.
545	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
546	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
547	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
548	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
549	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
550	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
551	      .ssh/known_hosts2"
552	while read uid homedir; do
553		for f in $list ; do
554			file=${homedir}/${f}
555			if [ -f $file ] ; then
556				printf -- "$uid $f `ls -ldgT $file`\n"
557			fi
558		done
559	done < $MPBYPATH |
560	awk -v "usergroups=$permit_usergroups" '
561	     $1 != $5 && $5 != "root" \
562		{ print "user " $1 " " $2 " file is owned by " $5 }
563	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
564		{ print "user " $1 " " $2 " file is group writable" }
565	     $3 ~ /^-.......w/ \
566		{ print "user " $1 " " $2 " file is other writable" }' \
567	    >> $OUTPUT
568	if [ -s $OUTPUT ] ; then
569		printf "\nChecking dot files.\n"
570		cat $OUTPUT
571	fi
572fi
573
574# Mailboxes should be owned by user and unreadable.
575#
576if checkyesno check_varmail; then
577	ls -lA /var/mail | \
578	awk '	NR == 1 { next; }
579		$9 ~ /^\./ {next; }
580	    	$3 != $9 {
581			print "user " $9 " mailbox is owned by " $3
582		}
583		$1 != "-rw-------" {
584			print "user " $9 " mailbox is " $1 ", group " $4
585		}' > $OUTPUT
586	if [ -s $OUTPUT ] ; then
587		printf "\nChecking mailbox ownership.\n"
588		cat $OUTPUT
589	fi
590fi
591
592# NFS exports shouldn't be globally exported
593#
594if checkyesno check_nfs && [ -f /etc/exports ]; then
595	awk '{
596		# ignore comments and blank lines
597		if ($0 ~ /^\#/ || $0 ~ /^$/ )
598			next;
599		# manage line continuation
600		while ($NF ~ /^\\$/) {
601			$NF = "";
602			line = $0 "";
603			getline;
604			$0 = line $0 "";
605		}
606
607		delete dir;
608		readonly = ndir = 0;
609		for (i = 1; i <= NF; ++i) {
610			if ($i ~ /^\//) dir[ndir++] = $i;
611			else if ($i ~ /^-/) {
612				if ($i ~ /^-(ro|o)$/) readonly = 1;
613				if ($i ~ /^-network/) next;
614			}
615			else next;
616		}
617		if (readonly)
618			for (item in dir)
619				rodir[nrodir++] = dir[item];
620		else
621			for (item in dir)
622				rwdir[nrwdir++] = dir[item];
623
624	}
625
626	END {
627		if (nrodir) {
628			printf("Globally exported file system%s, read-only:\n",
629				nrodir > 1 ? "s" : "");
630			for (item in rodir)
631				printf("\t%s\n", rodir[item]);
632		}
633		if (nrwdir) {
634			printf("Globally exported file system%s, read-write:\n",
635				nrwdir > 1 ? "s" : "");
636			for (item in rwdir)
637				printf("\t%s\n", rwdir[item]);
638		}
639	}' < /etc/exports > $OUTPUT
640	if [ -s $OUTPUT ] ; then
641		printf "\nChecking for globally exported file systems.\n"
642		cat $OUTPUT
643	fi
644fi
645
646# Display any changes in setuid files and devices.
647#
648if checkyesno check_devices; then
649	> $ERR
650	(
651
652	# Convert check_devices_ignore_fstypes="foo !bar bax"
653	#    into "-fstype foo -o ! -fstype bar -o -fstype bax"
654	# and check_devices_ignore_paths="/foo !/bar /bax"
655	#    into " -path /foo -o ! -path /bar -o -path /bax"
656	#
657	ignexpr=$(\
658	    echo $check_devices_ignore_fstypes | \
659		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
660	    echo $check_devices_ignore_paths | \
661		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
662	)
663
664	# Massage the expression into ( $ignexpr ) -a -prune -o
665	if [ -n "${ignexpr}" ]; then
666		ignexpr=$(\
667			echo $ignexpr | \
668			    sed -e 's/^-o /( /' \
669				-e 's/$/ ) -a -prune -o/' \
670		)
671	fi
672
673	find / $ignexpr \
674	    \( \( -perm -u+s -a ! -type d \) -o \
675	       \( -perm -g+s -a ! -type d \) -o \
676	       -type b -o -type c \) -print0 | \
677	xargs -0 ls -ldgTq | sort +9 > $LIST
678
679	) 2> $OUTPUT
680
681	# Display any errors that occurred during system file walk.
682	if [ -s $OUTPUT ] ; then
683		printf "Setuid/device find errors:\n" >> $ERR
684		cat $OUTPUT >> $ERR
685		printf "\n" >> $ERR
686	fi
687
688	# Display any changes in the setuid file list.
689	egrep -v '^[bc]' $LIST > $TMP1
690	if [ -s $TMP1 ] ; then
691		# Check to make sure uudecode isn't setuid.
692		if grep -w uudecode $TMP1 > /dev/null ; then
693			printf "\nUudecode is setuid.\n" >> $ERR
694		fi
695
696		file=$work_dir/setuid
697		migrate_file "$backup_dir/setuid" "$file"
698		CUR=${file}.current
699		BACK=${file}.backup
700		if [ -s $CUR ] ; then
701			if cmp -s $CUR $TMP1 ; then
702				:
703			else
704				> $TMP2
705				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
706				if [ -s $OUTPUT ] ; then
707					printf "Setuid additions:\n" >> $ERR
708					tee -a $TMP2 < $OUTPUT >> $ERR
709					printf "\n" >> $ERR
710				fi
711
712				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
713				if [ -s $OUTPUT ] ; then
714					printf "Setuid deletions:\n" >> $ERR
715					tee -a $TMP2 < $OUTPUT >> $ERR
716					printf "\n" >> $ERR
717				fi
718
719				sort -k10 $TMP2 $CUR $TMP1 | \
720				    sed -e 's/[	 ][	 ]*/ /g' | \
721				    uniq -u > $OUTPUT
722				if [ -s $OUTPUT ] ; then
723					printf "Setuid changes:\n" >> $ERR
724					column -t $OUTPUT >> $ERR
725					printf "\n" >> $ERR
726				fi
727
728				backup_file update $TMP1 $CUR $BACK
729			fi
730		else
731			printf "Setuid additions:\n" >> $ERR
732			column -t $TMP1 >> $ERR
733			printf "\n" >> $ERR
734			backup_file add $TMP1 $CUR $BACK
735		fi
736	fi
737
738	# Check for block and character disk devices that are readable or
739	# writable or not owned by root.operator.
740	>$TMP1
741	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
742	    sd se ss uk up vnd wd xd xy"
743#	DISKLIST="$DISKLIST ct mt st wt"
744	for i in $DISKLIST; do
745		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
746		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
747	done
748
749	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
750		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
751		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
752	if [ -s $OUTPUT ] ; then
753		printf "\nChecking disk ownership and permissions.\n" >> $ERR
754		cat $OUTPUT >> $ERR
755		printf "\n" >> $ERR
756	fi
757
758	# Display any changes in the device file list.
759	egrep '^[bc]' $LIST | sort -k11 > $TMP1
760	if [ -s $TMP1 ] ; then
761		file=$work_dir/device
762		migrate_file "$backup_dir/device" "$file"
763		CUR=${file}.current
764		BACK=${file}.backup
765
766		if [ -s $CUR ] ; then
767			if cmp -s $CUR $TMP1 ; then
768				:
769			else
770				> $TMP2
771				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
772				if [ -s $OUTPUT ] ; then
773					printf "Device additions:\n" >> $ERR
774					tee -a $TMP2 < $OUTPUT >> $ERR
775					printf "\n" >> $ERR
776				fi
777
778				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
779				if [ -s $OUTPUT ] ; then
780					printf "Device deletions:\n" >> $ERR
781					tee -a $TMP2 < $OUTPUT >> $ERR
782					printf "\n" >> $ERR
783				fi
784
785				# Report any block device change. Ignore
786				# character devices, only the name is
787				# significant.
788				cat $TMP2 $CUR $TMP1 | \
789				    sed -e '/^c/d' | \
790				    sort -k11 | \
791				    sed -e 's/[	 ][	 ]*/ /g' | \
792				    uniq -u > $OUTPUT
793				if [ -s $OUTPUT ] ; then
794					printf "Block device changes:\n" >> $ERR
795					column -t $OUTPUT >> $ERR
796					printf "\n" >> $ERR
797				fi
798
799				backup_file update $TMP1 $CUR $BACK
800			fi
801		else
802			printf "Device additions:\n" >> $ERR
803			column -t $TMP1 >> $ERR
804			printf "\n" >> $ERR
805			backup_file add $TMP1 $CUR $BACK >> $ERR
806		fi
807	fi
808	if [ -s $ERR ] ; then
809		printf "\nChecking setuid files and devices:\n"
810		cat $ERR
811		printf "\n"
812	fi
813fi
814
815# Check special files.
816# Check system binaries.
817#
818# Create the mtree tree specifications using:
819#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
820#	chown root:wheel DIR.secure
821#	chmod u+r,go= DIR.secure
822#
823# Note, this is not complete protection against Trojan horsed binaries, as
824# the hacker can modify the tree specification to match the replaced binary.
825# For details on really protecting yourself against modified binaries, see
826# the mtree(8) manual page.
827#
828if checkyesno check_mtree; then
829	if checkyesno check_mtree_follow_symlinks; then
830		check_mtree_flags="-L"
831	else
832		check_mtree_flags=""
833	fi
834	mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
835		grep -v '^mtree: dev/tty: Device not configured$' >&2
836	if [ -s $OUTPUT ]; then
837		printf "\nChecking special files and directories.\n"
838		cat $OUTPUT
839	fi
840
841	for file in /etc/mtree/*.secure; do
842		[ $file = '/etc/mtree/*.secure' ] && continue
843		tree=`sed -n -e '3s/.* //p' -e 3q $file`
844		mtree $check_mtree_flags -f $file -p $tree > $TMP1
845		if [ -s $TMP1 ]; then
846			printf "\nChecking $tree:\n"
847			cat $TMP1
848		fi
849	done > $OUTPUT
850	if [ -s $OUTPUT ]; then
851		printf "\nChecking system binaries:\n"
852		cat $OUTPUT
853	fi
854fi
855
856# Backup disklabels of available disks
857#
858if checkyesno check_disklabels; then
859		# migrate old disklabels
860	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
861	    $backup_dir/disklabel.* 2>/dev/null`; do
862		migrate_file "$file" "$work_dir/${file##*/}"
863	done
864
865		# generate list of old disklabels, fdisks & wedges and remove them
866	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
867	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
868	xargs rm < $LABELS
869
870		# generate disklabels of all disks excluding:	cd dk fd md st
871	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'`
872	for i in $disks; do
873		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
874	done
875
876		# if fdisk is available, generate fdisks for:	ed ld sd wd
877	if [ -x /sbin/fdisk ]; then
878		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
879		for i in $disks; do
880			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
881		done
882	fi
883
884		# if dkctl is available, generate dkctl listwedges for:	ed ld sd wd cgd ofdisk ra rl raid
885	if [ -x /sbin/dkctl ]; then
886		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'`
887		for i in $disks; do
888			/sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null
889		done
890	fi
891
892		# append list of new disklabels, fdisks and wedges
893	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
894	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
895	CHANGELIST="$LABELS $CHANGELIST"
896fi
897
898# Check for changes in the list of installed pkgs
899#
900if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
901	pkgs=$work_dir/pkgs
902	migrate_file "$backup_dir/pkgs" "$pkgs"
903	(	cd $pkgdb_dir
904		$pkg_info | sort
905		echo ""
906		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
907			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
908	 ) > $pkgs
909	echo "$pkgs" > $PKGS
910	CHANGELIST="$PKGS $CHANGELIST"
911fi
912
913# List of files that get backed up and checked for any modifications.
914# Any changes cause the files to rotate.
915#
916if checkyesno check_changelist ; then
917	mtree -D -k type -f $SPECIALSPEC -E exclude |
918	    sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
919
920	(
921		# Add other files which might dynamically exist:
922		#	/etc/ifconfig.*
923		#	/etc/raid*.conf
924		#	/etc/rc.d/*
925		#	/etc/rc.conf.d/*
926		#
927		echo "/etc/ifconfig.*"
928		echo "/etc/raid*.conf"
929		echo "/etc/rc.d/*"
930		echo "/etc/rc.conf.d/*"
931
932		# Add /etc/changelist
933		#
934		if [ -s /etc/changelist ]; then
935			grep -v '^#' /etc/changelist
936		fi
937	) | while read file; do
938		case "$file" in
939		*[\*\?\[]*)	# If changelist line is a glob ...
940				# ... expand possible backup files
941				#
942			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
943			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
944				
945				# ... expand possible files
946				#
947			ls -1d $(echo $file) 2>/dev/null
948			;;
949		*)
950				# Otherwise, just print the filename
951			echo $file
952			;;
953		esac
954	done >> $CHANGEFILES
955	CHANGELIST="$CHANGEFILES $CHANGELIST"
956fi
957
958# Special case backups, including the master password file and
959# ssh private host keys. The normal backup mechanisms for
960# $check_changelist (see below) also print out the actual file
961# differences and we don't want to do that for these files
962#
963echo $MP > $TMP1			# always add /etc/master.passwd
964mtree -D -k type -f $SPECIALSPEC -I nodiff |
965    sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
966grep -v '^$' $TMP1 | sort -u > $TMP2
967
968while read file; do
969	backup_and_diff "$file" no
970done < $TMP2
971
972
973if [ -n "$CHANGELIST" ]; then
974	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
975	comm -23 $TMP1 $TMP2 | while read file; do
976		backup_and_diff "$file" yes
977	done
978fi
979
980if [ -f /etc/security.local ]; then
981	. /etc/security.local > $OUTPUT 2>&1
982	if [ -s $OUTPUT ] ; then
983		printf "\nRunning /etc/security.local:\n"
984		cat $OUTPUT
985	fi
986fi
987