security revision 1.88.2.1 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.88.2.1 2007/05/27 21:26:12 bouyer Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9if [ -f /etc/rc.subr ]; then
10	. /etc/rc.subr
11else
12	echo "Can't read /etc/rc.subr; aborting."
13	exit 1;
14fi
15
16umask 077
17TZ=UTC; export TZ
18
19if [ -s /etc/security.conf ]; then
20	. /etc/security.conf
21fi
22
23# Set reasonable defaults (if they're not set in security.conf)
24#
25backup_dir=${backup_dir:-/var/backups}
26pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
27max_loginlen=${max_loginlen:-8}
28max_grouplen=${max_grouplen:-8}
29
30# Other configurable variables
31#
32special_files="/etc/mtree/special /etc/mtree/special.local"
33MP=/etc/master.passwd
34CHANGELIST=""
35work_dir=$backup_dir/work
36
37if [ ! -d "$work_dir" ]; then
38	mkdir -p "$work_dir"
39fi
40
41SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
42
43trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
44
45if ! cd "$SECUREDIR"; then
46	echo "Can not cd to $SECUREDIR".
47	exit 1
48fi
49
50ERR=secure1.$$
51TMP1=secure2.$$
52TMP2=secure3.$$
53MPBYUID=secure4.$$
54MPBYPATH=secure5.$$
55LIST=secure6.$$
56OUTPUT=secure7.$$
57LABELS=secure8.$$
58PKGS=secure9.$$
59CHANGEFILES=secure10.$$
60
61
62# migrate_file old new
63#	Determine if the "${old}" path name needs to be migrated to the
64#	"${new}" path. Also checks if "${old}.current" needs migrating,
65#	and if so, migrate it and possibly "${old}.current,v" and
66#	"${old}.backup".
67#
68migrate_file()
69{
70	_old=$1
71	_new=$2
72	if [ -z "$_old" -o -z "$_new" ]; then
73		err 3 "USAGE: migrate_file old new"
74	fi
75	if [ ! -d "${_new%/*}" ]; then
76		mkdir -p "${_new%/*}"
77	fi
78	if [ -f "${_old}" -a ! -f "${_new}" ]; then
79		echo "==> migrating ${_old}"
80		echo "           to ${_new}"
81		mv "${_old}" "${_new}"
82	fi
83	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
84		echo "==> migrating ${_old}.current"
85		echo "           to ${_new}.current"
86		mv "${_old}.current" "${_new}.current"
87		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
88			echo "==> migrating ${_old}.current,v"
89			echo "           to ${_new}.current,v"
90			mv "${_old}.current,v" "${_new}.current,v"
91		fi
92		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
93			echo "==> migrating ${_old}.backup"
94			echo "           to ${_new}.backup"
95			mv "${_old}.backup" "${_new}.backup"
96		fi
97	fi
98}
99
100
101# backup_and_diff file printdiff
102#	Determine if file needs backing up, and if so, do it.
103#	If printdiff is yes, display the diffs, otherwise 
104#	just print a message saying "[changes omitted]".
105#
106backup_and_diff()
107{
108	_file=$1
109	_printdiff=$2
110	if [ -z "$_file" -o -z "$_printdiff" ]; then
111		err 3 "USAGE: backup_and_diff file printdiff"
112	fi
113	! checkyesno _printdiff
114	_printdiff=$?
115
116	_old=$backup_dir/${_file##*/}
117	case "$_file" in
118	$work_dir/*)
119		_new=$_file
120		migrate_file "$backup_dir/$_old" "$_new"
121		migrate_file "$_old" "$_new"
122		;;
123	*)
124		_new=$backup_dir/$_file
125		migrate_file "$_old" "$_new"
126		;;
127	esac
128	CUR=${_new}.current
129	BACK=${_new}.backup
130	if [ -f $_file ]; then
131		if [ -f $CUR ] ; then
132			if [ "$_printdiff" -ne 0 ]; then
133				diff ${diff_options} $CUR $_file > $OUTPUT
134			else
135				if ! cmp -s $CUR $_file; then
136					echo "[changes omitted]"
137				fi > $OUTPUT
138			fi
139			if [ -s $OUTPUT ] ; then
140				printf \
141			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
142				cat $OUTPUT
143				backup_file update $_file $CUR $BACK
144			fi
145		else
146			printf "\n======\n%s added\n======\n" $_file
147			if [ "$_printdiff" -ne 0 ]; then
148				diff ${diff_options} /dev/null $_file
149			else
150				echo "[changes omitted]"
151			fi
152			backup_file add $_file $CUR $BACK
153		fi
154	else
155		if [ -f $CUR ]; then
156			printf "\n======\n%s removed\n======\n" $_file
157			if [ "$_printdiff" -ne 0 ]; then
158				diff ${diff_options} $CUR /dev/null
159			else
160				echo "[changes omitted]"
161			fi
162			backup_file remove $_file $CUR $BACK
163		fi
164	fi
165}
166
167
168# These are used several times.
169#
170awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
171awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
172
173
174# Check the master password file syntax.
175#
176if checkyesno check_passwd; then
177        # XXX: the sense of permit_star is reversed; the code works as
178        # implemented, but usage needs to be negated.
179	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
180	awk -v "len=$max_loginlen" \
181	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
182	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
183	    -v "permit_star=$permit_star" '
184	BEGIN {
185		while ( getline < "/etc/shells" > 0 ) {
186			if ($0 ~ /^\#/ || $0 ~ /^$/ )
187				continue;
188			shells[$1]++;
189		}
190		split(nowarn_shells_list, a);
191		for (i in a) nowarn_shells[a[i]]++;
192		split(nowarn_users_list, a);
193		for (i in a) nowarn_users[a[i]]++;
194		uid0_users_list="root toor"
195		split(uid0_users_list, a);
196		for (i in a) uid0_users[a[i]]++;
197		FS=":";
198	}
199
200	{
201		if ($0 ~ /^[	 ]*$/) {
202			printf "Line %d is a blank line.\n", NR;
203			next;
204		}
205		if (NF != 10 && ($1 != "+" || NF != 1))
206			printf "Line %d has the wrong number of fields.\n", NR;
207		if ($1 == "+" )  {
208			if (NF != 1 && $3 == 0)
209			    printf "Line %d includes entries with uid 0.\n",
210			        NR;
211			next;
212		}
213		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
214			printf "Login %s has non-alphanumeric characters.\n",
215			    $1;
216		if (length($1) > len)
217			printf "Login %s has more than "len" characters.\n",
218			    $1;
219		if ($2 == "" && !nowarn_users[$1])
220			    printf "Login %s has no password.\n", $1;
221		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
222		    if (length($2) != 13 &&
223		    	length($2) != 20 &&
224		    	$2 !~ /^\$1/ &&
225		    	$2 !~ /^\$2/ &&
226		    	$2 != "" &&
227			(permit_star || $2 != "*") &&
228		    	$2 !~ /^\*[A-z-]+$/ &&
229			$1 != "toor") {
230		    	    if ($10 == "" || shells[$10])
231				printf "Login %s is off but still has "\
232				  "a valid shell (%s)\n", $1, $10;
233		    } else if (! shells[$10])
234		    	    printf "Login %s does not have a valid "\
235			    "shell (%s)\n", $1, $10;
236		}
237		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
238			printf "Login %s has a user id of 0.\n", $1;
239		if ($3 < 0)
240			printf "Login %s has a negative user id.\n", $1;
241		if ($4 < 0)
242			printf "Login %s has a negative group id.\n", $1;
243	}' < $MP > $OUTPUT
244	if [ -s $OUTPUT ] ; then
245		printf "\nChecking the $MP file:\n"
246		cat $OUTPUT
247	fi
248
249	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
250	if [ -s $OUTPUT ] ; then
251		printf "\n$MP has duplicate user names.\n"
252		column $OUTPUT
253	fi
254
255# To not exclude 'toor', a standard duplicate root account, from the duplicate
256# account test, uncomment the line below (without egrep in it)and comment
257# out the line (with egrep in it) below it.
258#
259#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
260	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
261	if [ -s $TMP2 ] ; then
262		printf "\n$MP has duplicate user id's.\n"
263		while read uid; do
264			grep -w $uid $MPBYUID
265		done < $TMP2 | column
266	fi
267fi
268
269# Check the group file syntax.
270#
271if checkyesno check_group; then
272	GRP=/etc/group
273	awk -F: -v "len=$max_grouplen" '{
274		if ($0 ~ /^[	 ]*$/) {
275			printf "Line %d is a blank line.\n", NR;
276			next;
277		}
278		if (NF != 4 && ($1 != "+" || NF != 1))
279			printf "Line %d has the wrong number of fields.\n", NR;
280		if ($1 == "+" )  {
281			next;
282		}
283		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
284			printf "Group %s has non-alphanumeric characters.\n",
285			    $1;
286		if (length($1) > len)
287			printf "Group %s has more than "len" characters.\n", $1;
288		if ($3 !~ /[0-9]*/)
289			printf "Login %s has a negative group id.\n", $1;
290	}' < $GRP > $OUTPUT
291	if [ -s $OUTPUT ] ; then
292		printf "\nChecking the $GRP file:\n"
293		cat $OUTPUT
294	fi
295
296	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
297	if [ -s $OUTPUT ] ; then
298		printf "\n$GRP has duplicate group names.\n"
299		column $OUTPUT
300	fi
301fi
302
303# Check for root paths, umask values in startup files.
304# The check for the root paths is problematical -- it's likely to fail
305# in other environments.  Once the shells have been modified to warn
306# of '.' in the path, the path tests should go away.
307#
308if checkyesno check_rootdotfiles; then
309	rhome=~root
310	umaskset=no
311	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
312	for i in $list ; do
313		if [ -f $i ] ; then
314			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
315			then
316				umaskset=yes
317			fi
318			# Double check the umask value itself; ensure that
319			# both the group and other write bits are set.
320			#
321			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
322			awk '{
323				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
324					print "\tRoot umask is group writable"
325				}
326				if ($2 ~ /[^2367]$/) {
327					print "\tRoot umask is other writable"
328			    	}
329			    }' | sort -u
330			SAVE_PATH=$PATH
331			unset PATH
332			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
333				source $i
334				/bin/ls -ldgT \$path > $TMP1
335end-of-csh
336			export PATH=$SAVE_PATH
337			awk '{
338				if ($10 ~ /^\.$/) {
339					print "\tThe root path includes .";
340					next;
341				}
342			     }
343			     $1 ~ /^d....w/ \
344		{ print "\tRoot path directory " $10 " is group writable." } \
345			     $1 ~ /^d.......w/ \
346		{ print "\tRoot path directory " $10 " is other writable." }' \
347			< $TMP1
348		fi
349	done > $OUTPUT
350	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
351		printf "\nChecking root csh paths, umask values:\n$list\n\n"
352		if [ -s $OUTPUT ]; then
353			cat $OUTPUT
354		fi
355		if [ $umaskset = "no" ] ; then
356		    printf "\tRoot csh startup files do not set the umask.\n"
357		fi
358	fi
359
360	umaskset=no
361	list="/etc/profile ${rhome}/.profile"
362	for i in $list; do
363		if [ -f $i ] ; then
364			if egrep umask $i > /dev/null ; then
365				umaskset=yes
366			fi
367			egrep umask $i |
368			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
369				{ print "\tRoot umask is group writable" } \
370			     $2 ~ /[^2367]$/ \
371				{ print "\tRoot umask is other writable" }'
372			SAVE_PATH=$PATH
373			unset PATH
374			/bin/sh << end-of-sh > /dev/null 2>&1
375				. $i
376				list=\`echo \$PATH | /usr/bin/sed -e \
377				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
378				/bin/ls -ldgT \$list > $TMP1
379end-of-sh
380			export PATH=$SAVE_PATH
381			awk '{
382				if ($10 ~ /^\.$/) {
383					print "\tThe root path includes .";
384					next;
385				}
386			     }
387			     $1 ~ /^d....w/ \
388		{ print "\tRoot path directory " $10 " is group writable." } \
389			     $1 ~ /^d.......w/ \
390		{ print "\tRoot path directory " $10 " is other writable." }' \
391			< $TMP1
392
393		fi
394	done > $OUTPUT
395	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
396		printf "\nChecking root sh paths, umask values:\n$list\n"
397		if [ -s $OUTPUT ]; then
398			cat $OUTPUT
399		fi
400		if [ $umaskset = "no" ] ; then
401			printf "\tRoot sh startup files do not set the umask.\n"
402		fi
403	fi
404fi
405
406# Root and uucp should both be in /etc/ftpusers.
407#
408if checkyesno check_ftpusers; then
409	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
410	for i in $list; do
411		if /usr/libexec/ftpd -C $i ; then
412			printf "\t$i is not denied\n"
413		fi
414	done > $OUTPUT
415	if [ -s $OUTPUT ]; then
416		printf "\nChecking the /etc/ftpusers configuration:\n"
417		cat $OUTPUT
418	fi
419fi
420
421# Uudecode should not be in the /etc/mail/aliases file.
422#
423if checkyesno check_aliases; then
424	for f in /etc/mail/aliases /etc/aliases; do
425		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
426			printf "\nEntry for uudecode in $f file.\n"
427		fi
428	done
429fi
430
431# Files that should not have + signs.
432#
433if checkyesno check_rhosts; then
434	list="/etc/hosts.equiv /etc/hosts.lpd"
435	for f in $list ; do
436		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
437			printf "\nPlus sign in $f file.\n"
438		fi
439	done
440
441	# Check for special users with .rhosts files.  Only root and toor should
442	# have .rhosts files.  Also, .rhosts files should not have plus signs.
443	awk -F: '$1 != "root" && $1 != "toor" && \
444		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
445			{ print $1 " " $9 }' $MP |
446	sort -k2 |
447	while read uid homedir; do
448		if [ -f ${homedir}/.rhosts ] ; then
449			rhost=`ls -ldgT ${homedir}/.rhosts`
450			printf -- "$uid: $rhost\n"
451		fi
452	done > $OUTPUT
453	if [ -s $OUTPUT ] ; then
454		printf "\nChecking for special users with .rhosts files.\n"
455		cat $OUTPUT
456	fi
457
458	while read uid homedir; do
459		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
460		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
461			printf -- "$uid: + in .rhosts file.\n"
462		fi
463	done < $MPBYPATH > $OUTPUT
464	if [ -s $OUTPUT ] ; then
465		printf "\nChecking .rhosts files syntax.\n"
466		cat $OUTPUT
467	fi
468fi
469
470# Check home directories.  Directories should not be owned by someone else
471# or writable.
472#
473if checkyesno check_homes; then
474	checkyesno check_homes_permit_usergroups && \
475		permit_usergroups=1 || permit_usergroups=0
476	while read uid homedir; do
477		if [ -d ${homedir}/ ] ; then
478			file=`ls -ldgT ${homedir}`
479			printf -- "$uid $file\n"
480		fi
481	done < $MPBYPATH |
482	awk -v "usergroups=$permit_usergroups" '
483	     $1 != $4 && $4 != "root" \
484		{ print "user " $1 " home directory is owned by " $4 }
485	     $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
486		{ print "user " $1 " home directory is group writable" }
487	     $2 ~ /^d.......w/ \
488		{ print "user " $1 " home directory is other writable" }' \
489	    > $OUTPUT
490	if [ -s $OUTPUT ] ; then
491		printf "\nChecking home directories.\n"
492		cat $OUTPUT
493	fi
494
495	# Files that should not be owned by someone else or readable.
496	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
497	while read uid homedir; do
498		for f in $list ; do
499			file=${homedir}/${f}
500			if [ -f $file ] ; then
501				printf -- "$uid $f `ls -ldgT $file`\n"
502			fi
503		done
504	done < $MPBYPATH |
505	awk  -v "usergroups=$permit_usergroups" '
506	     $1 != $5 && $5 != "root" \
507		{ print "user " $1 " " $2 " file is owned by " $5 }
508	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
509		{ print "user " $1 " " $2 " file is group readable" }
510	     $3 ~ /^-......r/ \
511		{ print "user " $1 " " $2 " file is other readable" }
512	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
513		{ print "user " $1 " " $2 " file is group writable" }
514	     $3 ~ /^-.......w/ \
515		{ print "user " $1 " " $2 " file is other writable" }' \
516	    > $OUTPUT
517
518	# Files that should not be owned by someone else or writable.
519	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
520	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
521	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
522	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
523	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
524	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
525	      .ssh/known_hosts2"
526	while read uid homedir; do
527		for f in $list ; do
528			file=${homedir}/${f}
529			if [ -f $file ] ; then
530				printf -- "$uid $f `ls -ldgT $file`\n"
531			fi
532		done
533	done < $MPBYPATH |
534	awk -v "usergroups=$permit_usergroups" '
535	     $1 != $5 && $5 != "root" \
536		{ print "user " $1 " " $2 " file is owned by " $5 }
537	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
538		{ print "user " $1 " " $2 " file is group writable" }
539	     $3 ~ /^-.......w/ \
540		{ print "user " $1 " " $2 " file is other writable" }' \
541	    >> $OUTPUT
542	if [ -s $OUTPUT ] ; then
543		printf "\nChecking dot files.\n"
544		cat $OUTPUT
545	fi
546fi
547
548# Mailboxes should be owned by user and unreadable.
549#
550if checkyesno check_varmail; then
551	ls -lA /var/mail | \
552	awk '	NR == 1 { next; }
553		$9 ~ /^\./ {next; }
554	    	$3 != $9 {
555			print "user " $9 " mailbox is owned by " $3
556		}
557		$1 != "-rw-------" {
558			print "user " $9 " mailbox is " $1 ", group " $4
559		}' > $OUTPUT
560	if [ -s $OUTPUT ] ; then
561		printf "\nChecking mailbox ownership.\n"
562		cat $OUTPUT
563	fi
564fi
565
566# NFS exports shouldn't be globally exported
567#
568if checkyesno check_nfs && [ -f /etc/exports ]; then
569	awk '{
570		# ignore comments and blank lines
571		if ($0 ~ /^\#/ || $0 ~ /^$/ )
572			next;
573
574		readonly = 0;
575		for (i = 2; i <= NF; ++i) {
576			if ($i ~ /-ro/)
577				readonly = 1;
578			else if ($i !~ /^-/)
579				next;
580		}
581		if (readonly)
582			print "File system " $1 " globally exported, read-only."
583		else
584			print "File system " $1 " globally exported, read-write."
585	}' < /etc/exports > $OUTPUT
586	if [ -s $OUTPUT ] ; then
587		printf "\nChecking for globally exported file systems.\n"
588		cat $OUTPUT
589	fi
590fi
591
592# Display any changes in setuid files and devices.
593#
594if checkyesno check_devices; then
595	> $ERR
596	(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
597			-o -fstype null \
598			-o -fstype procfs \) -a -prune -o \
599	    \( \( -perm -u+s -a ! -type d \) -o \
600	       \( -perm -g+s -a ! -type d \) -o \
601	       -type b -o -type c \) -print0 | \
602	xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT
603
604	# Display any errors that occurred during system file walk.
605	if [ -s $OUTPUT ] ; then
606		printf "Setuid/device find errors:\n" >> $ERR
607		cat $OUTPUT >> $ERR
608		printf "\n" >> $ERR
609	fi
610
611	# Display any changes in the setuid file list.
612	egrep -v '^[bc]' $LIST > $TMP1
613	if [ -s $TMP1 ] ; then
614		# Check to make sure uudecode isn't setuid.
615		if grep -w uudecode $TMP1 > /dev/null ; then
616			printf "\nUudecode is setuid.\n" >> $ERR
617		fi
618
619		file=$work_dir/setuid
620		migrate_file "$backup_dir/setuid" "$file"
621		CUR=${file}.current
622		BACK=${file}.backup
623		if [ -s $CUR ] ; then
624			if cmp -s $CUR $TMP1 ; then
625				:
626			else
627				> $TMP2
628				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
629				if [ -s $OUTPUT ] ; then
630					printf "Setuid additions:\n" >> $ERR
631					tee -a $TMP2 < $OUTPUT >> $ERR
632					printf "\n" >> $ERR
633				fi
634
635				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
636				if [ -s $OUTPUT ] ; then
637					printf "Setuid deletions:\n" >> $ERR
638					tee -a $TMP2 < $OUTPUT >> $ERR
639					printf "\n" >> $ERR
640				fi
641
642				sort -k10 $TMP2 $CUR $TMP1 | \
643				    sed -e 's/[	 ][	 ]*/ /g' | \
644				    uniq -u > $OUTPUT
645				if [ -s $OUTPUT ] ; then
646					printf "Setuid changes:\n" >> $ERR
647					column -t $OUTPUT >> $ERR
648					printf "\n" >> $ERR
649				fi
650
651				backup_file update $TMP1 $CUR $BACK
652			fi
653		else
654			printf "Setuid additions:\n" >> $ERR
655			column -t $TMP1 >> $ERR
656			printf "\n" >> $ERR
657			backup_file add $TMP1 $CUR $BACK
658		fi
659	fi
660
661	# Check for block and character disk devices that are readable or
662	# writable or not owned by root.operator.
663	>$TMP1
664	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
665	    sd se ss uk up vnd wd xd xy"
666#	DISKLIST="$DISKLIST ct mt st wt"
667	for i in $DISKLIST; do
668		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
669		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
670	done
671
672	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
673		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
674		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
675	if [ -s $OUTPUT ] ; then
676		printf "\nChecking disk ownership and permissions.\n" >> $ERR
677		cat $OUTPUT >> $ERR
678		printf "\n" >> $ERR
679	fi
680
681	# Display any changes in the device file list.
682	egrep '^[bc]' $LIST | sort -k11 > $TMP1
683	if [ -s $TMP1 ] ; then
684		file=$work_dir/device
685		migrate_file "$backup_dir/device" "$file"
686		CUR=${file}.current
687		BACK=${file}.backup
688
689		if [ -s $CUR ] ; then
690			if cmp -s $CUR $TMP1 ; then
691				:
692			else
693				> $TMP2
694				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
695				if [ -s $OUTPUT ] ; then
696					printf "Device additions:\n" >> $ERR
697					tee -a $TMP2 < $OUTPUT >> $ERR
698					printf "\n" >> $ERR
699				fi
700
701				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
702				if [ -s $OUTPUT ] ; then
703					printf "Device deletions:\n" >> $ERR
704					tee -a $TMP2 < $OUTPUT >> $ERR
705					printf "\n" >> $ERR
706				fi
707
708				# Report any block device change. Ignore
709				# character devices, only the name is
710				# significant.
711				cat $TMP2 $CUR $TMP1 | \
712				    sed -e '/^c/d' | \
713				    sort -k11 | \
714				    sed -e 's/[	 ][	 ]*/ /g' | \
715				    uniq -u > $OUTPUT
716				if [ -s $OUTPUT ] ; then
717					printf "Block device changes:\n" >> $ERR
718					column -t $OUTPUT >> $ERR
719					printf "\n" >> $ERR
720				fi
721
722				backup_file update $TMP1 $CUR $BACK
723			fi
724		else
725			printf "Device additions:\n" >> $ERR
726			column -t $TMP1 >> $ERR
727			printf "\n" >> $ERR
728			backup_file add $TMP1 $CUR $BACK >> $ERR
729		fi
730	fi
731	if [ -s $ERR ] ; then
732		printf "\nChecking setuid files and devices:\n"
733		cat $ERR
734		printf "\n"
735	fi
736fi
737
738# Check special files.
739# Check system binaries.
740#
741# Create the mtree tree specifications using:
742#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
743#	chown root:wheel DIR.secure
744#	chmod u+r,go= DIR.secure
745#
746# Note, this is not complete protection against Trojan horsed binaries, as
747# the hacker can modify the tree specification to match the replaced binary.
748# For details on really protecting yourself against modified binaries, see
749# the mtree(8) manual page.
750#
751if checkyesno check_mtree; then
752	if checkyesno check_mtree_follow_symlinks; then
753		check_mtree_flags="-L"
754	else
755		check_mtree_flags=""
756	fi
757	for file in $special_files; do
758		[ ! -s $file ] && continue
759		mtree -e -l -p / $check_mtree_flags -f $file
760	done 3>&1 >$OUTPUT 2>&3 |
761		grep -v '^mtree: dev/tty: Device not configured$' >&2
762	if [ -s $OUTPUT ]; then
763		printf "\nChecking special files and directories.\n"
764		cat $OUTPUT
765	fi
766
767	for file in /etc/mtree/*.secure; do
768		[ $file = '/etc/mtree/*.secure' ] && continue
769		tree=`sed -n -e '3s/.* //p' -e 3q $file`
770		mtree $check_mtree_flags -f $file -p $tree > $TMP1
771		if [ -s $TMP1 ]; then
772			printf "\nChecking $tree:\n"
773			cat $TMP1
774		fi
775	done > $OUTPUT
776	if [ -s $OUTPUT ]; then
777		printf "\nChecking system binaries:\n"
778		cat $OUTPUT
779	fi
780fi
781
782# Backup disklabels of available disks
783#
784if checkyesno check_disklabels; then
785		# migrate old disklabels
786	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
787	    $backup_dir/disklabel.* 2>/dev/null`; do
788		migrate_file "$file" "$work_dir/${file##*/}"
789	done
790
791		# generate list of old disklabels & fdisks and remove them
792	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
793	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
794	xargs rm < $LABELS
795
796		# generate disklabels of all disks excluding:	cd fd md
797	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d/ { print $1; }'`
798	for i in $disks; do
799		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
800	done
801
802		# if fdisk is available, generate fdisks for:	ed ld sd wd
803	if [ -x /sbin/fdisk ]; then
804		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
805		for i in $disks; do
806			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
807		done
808	fi
809
810		# append list of new disklabels and fdisks
811	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
812	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
813	CHANGELIST="$LABELS $CHANGELIST"
814fi
815
816# Check for changes in the list of installed pkgs
817#
818if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
819	pkgs=$work_dir/pkgs
820	migrate_file "$backup_dir/pkgs" "$pkgs"
821	(	cd $pkgdb_dir
822		pkg_info | sort
823		echo ""
824		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
825			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
826	 ) > $pkgs
827	echo "$pkgs" > $PKGS
828	CHANGELIST="$PKGS $CHANGELIST"
829fi
830
831# List of files that get backed up and checked for any modifications.
832# Any changes cause the files to rotate.
833#
834if checkyesno check_changelist ; then
835	for file in $special_files; do
836		[ ! -s $file ] && continue
837		mtree -D -k type -f $file -E exclude |
838		    sed '/^type=file/!d ; s/type=file \.//'
839	done > $CHANGEFILES
840
841	(
842		# Add other files which might dynamically exist:
843		#	/etc/ifconfig.*
844		#	/etc/raid*.conf
845		#	/etc/rc.d/*
846		#	/etc/rc.conf.d/*
847		#
848		echo "/etc/ifconfig.*"
849		echo "/etc/raid*.conf"
850		echo "/etc/rc.d/*"
851		echo "/etc/rc.conf.d/*"
852
853		# Add /etc/changelist
854		#
855		if [ -s /etc/changelist ]; then
856			grep -v '^#' /etc/changelist
857		fi
858	) | while read file; do
859		case "$file" in
860		*[\*\?\[]*)	# If changelist line is a glob ...
861				# ... expand possible backup files
862				#
863			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
864			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
865				
866				# ... expand possible files
867				#
868			ls -1d $(echo $file) 2>/dev/null
869			;;
870		*)
871				# Otherwise, just print the filename
872			echo $file
873			;;
874		esac
875	done >> $CHANGEFILES
876	CHANGELIST="$CHANGEFILES $CHANGELIST"
877fi
878
879# Special case backups, including the master password file and
880# ssh private host keys. The normal backup mechanisms for
881# $check_changelist (see below) also print out the actual file
882# differences and we don't want to do that for these files
883#
884echo $MP > $TMP1			# always add /etc/master.passwd
885for file in $special_files; do
886	[ ! -s $file ] && continue
887	mtree -D -k type -f $file -I nodiff |
888	    sed '/^type=file/!d ; s/type=file \.//'
889done >> $TMP1
890grep -v '^$' $TMP1 | sort -u > $TMP2
891
892while read file; do
893	backup_and_diff "$file" no
894done < $TMP2
895
896
897if [ -n "$CHANGELIST" ]; then
898	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
899	comm -23 $TMP1 $TMP2 | while read file; do
900		backup_and_diff "$file" yes
901	done
902fi
903
904if [ -f /etc/security.local ]; then
905	. /etc/security.local > $OUTPUT
906	if [ -s $OUTPUT ] ; then
907		printf "\nRunning /etc/security.local:\n"
908		cat $OUTPUT
909	fi
910fi
911