security revision 1.90 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.90 2004/04/09 17:33:35 kim Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9rcvar_manpage='security.conf(5)'
10
11if [ -f /etc/rc.subr ]; then
12	. /etc/rc.subr
13else
14	echo "Can't read /etc/rc.subr; aborting."
15	exit 1;
16fi
17
18umask 077
19TZ=UTC; export TZ
20
21if [ -s /etc/security.conf ]; then
22	. /etc/security.conf
23fi
24
25# Set reasonable defaults (if they're not set in security.conf)
26#
27backup_dir=${backup_dir:-/var/backups}
28pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29max_loginlen=${max_loginlen:-8}
30max_grouplen=${max_grouplen:-8}
31
32# Other configurable variables
33#
34special_files="/etc/mtree/special /etc/mtree/special.local"
35MP=/etc/master.passwd
36CHANGELIST=""
37work_dir=$backup_dir/work
38
39if [ ! -d "$work_dir" ]; then
40	mkdir -p "$work_dir"
41fi
42
43SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
44
45trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
46
47if ! cd "$SECUREDIR"; then
48	echo "Can not cd to $SECUREDIR".
49	exit 1
50fi
51
52ERR=secure1.$$
53TMP1=secure2.$$
54TMP2=secure3.$$
55MPBYUID=secure4.$$
56MPBYPATH=secure5.$$
57LIST=secure6.$$
58OUTPUT=secure7.$$
59LABELS=secure8.$$
60PKGS=secure9.$$
61CHANGEFILES=secure10.$$
62
63
64# migrate_file old new
65#	Determine if the "${old}" path name needs to be migrated to the
66#	"${new}" path. Also checks if "${old}.current" needs migrating,
67#	and if so, migrate it and possibly "${old}.current,v" and
68#	"${old}.backup".
69#
70migrate_file()
71{
72	_old=$1
73	_new=$2
74	if [ -z "$_old" -o -z "$_new" ]; then
75		err 3 "USAGE: migrate_file old new"
76	fi
77	if [ ! -d "${_new%/*}" ]; then
78		mkdir -p "${_new%/*}"
79	fi
80	if [ -f "${_old}" -a ! -f "${_new}" ]; then
81		echo "==> migrating ${_old}"
82		echo "           to ${_new}"
83		mv "${_old}" "${_new}"
84	fi
85	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
86		echo "==> migrating ${_old}.current"
87		echo "           to ${_new}.current"
88		mv "${_old}.current" "${_new}.current"
89		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
90			echo "==> migrating ${_old}.current,v"
91			echo "           to ${_new}.current,v"
92			mv "${_old}.current,v" "${_new}.current,v"
93		fi
94		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
95			echo "==> migrating ${_old}.backup"
96			echo "           to ${_new}.backup"
97			mv "${_old}.backup" "${_new}.backup"
98		fi
99	fi
100}
101
102
103# backup_and_diff file printdiff
104#	Determine if file needs backing up, and if so, do it.
105#	If printdiff is yes, display the diffs, otherwise 
106#	just print a message saying "[changes omitted]".
107#
108backup_and_diff()
109{
110	_file=$1
111	_printdiff=$2
112	if [ -z "$_file" -o -z "$_printdiff" ]; then
113		err 3 "USAGE: backup_and_diff file printdiff"
114	fi
115	! checkyesno _printdiff
116	_printdiff=$?
117
118	_old=$backup_dir/${_file##*/}
119	case "$_file" in
120	$work_dir/*)
121		_new=$_file
122		migrate_file "$backup_dir/$_old" "$_new"
123		migrate_file "$_old" "$_new"
124		;;
125	*)
126		_new=$backup_dir/$_file
127		migrate_file "$_old" "$_new"
128		;;
129	esac
130	CUR=${_new}.current
131	BACK=${_new}.backup
132	if [ -f $_file ]; then
133		if [ -f $CUR ] ; then
134			if [ "$_printdiff" -ne 0 ]; then
135				diff ${diff_options} $CUR $_file > $OUTPUT
136			else
137				if ! cmp -s $CUR $_file; then
138					echo "[changes omitted]"
139				fi > $OUTPUT
140			fi
141			if [ -s $OUTPUT ] ; then
142				printf \
143			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
144				cat $OUTPUT
145				backup_file update $_file $CUR $BACK
146			fi
147		else
148			printf "\n======\n%s added\n======\n" $_file
149			if [ "$_printdiff" -ne 0 ]; then
150				diff ${diff_options} /dev/null $_file
151			else
152				echo "[changes omitted]"
153			fi
154			backup_file add $_file $CUR $BACK
155		fi
156	else
157		if [ -f $CUR ]; then
158			printf "\n======\n%s removed\n======\n" $_file
159			if [ "$_printdiff" -ne 0 ]; then
160				diff ${diff_options} $CUR /dev/null
161			else
162				echo "[changes omitted]"
163			fi
164			backup_file remove $_file $CUR $BACK
165		fi
166	fi
167}
168
169
170# These are used several times.
171#
172awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
173awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
174
175
176# Check the master password file syntax.
177#
178if checkyesno check_passwd; then
179        # XXX: the sense of permit_star is reversed; the code works as
180        # implemented, but usage needs to be negated.
181	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
182	awk -v "len=$max_loginlen" \
183	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
184	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
185	    -v "permit_star=$permit_star" '
186	BEGIN {
187		while ( getline < "/etc/shells" > 0 ) {
188			if ($0 ~ /^\#/ || $0 ~ /^$/ )
189				continue;
190			shells[$1]++;
191		}
192		split(nowarn_shells_list, a);
193		for (i in a) nowarn_shells[a[i]]++;
194		split(nowarn_users_list, a);
195		for (i in a) nowarn_users[a[i]]++;
196		uid0_users_list="root toor"
197		split(uid0_users_list, a);
198		for (i in a) uid0_users[a[i]]++;
199		FS=":";
200	}
201
202	{
203		if ($0 ~ /^[	 ]*$/) {
204			printf "Line %d is a blank line.\n", NR;
205			next;
206		}
207		if (NF != 10 && ($1 != "+" || NF != 1))
208			printf "Line %d has the wrong number of fields.\n", NR;
209		if ($1 == "+" )  {
210			if (NF != 1 && $3 == 0)
211			    printf "Line %d includes entries with uid 0.\n",
212			        NR;
213			next;
214		}
215		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
216			printf "Login %s has non-alphanumeric characters.\n",
217			    $1;
218		if (length($1) > len)
219			printf "Login %s has more than "len" characters.\n",
220			    $1;
221		if ($2 == "" && !nowarn_users[$1])
222			    printf "Login %s has no password.\n", $1;
223		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
224		    if (length($2) != 13 &&
225		    	length($2) != 20 &&
226		    	$2 !~ /^\$1/ &&
227		    	$2 !~ /^\$2/ &&
228		    	$2 != "" &&
229			(permit_star || $2 != "*") &&
230		    	$2 !~ /^\*[A-z-]+$/ &&
231			$1 != "toor") {
232		    	    if ($10 == "" || shells[$10])
233				printf "Login %s is off but still has "\
234				  "a valid shell (%s)\n", $1, $10;
235		    } else if (! shells[$10])
236		    	    printf "Login %s does not have a valid "\
237			    "shell (%s)\n", $1, $10;
238		}
239		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
240			printf "Login %s has a user id of 0.\n", $1;
241		if ($3 < 0)
242			printf "Login %s has a negative user id.\n", $1;
243		if ($4 < 0)
244			printf "Login %s has a negative group id.\n", $1;
245	}' < $MP > $OUTPUT
246	if [ -s $OUTPUT ] ; then
247		printf "\nChecking the $MP file:\n"
248		cat $OUTPUT
249	fi
250
251	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
252	if [ -s $OUTPUT ] ; then
253		printf "\n$MP has duplicate user names.\n"
254		column $OUTPUT
255	fi
256
257# To not exclude 'toor', a standard duplicate root account, from the duplicate
258# account test, uncomment the line below (without egrep in it)and comment
259# out the line (with egrep in it) below it.
260#
261#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
262	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
263	if [ -s $TMP2 ] ; then
264		printf "\n$MP has duplicate user id's.\n"
265		while read uid; do
266			grep -w $uid $MPBYUID
267		done < $TMP2 | column
268	fi
269fi
270
271# Check the group file syntax.
272#
273if checkyesno check_group; then
274	GRP=/etc/group
275	awk -F: -v "len=$max_grouplen" '{
276		if ($0 ~ /^[	 ]*$/) {
277			printf "Line %d is a blank line.\n", NR;
278			next;
279		}
280		if (NF != 4 && ($1 != "+" || NF != 1))
281			printf "Line %d has the wrong number of fields.\n", NR;
282		if ($1 == "+" )  {
283			next;
284		}
285		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
286			printf "Group %s has non-alphanumeric characters.\n",
287			    $1;
288		if (length($1) > len)
289			printf "Group %s has more than "len" characters.\n", $1;
290		if ($3 !~ /[0-9]*/)
291			printf "Login %s has a negative group id.\n", $1;
292	}' < $GRP > $OUTPUT
293	if [ -s $OUTPUT ] ; then
294		printf "\nChecking the $GRP file:\n"
295		cat $OUTPUT
296	fi
297
298	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
299	if [ -s $OUTPUT ] ; then
300		printf "\n$GRP has duplicate group names.\n"
301		column $OUTPUT
302	fi
303fi
304
305# Check for root paths, umask values in startup files.
306# The check for the root paths is problematical -- it's likely to fail
307# in other environments.  Once the shells have been modified to warn
308# of '.' in the path, the path tests should go away.
309#
310if checkyesno check_rootdotfiles; then
311	rhome=~root
312	umaskset=no
313	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
314	for i in $list ; do
315		if [ -f $i ] ; then
316			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
317			then
318				umaskset=yes
319			fi
320			# Double check the umask value itself; ensure that
321			# both the group and other write bits are set.
322			#
323			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
324			awk '{
325				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
326					print "\tRoot umask is group writable"
327				}
328				if ($2 ~ /[^2367]$/) {
329					print "\tRoot umask is other writable"
330			    	}
331			    }' | sort -u
332			SAVE_PATH=$PATH
333			unset PATH
334			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
335				source $i
336				/bin/ls -ldgT \$path > $TMP1
337end-of-csh
338			export PATH=$SAVE_PATH
339			awk '{
340				if ($10 ~ /^\.$/) {
341					print "\tThe root path includes .";
342					next;
343				}
344			     }
345			     $1 ~ /^d....w/ \
346		{ print "\tRoot path directory " $10 " is group writable." } \
347			     $1 ~ /^d.......w/ \
348		{ print "\tRoot path directory " $10 " is other writable." }' \
349			< $TMP1
350		fi
351	done > $OUTPUT
352	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
353		printf "\nChecking root csh paths, umask values:\n$list\n\n"
354		if [ -s $OUTPUT ]; then
355			cat $OUTPUT
356		fi
357		if [ $umaskset = "no" ] ; then
358		    printf "\tRoot csh startup files do not set the umask.\n"
359		fi
360	fi
361
362	umaskset=no
363	list="/etc/profile ${rhome}/.profile"
364	for i in $list; do
365		if [ -f $i ] ; then
366			if egrep umask $i > /dev/null ; then
367				umaskset=yes
368			fi
369			egrep umask $i |
370			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
371				{ print "\tRoot umask is group writable" } \
372			     $2 ~ /[^2367]$/ \
373				{ print "\tRoot umask is other writable" }'
374			SAVE_PATH=$PATH
375			unset PATH
376			/bin/sh << end-of-sh > /dev/null 2>&1
377				. $i
378				list=\`echo \$PATH | /usr/bin/sed -e \
379				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
380				/bin/ls -ldgT \$list > $TMP1
381end-of-sh
382			export PATH=$SAVE_PATH
383			awk '{
384				if ($10 ~ /^\.$/) {
385					print "\tThe root path includes .";
386					next;
387				}
388			     }
389			     $1 ~ /^d....w/ \
390		{ print "\tRoot path directory " $10 " is group writable." } \
391			     $1 ~ /^d.......w/ \
392		{ print "\tRoot path directory " $10 " is other writable." }' \
393			< $TMP1
394
395		fi
396	done > $OUTPUT
397	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
398		printf "\nChecking root sh paths, umask values:\n$list\n"
399		if [ -s $OUTPUT ]; then
400			cat $OUTPUT
401		fi
402		if [ $umaskset = "no" ] ; then
403			printf "\tRoot sh startup files do not set the umask.\n"
404		fi
405	fi
406fi
407
408# Root and uucp should both be in /etc/ftpusers.
409#
410if checkyesno check_ftpusers; then
411	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
412	for i in $list; do
413		if /usr/libexec/ftpd -C $i ; then
414			printf "\t$i is not denied\n"
415		fi
416	done > $OUTPUT
417	if [ -s $OUTPUT ]; then
418		printf "\nChecking the /etc/ftpusers configuration:\n"
419		cat $OUTPUT
420	fi
421fi
422
423# Uudecode should not be in the /etc/mail/aliases file.
424#
425if checkyesno check_aliases; then
426	for f in /etc/mail/aliases /etc/aliases; do
427		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
428			printf "\nEntry for uudecode in $f file.\n"
429		fi
430	done
431fi
432
433# Files that should not have + signs.
434#
435if checkyesno check_rhosts; then
436	list="/etc/hosts.equiv /etc/hosts.lpd"
437	for f in $list ; do
438		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
439			printf "\nPlus sign in $f file.\n"
440		fi
441	done
442
443	# Check for special users with .rhosts files.  Only root and toor should
444	# have .rhosts files.  Also, .rhosts files should not have plus signs.
445	awk -F: '$1 != "root" && $1 != "toor" && \
446		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
447			{ print $1 " " $9 }' $MP |
448	sort -k2 |
449	while read uid homedir; do
450		if [ -f ${homedir}/.rhosts ] ; then
451			rhost=`ls -ldgT ${homedir}/.rhosts`
452			printf -- "$uid: $rhost\n"
453		fi
454	done > $OUTPUT
455	if [ -s $OUTPUT ] ; then
456		printf "\nChecking for special users with .rhosts files.\n"
457		cat $OUTPUT
458	fi
459
460	while read uid homedir; do
461		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
462		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
463			printf -- "$uid: + in .rhosts file.\n"
464		fi
465	done < $MPBYPATH > $OUTPUT
466	if [ -s $OUTPUT ] ; then
467		printf "\nChecking .rhosts files syntax.\n"
468		cat $OUTPUT
469	fi
470fi
471
472# Check home directories.  Directories should not be owned by someone else
473# or writable.
474#
475if checkyesno check_homes; then
476	checkyesno check_homes_permit_usergroups && \
477		permit_usergroups=1 || permit_usergroups=0
478	while read uid homedir; do
479		if [ -d ${homedir}/ ] ; then
480			file=`ls -ldgT ${homedir}`
481			printf -- "$uid $file\n"
482		fi
483	done < $MPBYPATH |
484	awk -v "usergroups=$permit_usergroups" '
485	     $1 != $4 && $4 != "root" \
486		{ print "user " $1 " home directory is owned by " $4 }
487	     $2 ~ /^-....w/ && (!usergroups || $5 != $1) \
488		{ print "user " $1 " home directory is group writable" }
489	     $2 ~ /^-.......w/ \
490		{ print "user " $1 " home directory is other writable" }' \
491	    > $OUTPUT
492	if [ -s $OUTPUT ] ; then
493		printf "\nChecking home directories.\n"
494		cat $OUTPUT
495	fi
496
497	# Files that should not be owned by someone else or readable.
498	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
499	while read uid homedir; do
500		for f in $list ; do
501			file=${homedir}/${f}
502			if [ -f $file ] ; then
503				printf -- "$uid $f `ls -ldgT $file`\n"
504			fi
505		done
506	done < $MPBYPATH |
507	awk  -v "usergroups=$permit_usergroups" '
508	     $1 != $5 && $5 != "root" \
509		{ print "user " $1 " " $2 " file is owned by " $5 }
510	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
511		{ print "user " $1 " " $2 " file is group readable" }
512	     $3 ~ /^-......r/ \
513		{ print "user " $1 " " $2 " file is other readable" }
514	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
515		{ print "user " $1 " " $2 " file is group writable" }
516	     $3 ~ /^-.......w/ \
517		{ print "user " $1 " " $2 " file is other writable" }' \
518	    > $OUTPUT
519
520	# Files that should not be owned by someone else or writable.
521	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
522	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
523	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
524	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
525	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
526	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
527	      .ssh/known_hosts2"
528	while read uid homedir; do
529		for f in $list ; do
530			file=${homedir}/${f}
531			if [ -f $file ] ; then
532				printf -- "$uid $f `ls -ldgT $file`\n"
533			fi
534		done
535	done < $MPBYPATH |
536	awk -v "usergroups=$permit_usergroups" '
537	     $1 != $5 && $5 != "root" \
538		{ print "user " $1 " " $2 " file is owned by " $5 }
539	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
540		{ print "user " $1 " " $2 " file is group writable" }
541	     $3 ~ /^-.......w/ \
542		{ print "user " $1 " " $2 " file is other writable" }' \
543	    >> $OUTPUT
544	if [ -s $OUTPUT ] ; then
545		printf "\nChecking dot files.\n"
546		cat $OUTPUT
547	fi
548fi
549
550# Mailboxes should be owned by user and unreadable.
551#
552if checkyesno check_varmail; then
553	ls -lA /var/mail | \
554	awk '	NR == 1 { next; }
555		$9 ~ /^\./ {next; }
556	    	$3 != $9 {
557			print "user " $9 " mailbox is owned by " $3
558		}
559		$1 != "-rw-------" {
560			print "user " $9 " mailbox is " $1 ", group " $4
561		}' > $OUTPUT
562	if [ -s $OUTPUT ] ; then
563		printf "\nChecking mailbox ownership.\n"
564		cat $OUTPUT
565	fi
566fi
567
568# NFS exports shouldn't be globally exported
569#
570if checkyesno check_nfs && [ -f /etc/exports ]; then
571	awk '{
572		# ignore comments and blank lines
573		if ($0 ~ /^\#/ || $0 ~ /^$/ )
574			next;
575
576		readonly = 0;
577		for (i = 2; i <= NF; ++i) {
578			if ($i ~ /-ro/)
579				readonly = 1;
580			else if ($i !~ /^-/)
581				next;
582		}
583		if (readonly)
584			print "File system " $1 " globally exported, read-only."
585		else
586			print "File system " $1 " globally exported, read-write."
587	}' < /etc/exports > $OUTPUT
588	if [ -s $OUTPUT ] ; then
589		printf "\nChecking for globally exported file systems.\n"
590		cat $OUTPUT
591	fi
592fi
593
594# Display any changes in setuid files and devices.
595#
596if checkyesno check_devices; then
597	> $ERR
598	(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
599			-o -fstype null \
600			-o -fstype procfs \) -a -prune -o \
601	    \( \( -perm -u+s -a ! -type d \) -o \
602	       \( -perm -g+s -a ! -type d \) -o \
603	       -type b -o -type c \) -print0 | \
604	xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT
605
606	# Display any errors that occurred during system file walk.
607	if [ -s $OUTPUT ] ; then
608		printf "Setuid/device find errors:\n" >> $ERR
609		cat $OUTPUT >> $ERR
610		printf "\n" >> $ERR
611	fi
612
613	# Display any changes in the setuid file list.
614	egrep -v '^[bc]' $LIST > $TMP1
615	if [ -s $TMP1 ] ; then
616		# Check to make sure uudecode isn't setuid.
617		if grep -w uudecode $TMP1 > /dev/null ; then
618			printf "\nUudecode is setuid.\n" >> $ERR
619		fi
620
621		file=$work_dir/setuid
622		migrate_file "$backup_dir/setuid" "$file"
623		CUR=${file}.current
624		BACK=${file}.backup
625		if [ -s $CUR ] ; then
626			if cmp -s $CUR $TMP1 ; then
627				:
628			else
629				> $TMP2
630				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
631				if [ -s $OUTPUT ] ; then
632					printf "Setuid additions:\n" >> $ERR
633					tee -a $TMP2 < $OUTPUT >> $ERR
634					printf "\n" >> $ERR
635				fi
636
637				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
638				if [ -s $OUTPUT ] ; then
639					printf "Setuid deletions:\n" >> $ERR
640					tee -a $TMP2 < $OUTPUT >> $ERR
641					printf "\n" >> $ERR
642				fi
643
644				sort -k10 $TMP2 $CUR $TMP1 | \
645				    sed -e 's/[	 ][	 ]*/ /g' | \
646				    uniq -u > $OUTPUT
647				if [ -s $OUTPUT ] ; then
648					printf "Setuid changes:\n" >> $ERR
649					column -t $OUTPUT >> $ERR
650					printf "\n" >> $ERR
651				fi
652
653				backup_file update $TMP1 $CUR $BACK
654			fi
655		else
656			printf "Setuid additions:\n" >> $ERR
657			column -t $TMP1 >> $ERR
658			printf "\n" >> $ERR
659			backup_file add $TMP1 $CUR $BACK
660		fi
661	fi
662
663	# Check for block and character disk devices that are readable or
664	# writable or not owned by root.operator.
665	>$TMP1
666	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
667	    sd se ss uk up vnd wd xd xy"
668#	DISKLIST="$DISKLIST ct mt st wt"
669	for i in $DISKLIST; do
670		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
671		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
672	done
673
674	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
675		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
676		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
677	if [ -s $OUTPUT ] ; then
678		printf "\nChecking disk ownership and permissions.\n" >> $ERR
679		cat $OUTPUT >> $ERR
680		printf "\n" >> $ERR
681	fi
682
683	# Display any changes in the device file list.
684	egrep '^[bc]' $LIST | sort -k11 > $TMP1
685	if [ -s $TMP1 ] ; then
686		file=$work_dir/device
687		migrate_file "$backup_dir/device" "$file"
688		CUR=${file}.current
689		BACK=${file}.backup
690
691		if [ -s $CUR ] ; then
692			if cmp -s $CUR $TMP1 ; then
693				:
694			else
695				> $TMP2
696				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
697				if [ -s $OUTPUT ] ; then
698					printf "Device additions:\n" >> $ERR
699					tee -a $TMP2 < $OUTPUT >> $ERR
700					printf "\n" >> $ERR
701				fi
702
703				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
704				if [ -s $OUTPUT ] ; then
705					printf "Device deletions:\n" >> $ERR
706					tee -a $TMP2 < $OUTPUT >> $ERR
707					printf "\n" >> $ERR
708				fi
709
710				# Report any block device change. Ignore
711				# character devices, only the name is
712				# significant.
713				cat $TMP2 $CUR $TMP1 | \
714				    sed -e '/^c/d' | \
715				    sort -k11 | \
716				    sed -e 's/[	 ][	 ]*/ /g' | \
717				    uniq -u > $OUTPUT
718				if [ -s $OUTPUT ] ; then
719					printf "Block device changes:\n" >> $ERR
720					column -t $OUTPUT >> $ERR
721					printf "\n" >> $ERR
722				fi
723
724				backup_file update $TMP1 $CUR $BACK
725			fi
726		else
727			printf "Device additions:\n" >> $ERR
728			column -t $TMP1 >> $ERR
729			printf "\n" >> $ERR
730			backup_file add $TMP1 $CUR $BACK >> $ERR
731		fi
732	fi
733	if [ -s $ERR ] ; then
734		printf "\nChecking setuid files and devices:\n"
735		cat $ERR
736		printf "\n"
737	fi
738fi
739
740# Check special files.
741# Check system binaries.
742#
743# Create the mtree tree specifications using:
744#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
745#	chown root:wheel DIR.secure
746#	chmod u+r,go= DIR.secure
747#
748# Note, this is not complete protection against Trojan horsed binaries, as
749# the hacker can modify the tree specification to match the replaced binary.
750# For details on really protecting yourself against modified binaries, see
751# the mtree(8) manual page.
752#
753if checkyesno check_mtree; then
754	if checkyesno check_mtree_follow_symlinks; then
755		check_mtree_flags="-L"
756	else
757		check_mtree_flags=""
758	fi
759	for file in $special_files; do
760		[ ! -s $file ] && continue
761		mtree -e -l -p / $check_mtree_flags -f $file
762	done 3>&1 >$OUTPUT 2>&3 |
763		grep -v '^mtree: dev/tty: Device not configured$' >&2
764	if [ -s $OUTPUT ]; then
765		printf "\nChecking special files and directories.\n"
766		cat $OUTPUT
767	fi
768
769	for file in /etc/mtree/*.secure; do
770		[ $file = '/etc/mtree/*.secure' ] && continue
771		tree=`sed -n -e '3s/.* //p' -e 3q $file`
772		mtree $check_mtree_flags -f $file -p $tree > $TMP1
773		if [ -s $TMP1 ]; then
774			printf "\nChecking $tree:\n"
775			cat $TMP1
776		fi
777	done > $OUTPUT
778	if [ -s $OUTPUT ]; then
779		printf "\nChecking system binaries:\n"
780		cat $OUTPUT
781	fi
782fi
783
784# Backup disklabels of available disks
785#
786if checkyesno check_disklabels; then
787		# migrate old disklabels
788	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
789	    $backup_dir/disklabel.* 2>/dev/null`; do
790		migrate_file "$file" "$work_dir/${file##*/}"
791	done
792
793		# generate list of old disklabels & fdisks and remove them
794	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
795	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
796	xargs rm < $LABELS
797
798		# generate disklabels of all disks excluding:	cd fd md
799	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d/ { print $1; }'`
800	for i in $disks; do
801		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
802	done
803
804		# if fdisk is available, generate fdisks for:	ed ld sd wd
805	if [ -x /sbin/fdisk ]; then
806		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
807		for i in $disks; do
808			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
809		done
810	fi
811
812		# append list of new disklabels and fdisks
813	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
814	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
815	CHANGELIST="$LABELS $CHANGELIST"
816fi
817
818# Check for changes in the list of installed pkgs
819#
820if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
821	pkgs=$work_dir/pkgs
822	migrate_file "$backup_dir/pkgs" "$pkgs"
823	(	cd $pkgdb_dir
824		pkg_info | sort
825		echo ""
826		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
827			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
828	 ) > $pkgs
829	echo "$pkgs" > $PKGS
830	CHANGELIST="$PKGS $CHANGELIST"
831fi
832
833# List of files that get backed up and checked for any modifications.
834# Any changes cause the files to rotate.
835#
836if checkyesno check_changelist ; then
837	for file in $special_files; do
838		[ ! -s $file ] && continue
839		mtree -D -k type -f $file -E exclude |
840		    sed '/^type=file/!d ; s/type=file \.//'
841	done > $CHANGEFILES
842
843	(
844		# Add other files which might dynamically exist:
845		#	/etc/ifconfig.*
846		#	/etc/raid*.conf
847		#	/etc/rc.d/*
848		#	/etc/rc.conf.d/*
849		#
850		echo "/etc/ifconfig.*"
851		echo "/etc/raid*.conf"
852		echo "/etc/rc.d/*"
853		echo "/etc/rc.conf.d/*"
854
855		# Add /etc/changelist
856		#
857		if [ -s /etc/changelist ]; then
858			grep -v '^#' /etc/changelist
859		fi
860	) | while read file; do
861		case "$file" in
862		*[\*\?\[]*)	# If changelist line is a glob ...
863				# ... expand possible backup files
864				#
865			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
866			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
867				
868				# ... expand possible files
869				#
870			ls -1d $(echo $file) 2>/dev/null
871			;;
872		*)
873				# Otherwise, just print the filename
874			echo $file
875			;;
876		esac
877	done >> $CHANGEFILES
878	CHANGELIST="$CHANGEFILES $CHANGELIST"
879fi
880
881# Special case backups, including the master password file and
882# ssh private host keys. The normal backup mechanisms for
883# $check_changelist (see below) also print out the actual file
884# differences and we don't want to do that for these files
885#
886echo $MP > $TMP1			# always add /etc/master.passwd
887for file in $special_files; do
888	[ ! -s $file ] && continue
889	mtree -D -k type -f $file -I nodiff |
890	    sed '/^type=file/!d ; s/type=file \.//'
891done >> $TMP1
892grep -v '^$' $TMP1 | sort -u > $TMP2
893
894while read file; do
895	backup_and_diff "$file" no
896done < $TMP2
897
898
899if [ -n "$CHANGELIST" ]; then
900	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
901	comm -23 $TMP1 $TMP2 | while read file; do
902		backup_and_diff "$file" yes
903	done
904fi
905
906if [ -f /etc/security.local ]; then
907	. /etc/security.local > $OUTPUT 2>&1
908	if [ -s $OUTPUT ] ; then
909		printf "\nRunning /etc/security.local:\n"
910		cat $OUTPUT
911	fi
912fi
913