security revision 1.93 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.93 2004/11/21 19:00:12 kim Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9rcvar_manpage='security.conf(5)'
10
11if [ -f /etc/rc.subr ]; then
12	. /etc/rc.subr
13else
14	echo "Can't read /etc/rc.subr; aborting."
15	exit 1;
16fi
17
18umask 077
19TZ=UTC; export TZ
20
21if [ -s /etc/security.conf ]; then
22	. /etc/security.conf
23fi
24
25# Set reasonable defaults (if they're not set in security.conf)
26#
27backup_dir=${backup_dir:-/var/backups}
28pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29max_loginlen=${max_loginlen:-8}
30max_grouplen=${max_grouplen:-8}
31
32# Other configurable variables
33#
34special_files="/etc/mtree/special /etc/mtree/special.local"
35MP=/etc/master.passwd
36CHANGELIST=""
37work_dir=$backup_dir/work
38
39if [ ! -d "$work_dir" ]; then
40	mkdir -p "$work_dir"
41fi
42
43SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
44
45trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
46
47if ! cd "$SECUREDIR"; then
48	echo "Can not cd to $SECUREDIR".
49	exit 1
50fi
51
52ERR=err.$$
53TMP1=tmp1.$$
54TMP2=tmp2.$$
55MPBYUID=mpbyuid.$$
56MPBYPATH=mpbypath.$$
57LIST=list.$$
58OUTPUT=output.$$
59LABELS=labels.$$
60PKGS=pkgs.$$
61CHANGEFILES=changefiles.$$
62SPECIALSPEC=specialspec.$$
63
64
65# migrate_file old new
66#	Determine if the "${old}" path name needs to be migrated to the
67#	"${new}" path. Also checks if "${old}.current" needs migrating,
68#	and if so, migrate it and possibly "${old}.current,v" and
69#	"${old}.backup".
70#
71migrate_file()
72{
73	_old=$1
74	_new=$2
75	if [ -z "$_old" -o -z "$_new" ]; then
76		err 3 "USAGE: migrate_file old new"
77	fi
78	if [ ! -d "${_new%/*}" ]; then
79		mkdir -p "${_new%/*}"
80	fi
81	if [ -f "${_old}" -a ! -f "${_new}" ]; then
82		echo "==> migrating ${_old}"
83		echo "           to ${_new}"
84		mv "${_old}" "${_new}"
85	fi
86	if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
87		echo "==> migrating ${_old}.current"
88		echo "           to ${_new}.current"
89		mv "${_old}.current" "${_new}.current"
90		if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
91			echo "==> migrating ${_old}.current,v"
92			echo "           to ${_new}.current,v"
93			mv "${_old}.current,v" "${_new}.current,v"
94		fi
95		if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
96			echo "==> migrating ${_old}.backup"
97			echo "           to ${_new}.backup"
98			mv "${_old}.backup" "${_new}.backup"
99		fi
100	fi
101}
102
103
104# backup_and_diff file printdiff
105#	Determine if file needs backing up, and if so, do it.
106#	If printdiff is yes, display the diffs, otherwise 
107#	just print a message saying "[changes omitted]".
108#
109backup_and_diff()
110{
111	_file=$1
112	_printdiff=$2
113	if [ -z "$_file" -o -z "$_printdiff" ]; then
114		err 3 "USAGE: backup_and_diff file printdiff"
115	fi
116	! checkyesno _printdiff
117	_printdiff=$?
118
119	_old=$backup_dir/${_file##*/}
120	case "$_file" in
121	$work_dir/*)
122		_new=$_file
123		migrate_file "$backup_dir/$_old" "$_new"
124		migrate_file "$_old" "$_new"
125		;;
126	*)
127		_new=$backup_dir/$_file
128		migrate_file "$_old" "$_new"
129		;;
130	esac
131	CUR=${_new}.current
132	BACK=${_new}.backup
133	if [ -f $_file ]; then
134		if [ -f $CUR ] ; then
135			if [ "$_printdiff" -ne 0 ]; then
136				diff ${diff_options} $CUR $_file > $OUTPUT
137			else
138				if ! cmp -s $CUR $_file; then
139					echo "[changes omitted]"
140				fi > $OUTPUT
141			fi
142			if [ -s $OUTPUT ] ; then
143				printf \
144			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
145				cat $OUTPUT
146				backup_file update $_file $CUR $BACK
147			fi
148		else
149			printf "\n======\n%s added\n======\n" $_file
150			if [ "$_printdiff" -ne 0 ]; then
151				diff ${diff_options} /dev/null $_file
152			else
153				echo "[changes omitted]"
154			fi
155			backup_file add $_file $CUR $BACK
156		fi
157	else
158		if [ -f $CUR ]; then
159			printf "\n======\n%s removed\n======\n" $_file
160			if [ "$_printdiff" -ne 0 ]; then
161				diff ${diff_options} $CUR /dev/null
162			else
163				echo "[changes omitted]"
164			fi
165			backup_file remove $_file $CUR $BACK
166		fi
167	fi
168}
169
170
171# These are used several times.
172#
173awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
174awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
175for file in $special_files; do
176	[ -s $file ] && cat $file
177done | mtree -CM -k all > $SPECIALSPEC || exit 1
178
179
180# Check the master password file syntax.
181#
182if checkyesno check_passwd; then
183        # XXX: the sense of permit_star is reversed; the code works as
184        # implemented, but usage needs to be negated.
185	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
186	awk -v "len=$max_loginlen" \
187	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
188	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
189	    -v "permit_star=$permit_star" '
190	BEGIN {
191		while ( getline < "/etc/shells" > 0 ) {
192			if ($0 ~ /^\#/ || $0 ~ /^$/ )
193				continue;
194			shells[$1]++;
195		}
196		split(nowarn_shells_list, a);
197		for (i in a) nowarn_shells[a[i]]++;
198		split(nowarn_users_list, a);
199		for (i in a) nowarn_users[a[i]]++;
200		uid0_users_list="root toor"
201		split(uid0_users_list, a);
202		for (i in a) uid0_users[a[i]]++;
203		FS=":";
204	}
205
206	{
207		if ($0 ~ /^[	 ]*$/) {
208			printf "Line %d is a blank line.\n", NR;
209			next;
210		}
211		if (NF != 10 && ($1 != "+" || NF != 1))
212			printf "Line %d has the wrong number of fields.\n", NR;
213		if ($1 == "+" )  {
214			if (NF != 1 && $3 == 0)
215			    printf "Line %d includes entries with uid 0.\n",
216			        NR;
217			next;
218		}
219		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
220			printf "Login %s has non-alphanumeric characters.\n",
221			    $1;
222		if (length($1) > len)
223			printf "Login %s has more than "len" characters.\n",
224			    $1;
225		if ($2 == "" && !nowarn_users[$1])
226			    printf "Login %s has no password.\n", $1;
227		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
228		    if (length($2) != 13 &&
229		    	length($2) != 20 &&
230		    	$2 !~ /^\$1/ &&
231		    	$2 !~ /^\$2/ &&
232		    	$2 != "" &&
233			(permit_star || $2 != "*") &&
234		    	$2 !~ /^\*[A-z-]+$/ &&
235			$1 != "toor") {
236		    	    if ($10 == "" || shells[$10])
237				printf "Login %s is off but still has "\
238				  "a valid shell (%s)\n", $1, $10;
239		    } else if (! shells[$10])
240		    	    printf "Login %s does not have a valid "\
241			    "shell (%s)\n", $1, $10;
242		}
243		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
244			printf "Login %s has a user id of 0.\n", $1;
245		if ($3 < 0)
246			printf "Login %s has a negative user id.\n", $1;
247		if ($4 < 0)
248			printf "Login %s has a negative group id.\n", $1;
249	}' < $MP > $OUTPUT
250	if [ -s $OUTPUT ] ; then
251		printf "\nChecking the $MP file:\n"
252		cat $OUTPUT
253	fi
254
255	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
256	if [ -s $OUTPUT ] ; then
257		printf "\n$MP has duplicate user names.\n"
258		column $OUTPUT
259	fi
260
261# To not exclude 'toor', a standard duplicate root account, from the duplicate
262# account test, uncomment the line below (without egrep in it)and comment
263# out the line (with egrep in it) below it.
264#
265#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
266	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
267	if [ -s $TMP2 ] ; then
268		printf "\n$MP has duplicate user id's.\n"
269		while read uid; do
270			grep -w $uid $MPBYUID
271		done < $TMP2 | column
272	fi
273fi
274
275# Check the group file syntax.
276#
277if checkyesno check_group; then
278	GRP=/etc/group
279	awk -F: -v "len=$max_grouplen" '{
280		if ($0 ~ /^[	 ]*$/) {
281			printf "Line %d is a blank line.\n", NR;
282			next;
283		}
284		if (NF != 4 && ($1 != "+" || NF != 1))
285			printf "Line %d has the wrong number of fields.\n", NR;
286		if ($1 == "+" )  {
287			next;
288		}
289		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
290			printf "Group %s has non-alphanumeric characters.\n",
291			    $1;
292		if (length($1) > len)
293			printf "Group %s has more than "len" characters.\n", $1;
294		if ($3 !~ /[0-9]*/)
295			printf "Login %s has a negative group id.\n", $1;
296	}' < $GRP > $OUTPUT
297	if [ -s $OUTPUT ] ; then
298		printf "\nChecking the $GRP file:\n"
299		cat $OUTPUT
300	fi
301
302	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
303	if [ -s $OUTPUT ] ; then
304		printf "\n$GRP has duplicate group names.\n"
305		column $OUTPUT
306	fi
307fi
308
309# Check for root paths, umask values in startup files.
310# The check for the root paths is problematical -- it's likely to fail
311# in other environments.  Once the shells have been modified to warn
312# of '.' in the path, the path tests should go away.
313#
314if checkyesno check_rootdotfiles; then
315	rhome=~root
316	umaskset=no
317	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
318	for i in $list ; do
319		if [ -f $i ] ; then
320			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
321			then
322				umaskset=yes
323			fi
324			# Double check the umask value itself; ensure that
325			# both the group and other write bits are set.
326			#
327			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
328			awk '{
329				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
330					print "\tRoot umask is group writable"
331				}
332				if ($2 ~ /[^2367]$/) {
333					print "\tRoot umask is other writable"
334			    	}
335			    }' | sort -u
336			SAVE_PATH=$PATH
337			unset PATH
338			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
339				source $i
340				/bin/ls -ldgT \$path > $TMP1
341end-of-csh
342			export PATH=$SAVE_PATH
343			awk '{
344				if ($10 ~ /^\.$/) {
345					print "\tThe root path includes .";
346					next;
347				}
348			     }
349			     $1 ~ /^d....w/ \
350		{ print "\tRoot path directory " $10 " is group writable." } \
351			     $1 ~ /^d.......w/ \
352		{ print "\tRoot path directory " $10 " is other writable." }' \
353			< $TMP1
354		fi
355	done > $OUTPUT
356	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
357		printf "\nChecking root csh paths, umask values:\n$list\n\n"
358		if [ -s $OUTPUT ]; then
359			cat $OUTPUT
360		fi
361		if [ $umaskset = "no" ] ; then
362		    printf "\tRoot csh startup files do not set the umask.\n"
363		fi
364	fi
365
366	umaskset=no
367	list="/etc/profile ${rhome}/.profile"
368	for i in $list; do
369		if [ -f $i ] ; then
370			if egrep umask $i > /dev/null ; then
371				umaskset=yes
372			fi
373			egrep umask $i |
374			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
375				{ print "\tRoot umask is group writable" } \
376			     $2 ~ /[^2367]$/ \
377				{ print "\tRoot umask is other writable" }'
378			SAVE_PATH=$PATH
379			unset PATH
380			/bin/sh << end-of-sh > /dev/null 2>&1
381				. $i
382				list=\`echo \$PATH | /usr/bin/sed -e \
383				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
384				/bin/ls -ldgT \$list > $TMP1
385end-of-sh
386			export PATH=$SAVE_PATH
387			awk '{
388				if ($10 ~ /^\.$/) {
389					print "\tThe root path includes .";
390					next;
391				}
392			     }
393			     $1 ~ /^d....w/ \
394		{ print "\tRoot path directory " $10 " is group writable." } \
395			     $1 ~ /^d.......w/ \
396		{ print "\tRoot path directory " $10 " is other writable." }' \
397			< $TMP1
398
399		fi
400	done > $OUTPUT
401	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
402		printf "\nChecking root sh paths, umask values:\n$list\n"
403		if [ -s $OUTPUT ]; then
404			cat $OUTPUT
405		fi
406		if [ $umaskset = "no" ] ; then
407			printf "\tRoot sh startup files do not set the umask.\n"
408		fi
409	fi
410fi
411
412# Root and uucp should both be in /etc/ftpusers.
413#
414if checkyesno check_ftpusers; then
415	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
416	for i in $list; do
417		if /usr/libexec/ftpd -C $i ; then
418			printf "\t$i is not denied\n"
419		fi
420	done > $OUTPUT
421	if [ -s $OUTPUT ]; then
422		printf "\nChecking the /etc/ftpusers configuration:\n"
423		cat $OUTPUT
424	fi
425fi
426
427# Uudecode should not be in the /etc/mail/aliases file.
428#
429if checkyesno check_aliases; then
430	for f in /etc/mail/aliases /etc/aliases; do
431		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
432			printf "\nEntry for uudecode in $f file.\n"
433		fi
434	done
435fi
436
437# Files that should not have + signs.
438#
439if checkyesno check_rhosts; then
440	list="/etc/hosts.equiv /etc/hosts.lpd"
441	for f in $list ; do
442		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
443			printf "\nPlus sign in $f file.\n"
444		fi
445	done
446
447	# Check for special users with .rhosts files.  Only root and toor should
448	# have .rhosts files.  Also, .rhosts files should not have plus signs.
449	awk -F: '$1 != "root" && $1 != "toor" && \
450		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
451			{ print $1 " " $9 }' $MP |
452	sort -k2 |
453	while read uid homedir; do
454		if [ -f ${homedir}/.rhosts ] ; then
455			rhost=`ls -ldgT ${homedir}/.rhosts`
456			printf -- "$uid: $rhost\n"
457		fi
458	done > $OUTPUT
459	if [ -s $OUTPUT ] ; then
460		printf "\nChecking for special users with .rhosts files.\n"
461		cat $OUTPUT
462	fi
463
464	while read uid homedir; do
465		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
466		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
467			printf -- "$uid: + in .rhosts file.\n"
468		fi
469	done < $MPBYPATH > $OUTPUT
470	if [ -s $OUTPUT ] ; then
471		printf "\nChecking .rhosts files syntax.\n"
472		cat $OUTPUT
473	fi
474fi
475
476# Check home directories.  Directories should not be owned by someone else
477# or writable.
478#
479if checkyesno check_homes; then
480	checkyesno check_homes_permit_usergroups && \
481		permit_usergroups=1 || permit_usergroups=0
482	while read uid homedir; do
483		if [ -d ${homedir}/ ] ; then
484			file=`ls -ldgT ${homedir}`
485			printf -- "$uid $file\n"
486		fi
487	done < $MPBYPATH |
488	awk -v "usergroups=$permit_usergroups" '
489	     $1 != $4 && $4 != "root" \
490		{ print "user " $1 " home directory is owned by " $4 }
491	     $2 ~ /^-....w/ && (!usergroups || $5 != $1) \
492		{ print "user " $1 " home directory is group writable" }
493	     $2 ~ /^-.......w/ \
494		{ print "user " $1 " home directory is other writable" }' \
495	    > $OUTPUT
496	if [ -s $OUTPUT ] ; then
497		printf "\nChecking home directories.\n"
498		cat $OUTPUT
499	fi
500
501	# Files that should not be owned by someone else or readable.
502	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
503	while read uid homedir; do
504		for f in $list ; do
505			file=${homedir}/${f}
506			if [ -f $file ] ; then
507				printf -- "$uid $f `ls -ldgT $file`\n"
508			fi
509		done
510	done < $MPBYPATH |
511	awk  -v "usergroups=$permit_usergroups" '
512	     $1 != $5 && $5 != "root" \
513		{ print "user " $1 " " $2 " file is owned by " $5 }
514	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
515		{ print "user " $1 " " $2 " file is group readable" }
516	     $3 ~ /^-......r/ \
517		{ print "user " $1 " " $2 " file is other readable" }
518	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
519		{ print "user " $1 " " $2 " file is group writable" }
520	     $3 ~ /^-.......w/ \
521		{ print "user " $1 " " $2 " file is other writable" }' \
522	    > $OUTPUT
523
524	# Files that should not be owned by someone else or writable.
525	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
526	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
527	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
528	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
529	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
530	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
531	      .ssh/known_hosts2"
532	while read uid homedir; do
533		for f in $list ; do
534			file=${homedir}/${f}
535			if [ -f $file ] ; then
536				printf -- "$uid $f `ls -ldgT $file`\n"
537			fi
538		done
539	done < $MPBYPATH |
540	awk -v "usergroups=$permit_usergroups" '
541	     $1 != $5 && $5 != "root" \
542		{ print "user " $1 " " $2 " file is owned by " $5 }
543	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
544		{ print "user " $1 " " $2 " file is group writable" }
545	     $3 ~ /^-.......w/ \
546		{ print "user " $1 " " $2 " file is other writable" }' \
547	    >> $OUTPUT
548	if [ -s $OUTPUT ] ; then
549		printf "\nChecking dot files.\n"
550		cat $OUTPUT
551	fi
552fi
553
554# Mailboxes should be owned by user and unreadable.
555#
556if checkyesno check_varmail; then
557	ls -lA /var/mail | \
558	awk '	NR == 1 { next; }
559		$9 ~ /^\./ {next; }
560	    	$3 != $9 {
561			print "user " $9 " mailbox is owned by " $3
562		}
563		$1 != "-rw-------" {
564			print "user " $9 " mailbox is " $1 ", group " $4
565		}' > $OUTPUT
566	if [ -s $OUTPUT ] ; then
567		printf "\nChecking mailbox ownership.\n"
568		cat $OUTPUT
569	fi
570fi
571
572# NFS exports shouldn't be globally exported
573#
574if checkyesno check_nfs && [ -f /etc/exports ]; then
575	awk '{
576		# ignore comments and blank lines
577		if ($0 ~ /^\#/ || $0 ~ /^$/ )
578			next;
579
580		readonly = 0;
581		for (i = 2; i <= NF; ++i) {
582			if ($i ~ /-ro/)
583				readonly = 1;
584			else if ($i ~ /^-network=/)
585				next;
586			else if ($i !~ /^-/)
587				next;
588		}
589		if (readonly)
590			print "File system " $1 " globally exported, read-only."
591		else
592			print "File system " $1 " globally exported, read-write."
593	}' < /etc/exports > $OUTPUT
594	if [ -s $OUTPUT ] ; then
595		printf "\nChecking for globally exported file systems.\n"
596		cat $OUTPUT
597	fi
598fi
599
600# Display any changes in setuid files and devices.
601#
602if checkyesno check_devices; then
603	> $ERR
604	(
605	# Turn "foo !bar bax" into "-fstype foo -o ! -fstype bar -o -fstype bax"
606	ignfstypes=`echo $check_devices_ignore_fstypes | \
607		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' \
608		    -e's/^-o //'`
609	find / \( $ignfstypes \) -a -prune -o \
610	    \( \( -perm -u+s -a ! -type d \) -o \
611	       \( -perm -g+s -a ! -type d \) -o \
612	       -type b -o -type c \) -print0 | \
613	xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT
614
615	# Display any errors that occurred during system file walk.
616	if [ -s $OUTPUT ] ; then
617		printf "Setuid/device find errors:\n" >> $ERR
618		cat $OUTPUT >> $ERR
619		printf "\n" >> $ERR
620	fi
621
622	# Display any changes in the setuid file list.
623	egrep -v '^[bc]' $LIST > $TMP1
624	if [ -s $TMP1 ] ; then
625		# Check to make sure uudecode isn't setuid.
626		if grep -w uudecode $TMP1 > /dev/null ; then
627			printf "\nUudecode is setuid.\n" >> $ERR
628		fi
629
630		file=$work_dir/setuid
631		migrate_file "$backup_dir/setuid" "$file"
632		CUR=${file}.current
633		BACK=${file}.backup
634		if [ -s $CUR ] ; then
635			if cmp -s $CUR $TMP1 ; then
636				:
637			else
638				> $TMP2
639				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
640				if [ -s $OUTPUT ] ; then
641					printf "Setuid additions:\n" >> $ERR
642					tee -a $TMP2 < $OUTPUT >> $ERR
643					printf "\n" >> $ERR
644				fi
645
646				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
647				if [ -s $OUTPUT ] ; then
648					printf "Setuid deletions:\n" >> $ERR
649					tee -a $TMP2 < $OUTPUT >> $ERR
650					printf "\n" >> $ERR
651				fi
652
653				sort -k10 $TMP2 $CUR $TMP1 | \
654				    sed -e 's/[	 ][	 ]*/ /g' | \
655				    uniq -u > $OUTPUT
656				if [ -s $OUTPUT ] ; then
657					printf "Setuid changes:\n" >> $ERR
658					column -t $OUTPUT >> $ERR
659					printf "\n" >> $ERR
660				fi
661
662				backup_file update $TMP1 $CUR $BACK
663			fi
664		else
665			printf "Setuid additions:\n" >> $ERR
666			column -t $TMP1 >> $ERR
667			printf "\n" >> $ERR
668			backup_file add $TMP1 $CUR $BACK
669		fi
670	fi
671
672	# Check for block and character disk devices that are readable or
673	# writable or not owned by root.operator.
674	>$TMP1
675	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
676	    sd se ss uk up vnd wd xd xy"
677#	DISKLIST="$DISKLIST ct mt st wt"
678	for i in $DISKLIST; do
679		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
680		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
681	done
682
683	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
684		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
685		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
686	if [ -s $OUTPUT ] ; then
687		printf "\nChecking disk ownership and permissions.\n" >> $ERR
688		cat $OUTPUT >> $ERR
689		printf "\n" >> $ERR
690	fi
691
692	# Display any changes in the device file list.
693	egrep '^[bc]' $LIST | sort -k11 > $TMP1
694	if [ -s $TMP1 ] ; then
695		file=$work_dir/device
696		migrate_file "$backup_dir/device" "$file"
697		CUR=${file}.current
698		BACK=${file}.backup
699
700		if [ -s $CUR ] ; then
701			if cmp -s $CUR $TMP1 ; then
702				:
703			else
704				> $TMP2
705				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
706				if [ -s $OUTPUT ] ; then
707					printf "Device additions:\n" >> $ERR
708					tee -a $TMP2 < $OUTPUT >> $ERR
709					printf "\n" >> $ERR
710				fi
711
712				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
713				if [ -s $OUTPUT ] ; then
714					printf "Device deletions:\n" >> $ERR
715					tee -a $TMP2 < $OUTPUT >> $ERR
716					printf "\n" >> $ERR
717				fi
718
719				# Report any block device change. Ignore
720				# character devices, only the name is
721				# significant.
722				cat $TMP2 $CUR $TMP1 | \
723				    sed -e '/^c/d' | \
724				    sort -k11 | \
725				    sed -e 's/[	 ][	 ]*/ /g' | \
726				    uniq -u > $OUTPUT
727				if [ -s $OUTPUT ] ; then
728					printf "Block device changes:\n" >> $ERR
729					column -t $OUTPUT >> $ERR
730					printf "\n" >> $ERR
731				fi
732
733				backup_file update $TMP1 $CUR $BACK
734			fi
735		else
736			printf "Device additions:\n" >> $ERR
737			column -t $TMP1 >> $ERR
738			printf "\n" >> $ERR
739			backup_file add $TMP1 $CUR $BACK >> $ERR
740		fi
741	fi
742	if [ -s $ERR ] ; then
743		printf "\nChecking setuid files and devices:\n"
744		cat $ERR
745		printf "\n"
746	fi
747fi
748
749# Check special files.
750# Check system binaries.
751#
752# Create the mtree tree specifications using:
753#	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
754#	chown root:wheel DIR.secure
755#	chmod u+r,go= DIR.secure
756#
757# Note, this is not complete protection against Trojan horsed binaries, as
758# the hacker can modify the tree specification to match the replaced binary.
759# For details on really protecting yourself against modified binaries, see
760# the mtree(8) manual page.
761#
762if checkyesno check_mtree; then
763	if checkyesno check_mtree_follow_symlinks; then
764		check_mtree_flags="-L"
765	else
766		check_mtree_flags=""
767	fi
768	mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
769		grep -v '^mtree: dev/tty: Device not configured$' >&2
770	if [ -s $OUTPUT ]; then
771		printf "\nChecking special files and directories.\n"
772		cat $OUTPUT
773	fi
774
775	for file in /etc/mtree/*.secure; do
776		[ $file = '/etc/mtree/*.secure' ] && continue
777		tree=`sed -n -e '3s/.* //p' -e 3q $file`
778		mtree $check_mtree_flags -f $file -p $tree > $TMP1
779		if [ -s $TMP1 ]; then
780			printf "\nChecking $tree:\n"
781			cat $TMP1
782		fi
783	done > $OUTPUT
784	if [ -s $OUTPUT ]; then
785		printf "\nChecking system binaries:\n"
786		cat $OUTPUT
787	fi
788fi
789
790# Backup disklabels of available disks
791#
792if checkyesno check_disklabels; then
793		# migrate old disklabels
794	for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
795	    $backup_dir/disklabel.* 2>/dev/null`; do
796		migrate_file "$file" "$work_dir/${file##*/}"
797	done
798
799		# generate list of old disklabels & fdisks and remove them
800	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
801	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
802	xargs rm < $LABELS
803
804		# generate disklabels of all disks excluding:	cd fd md
805	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d/ { print $1; }'`
806	for i in $disks; do
807		disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
808	done
809
810		# if fdisk is available, generate fdisks for:	ed ld sd wd
811	if [ -x /sbin/fdisk ]; then
812		disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
813		for i in $disks; do
814			/sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
815		done
816	fi
817
818		# append list of new disklabels and fdisks
819	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* 2>/dev/null |
820	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
821	CHANGELIST="$LABELS $CHANGELIST"
822fi
823
824# Check for changes in the list of installed pkgs
825#
826if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
827	pkgs=$work_dir/pkgs
828	migrate_file "$backup_dir/pkgs" "$pkgs"
829	(	cd $pkgdb_dir
830		pkg_info | sort
831		echo ""
832		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
833			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
834	 ) > $pkgs
835	echo "$pkgs" > $PKGS
836	CHANGELIST="$PKGS $CHANGELIST"
837fi
838
839# List of files that get backed up and checked for any modifications.
840# Any changes cause the files to rotate.
841#
842if checkyesno check_changelist ; then
843	mtree -D -k type -f $SPECIALSPEC -E exclude |
844	    sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
845
846	(
847		# Add other files which might dynamically exist:
848		#	/etc/ifconfig.*
849		#	/etc/raid*.conf
850		#	/etc/rc.d/*
851		#	/etc/rc.conf.d/*
852		#
853		echo "/etc/ifconfig.*"
854		echo "/etc/raid*.conf"
855		echo "/etc/rc.d/*"
856		echo "/etc/rc.conf.d/*"
857
858		# Add /etc/changelist
859		#
860		if [ -s /etc/changelist ]; then
861			grep -v '^#' /etc/changelist
862		fi
863	) | while read file; do
864		case "$file" in
865		*[\*\?\[]*)	# If changelist line is a glob ...
866				# ... expand possible backup files
867				#
868			ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
869			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
870				
871				# ... expand possible files
872				#
873			ls -1d $(echo $file) 2>/dev/null
874			;;
875		*)
876				# Otherwise, just print the filename
877			echo $file
878			;;
879		esac
880	done >> $CHANGEFILES
881	CHANGELIST="$CHANGEFILES $CHANGELIST"
882fi
883
884# Special case backups, including the master password file and
885# ssh private host keys. The normal backup mechanisms for
886# $check_changelist (see below) also print out the actual file
887# differences and we don't want to do that for these files
888#
889echo $MP > $TMP1			# always add /etc/master.passwd
890mtree -D -k type -f $SPECIALSPEC -I nodiff |
891    sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
892grep -v '^$' $TMP1 | sort -u > $TMP2
893
894while read file; do
895	backup_and_diff "$file" no
896done < $TMP2
897
898
899if [ -n "$CHANGELIST" ]; then
900	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
901	comm -23 $TMP1 $TMP2 | while read file; do
902		backup_and_diff "$file" yes
903	done
904fi
905
906if [ -f /etc/security.local ]; then
907	. /etc/security.local > $OUTPUT 2>&1
908	if [ -s $OUTPUT ] ; then
909		printf "\nRunning /etc/security.local:\n"
910		cat $OUTPUT
911	fi
912fi
913