From owner-freebsd-security Fri Mar 3 13: 5:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 2179F37B667; Fri, 3 Mar 2000 13:05:18 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id QAA44752; Fri, 3 Mar 2000 16:10:43 -0500 (EST) (envelope-from cjc)
Date: Fri, 3 Mar 2000 16:10:43 -0500 (EST)
From: "Crist J. Clark"
Message-Id: <200003032110.QAA44752@cc942873-a.ewndsr1.nj.home.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject:
Reply-To: cjc@cc942873-a.ewndsr1.nj.home.com
Cc: freebsd-security@freebsd.org
X-send-pr-version: 3.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Submitter-Id: current-users
>Originator: Crist J. Clark
>Organization:
>Confidential: no
>Synopsis: Add mount(8) check to /etc/security
>Severity: non-critical
>Priority: low
>Category: misc
>Release: FreeBSD 3.4-STABLE i386
>Class: change-request
>Environment:
FreeBSD 3.4-STABLE, distributed /etc/security file.
>Description:
The other day I had to change the way a filesystem was mounted to do some administrative tasks (specifically, I turned off the nosuid option). I guess I became distracted because I never re-enabled it until just noticing it recently. I was surprised and a little bit peeved that my /etc/security script would not notice a change in the way filesystems were mounted. Rather than just complain, I modified my own /etc/security's accordingly and decided the modification was something that no one could really argue against, so I'm submitting it here.
>How-To-Repeat:
Do anything to your filesystem mounts. /etc/security won't notice.
>Fix:
The structure of the added commands parallels the existing 'dmesg' check currently in place. Frankly, it's almost exactly the same, just different filenames and another command generating the initial output. The only thing I am unsure of is which is more aesthetically pleasing, using 'mount -p' output or taking 'mount' output and running it through a quick sed script to clean out the "writes:" information. At this point, I prefer the more verbose mount-sed combo. Both patches are included. Any constructive comments or criticisms appreciated.

The mount-sed combo,

--- /usr/src/etc/security Tue Dec 21 04:46:02 1999
+++ security Fri Mar 3 15:56:52 2000
@@ -48,6 +48,21 @@ mv $TMP $LOG/setuid.today fi +if mount | sed 's/, writes: [^\)]*//' > $TMP; then + if [ ! -f $LOG/mount.today ]; then + separator + echo "no $LOG/mount.today" + cp $TMP $LOG/mount.today + fi + if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else + separator + echo "$host changes in mounted filesystems:" + diff -b $LOG/mount.today $TMP + mv $LOG/mount.today $LOG/mount.yesterday + mv $TMP $LOG/mount.today + fi +fi + separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd Now for the mount-p version, --- /usr/src/etc/security Tue Dec 21 04:46:02 1999 +++ security Fri Mar 3 15:57:52 2000 @@ -48,6 +48,21 @@ mv $TMP $LOG/setuid.today fi +if mount -p > $TMP; then + if [ ! -f $LOG/mount.today ]; then + separator + echo "no $LOG/mount.today" + cp $TMP $LOG/mount.today + fi + if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else + separator + echo "$host changes in mounted filesystems:" + diff -b $LOG/mount.today $TMP + mv $LOG/mount.today $LOG/mount.yesterday + mv $TMP $LOG/mount.today + fi +fi + separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
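Review bot: in the mount-sed hunk, `if mount | sed 's/, writes: [^\)]*//' > $TMP; then` tests the exit status of sed, not of mount(8), so a failing mount(8) leaves an empty $TMP that the next lines diff against mount.today and then install as the new mount.today: that day's report lists every filesystem as gone, the next day's lists them all as reappeared, and the actual error is never printed. Capture mount(8)'s output first and only then run sed over it, checking mount's status, e.g. `mount > $TMP.mount && sed 's/, writes: [^)]*//' $TMP.mount > $TMP` (the `$TMP.mount` name is just a suggestion), or at least test `-s $TMP` before the cmp. Two smaller points: in a POSIX bracket expression the backslash in `[^\)]` is an ordinary character, not an escape, so `[^)]` says what is meant; and the write counters do need to be stripped, since they change between runs and would otherwise make the cmp fail every day.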
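Review bot: in the mount -p hunk the exit-status question does not arise, since `mount -p` is the only command in the condition, which is one argument for this variant; the other is that its output is the fstab(5) layout (device, mount point, type, options, dump, pass), so the options column is a fixed field rather than free text and the nosuid regression from the description shows up as a changed options field. Worth stating in the PR text for both variants: only the snapshot taken at run time is compared, so a filesystem remounted without nosuid and restored before the next daily run is never reported, while a plain umount/mount that merely changes the line order is reported as a change even when the options are identical (`diff -b` only ignores whitespace). Also, when cmp succeeds the `:` branch leaves $TMP in place, as the dmesg check this was modelled on does.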
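A field-by-field comparison of two snapshots, as an added example that is not part of the submitted patch or of FreeBSD's /etc/security: instead of a raw diff, it keys on the mount point so that a reordering caused by umount/mount is not confused with a hardening option (nosuid, noexec, nodev, ro) that went missing, and it refuses to compare an empty snapshot, which is what a failed mount(8) would leave behind. The snapshot layout is assumed to be the fstab-style `mount -p` output discussed in the PR; the sample snapshots and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the submitted patch or of FreeBSD's /etc/security.
# Compare two daily snapshots per mount point instead of with a raw diff, so
# that a reordering (umount + mount) is not confused with a hardening option
# that went missing. Snapshot lines are assumed to be in mount -p format:
#   device mountpoint fstype options dump pass

# check_mount_drift OLD NEW
# Prints one line per finding. Exit status: 1 if a hardening option was
# dropped, 2 if a snapshot is empty (e.g. mount(8) failed), 0 otherwise.
check_mount_drift() {
    # An empty snapshot would make every filesystem look removed (and the
    # NR==FNR idiom below would misfire), so refuse to compare it.
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then
        echo "empty snapshot: $1 or $2" >&2
        return 2
    fi
    awk '
    BEGIN { nh = split("nosuid noexec nodev ro", hard, " "); lost = 0 }
    # first file: remember device and options of each mount point
    NR == FNR { olddev[$2] = $1; oldopt[$2] = $4; next }
    {
        mp = $2; seen[mp] = 1
        if (!(mp in oldopt)) { print "added: " mp " " $1 " (" $4 ")"; next }
        cur = "," $4 ","; prev = "," oldopt[mp] ","; dropped = 0
        for (i = 1; i <= nh; i++) {
            key = "," hard[i] ","
            if (index(prev, key) && !index(cur, key)) {
                print "LOST " hard[i] ": " mp " (" oldopt[mp] " -> " $4 ")"
                dropped = 1; lost = 1
            }
        }
        if (!dropped && (olddev[mp] != $1 || oldopt[mp] != $4))
            print "changed: " mp " (" olddev[mp] " " oldopt[mp] " -> " $1 " " $4 ")"
    }
    END {
        for (mp in oldopt) if (!(mp in seen)) print "removed: " mp " " olddev[mp] " (" oldopt[mp] ")"
        exit lost
    }' "$1" "$2"
}

# write_samples DIR: constructed snapshots (not real mount output) for a demo.
# Between old and new, /usr lost nosuid, /usr and /home swapped order,
# /cdrom was unmounted and an NFS share appeared.
write_samples() {
    cat > "$1/old" <<'EOF'
/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1e /usr ufs rw,nosuid 2 2
/dev/ad0s1f /home ufs rw,nosuid,noexec 2 2
/dev/acd0c /cdrom cd9660 ro,noauto 0 0
EOF
    cat > "$1/new" <<'EOF'
/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1f /home ufs rw,nosuid,noexec 2 2
/dev/ad0s1e /usr ufs rw 2 2
server:/export /mnt nfs rw,nosuid 0 0
EOF
}

# Demo (run as: sh script.sh demo): /home is not reported even though it
# moved, /usr is flagged as LOST nosuid, /mnt as added, /cdrom as removed.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    check_mount_drift "$d/old" "$d/new"
    echo "exit status $?"
    rm -rf "$d"
fi
```

The exit status is the useful part for a cron-driven check: a non-zero status from the LOST case can be turned into the `separator` / `echo "$host ..."` block that /etc/security uses, while the informational added/removed/changed lines can be printed as they are.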