From owner-svn-src-stable@FreeBSD.ORG  Sun Feb  6 13:59:04 2011
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 466A4106564A;
	Sun,  6 Feb 2011 13:59:04 +0000 (UTC)
	(envelope-from brooks@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 33E818FC08;
	Sun,  6 Feb 2011 13:59:04 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p16Dx4ue067008;
	Sun, 6 Feb 2011 13:59:04 GMT (envelope-from brooks@svn.freebsd.org)
Received: (from brooks@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id p16Dx4WU067003;
	Sun, 6 Feb 2011 13:59:04 GMT (envelope-from brooks@svn.freebsd.org)
Message-Id: <201102061359.p16Dx4WU067003@svn.freebsd.org>
From: Brooks Davis <brooks@FreeBSD.org>
Date: Sun, 6 Feb 2011 13:59:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r218372 - in stable/8: etc/defaults
	etc/periodic/security share/man/man5
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
	<svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>, 
	<mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
	<mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Feb 2011 13:59:04 -0000

Author: brooks
Date: Sun Feb  6 13:59:03 2011
New Revision: 218372
URL: http://svn.freebsd.org/changeset/base/218372

Log:
  MFC r215213:
  
  Add an (off by default) check for negative permissions (where the
  group on a object has less permissions than everyone).  These
  permissions will not work reliably over NFS if you have more than
  14 supplemental groups and are usually not what you mean.

Added:
  stable/8/etc/periodic/security/110.neggrpperm
     - copied unchanged from r215213, head/etc/periodic/security/110.neggrpperm
Modified:
  stable/8/etc/defaults/periodic.conf
  stable/8/etc/periodic/security/Makefile
  stable/8/share/man/man5/periodic.conf.5
Directory Properties:
  stable/8/etc/   (props changed)
  stable/8/share/man/man5/   (props changed)

Modified: stable/8/etc/defaults/periodic.conf
==============================================================================
--- stable/8/etc/defaults/periodic.conf	Sun Feb  6 13:17:40 2011	(r218371)
+++ stable/8/etc/defaults/periodic.conf	Sun Feb  6 13:59:03 2011	(r218372)
@@ -157,6 +157,9 @@ daily_status_security_diff_flags="-b -u"
 # 100.chksetuid
 daily_status_security_chksetuid_enable="YES"
 
+# 110.neggrpperm
+daily_status_security_neggrpperm_enable="NO"
+
 # 200.chkmounts
 daily_status_security_chkmounts_enable="YES"
 #daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching

Copied: stable/8/etc/periodic/security/110.neggrpperm (from r215213, head/etc/periodic/security/110.neggrpperm)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/8/etc/periodic/security/110.neggrpperm	Sun Feb  6 13:59:03 2011	(r218372, copy of r215213, head/etc/periodic/security/110.neggrpperm)
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+rc=0
+
+case "$daily_status_security_neggrpperm_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo 'Checking negative group permissions:'
+	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
+	n=$(find -sx $MP /dev/null -type f \
+	    \( \( ! -perm +010 -and -perm +001 \) -or \
+	    \( ! -perm +020 -and -perm +002 \) -or \
+	    \( ! -perm +040 -and -perm +004 \) \) \
+	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
+	[ $n -gt 0 ] && rc=1 || rc=0
+	;;
+esac
+
+exit $rc

Modified: stable/8/etc/periodic/security/Makefile
==============================================================================
--- stable/8/etc/periodic/security/Makefile	Sun Feb  6 13:17:40 2011	(r218371)
+++ stable/8/etc/periodic/security/Makefile	Sun Feb  6 13:59:03 2011	(r218372)
@@ -3,6 +3,7 @@
 .include <bsd.own.mk>
 
 FILES=	100.chksetuid \
+	110.neggrpperm \
 	200.chkmounts \
 	300.chkuid0 \
 	400.passwdless \

Modified: stable/8/share/man/man5/periodic.conf.5
==============================================================================
--- stable/8/share/man/man5/periodic.conf.5	Sun Feb  6 13:17:40 2011	(r218371)
+++ stable/8/share/man/man5/periodic.conf.5	Sun Feb  6 13:59:03 2011	(r218372)
@@ -482,6 +482,14 @@ Set to
 .Dq Li YES
 to compare the modes and modification times of setuid executables with
 the previous day's values.
+.It Va daily_status_security_neggrpperm_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check for files where the group of a file has less permissions than
+the world at large.
+When users are in more than 14 supplemental groups these negative
+permissions may not be enforced via NFS shares.
 .It Va daily_status_security_chkmounts_enable
 .Pq Vt bool
 Set to