From owner-svn-src-all@freebsd.org Tue Sep 20 18:47:35 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 02E13BE2B2C; Tue, 20 Sep 2016 18:47:35 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AE12EAF1; Tue, 20 Sep 2016 18:47:34 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8KIlX1N043024; Tue, 20 Sep 2016 18:47:33 GMT (envelope-from asomers@FreeBSD.org) Received: (from asomers@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8KIlXAB043021; Tue, 20 Sep 2016 18:47:33 GMT (envelope-from asomers@FreeBSD.org) Message-Id: <201609201847.u8KIlXAB043021@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: asomers set sender to asomers@FreeBSD.org using -f From: Alan Somers Date: Tue, 20 Sep 2016 18:47:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r306048 - head/etc/periodic/security X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2016 18:47:35 -0000 Author: asomers Date: Tue Sep 20 18:47:33 2016 New Revision: 306048 URL: https://svnweb.freebsd.org/changeset/base/306048 Log: Fix periodic scripts when an NFS mount covers a local mount 100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS filesystems. But their logic contains an error. They also search through remote filesystems that are mounted on top of the root of a local filesystem. For example, if a user installs a FreeBSD system with the default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts /usr/home over NFS, these scripts would search through /usr/home. MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D7482 Modified: head/etc/periodic/security/100.chksetuid head/etc/periodic/security/110.neggrpperm Modified: head/etc/periodic/security/100.chksetuid ============================================================================== --- head/etc/periodic/security/100.chksetuid Tue Sep 20 18:38:16 2016 (r306047) +++ head/etc/periodic/security/100.chksetuid Tue Sep 20 18:47:33 2016 (r306048) @@ -46,7 +46,7 @@ then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - find -sx $MP /dev/null -type f \ + find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" Modified: head/etc/periodic/security/110.neggrpperm ============================================================================== --- head/etc/periodic/security/110.neggrpperm Tue Sep 20 18:38:16 2016 (r306047) +++ head/etc/periodic/security/110.neggrpperm Tue Sep 20 18:47:33 2016 (r306048) @@ -44,7 +44,7 @@ then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - n=$(find -sx $MP /dev/null -type f \ + n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( \( ! -perm +010 -and -perm +001 \) -or \ \( ! -perm +020 -and -perm +002 \) -or \ \( ! -perm +040 -and -perm +004 \) \) \