Date: Sat, 13 Nov 2010 00:40:43 +0000 (UTC)
From: Brooks Davis <brooks@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r215213 - in head: etc/defaults etc/periodic/security share/man/man5
Message-ID: <201011130040.oAD0ehWw029100@svn.freebsd.org>
Author: brooks
Date: Sat Nov 13 00:40:43 2010
New Revision: 215213
URL: http://svn.freebsd.org/changeset/base/215213

Log:
  Add an (off by default) check for negative permissions (where the group on an object has fewer permissions than everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean.

  MFC after: 1 week

Added:
  head/etc/periodic/security/110.neggrpperm - copied, changed from r213358, head/etc/periodic/security/100.chksetuid
Modified:
  head/etc/defaults/periodic.conf
  head/etc/periodic/security/Makefile
  head/share/man/man5/periodic.conf.5

Modified: head/etc/defaults/periodic.conf
==============================================================================
--- head/etc/defaults/periodic.conf Fri Nov 12 22:59:50 2010 (r215212)
+++ head/etc/defaults/periodic.conf Sat Nov 13 00:40:43 2010 (r215213)
@@ -160,6 +160,9 @@ daily_status_security_diff_flags="-b -u" # 100.chksetuid daily_status_security_chksetuid_enable="YES" +# 110.neggrpperm +daily_status_security_neggrpperm_enable="NO" + # 200.chkmounts daily_status_security_chkmounts_enable="YES" #daily_status_security_chkmounts_ignore="^amd:" # Don't check matching

Copied and modified: head/etc/periodic/security/110.neggrpperm (from r213358, head/etc/periodic/security/100.chksetuid)
==============================================================================
--- head/etc/periodic/security/100.chksetuid Sat Oct 2 11:45:18 2010 (r213358, copy source)
+++ head/etc/periodic/security/110.neggrpperm Sat Nov 13 00:40:43 2010 (r215213)
@@ -35,23 +35,19 @@ then source_periodic_confs fi -. /etc/periodic/security/security.functions - rc=0 -case "$daily_status_security_chksetuid_enable" in +case "$daily_status_security_neggrpperm_enable" in [Yy][Ee][Ss]) echo "" - echo 'Checking setuid files and devices:' + echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - find -sx $MP /dev/null -type f \ - \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | - check_diff setuid - "${host} setuid diffs:" - rc=$? - ;; - *) - rc=0 + n=$(find -sx $MP /dev/null -type f \ + \( \( ! -perm +010 -and -perm +001 \) -or \ + \( ! -perm +020 -and -perm +002 \) -or \ + \( ! -perm +040 -and -perm +004 \) \) \ + -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 ;; esac Modified: head/etc/periodic/security/Makefile ============================================================================== --- head/etc/periodic/security/Makefile Fri Nov 12 22:59:50 2010 (r215212) +++ head/etc/periodic/security/Makefile Sat Nov 13 00:40:43 2010 (r215213) @@ -3,6 +3,7 @@ .include <bsd.own.mk> FILES= 100.chksetuid \ + 110.neggrpperm \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ Modified: head/share/man/man5/periodic.conf.5 ============================================================================== --- head/share/man/man5/periodic.conf.5 Fri Nov 12 22:59:50 2010 (r215212) +++ head/share/man/man5/periodic.conf.5 Sat Nov 13 00:40:43 2010 (r215213) 
@@ -482,6 +482,14 @@ Set to .Dq Li YES to compare the modes and modification times of setuid executables with the previous day's values. +.It Va daily_status_security_neggrpperm_enable +.Pq Vt bool +Set to +.Dq Li YES +to check for files where the group of a file has less permissions than +the world at large. +When users are in more than 14 supplemental groups these negative +permissions may not be enforced via NFS shares. .It Va daily_status_security_chkmounts_enable .Pq Vt bool Set to
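Review bot: in the 110.neggrpperm hunk, the mount-point filter inherited from 100.chksetuid, `MP=\`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'\``, still skips nosuid and noexec filesystems, but that exclusion only makes sense for a setuid check; a 0604 file on a noexec mount is still a negative-permission file and will still misbehave over NFS. Suggest dropping the awk pattern and taking every ufs/zfs mount point. Two smaller points in the same hunk: `-type f` leaves out directories, which can carry the same negative group bits, and the only path by which the matching files reach the report is `tee /dev/stderr`, which relies on periodic(8) capturing stderr alongside stdout; writing the listing to a temporary file and counting that would make the output independent of how stderr is handled. The `[ $n -gt 0 ] && rc=1 || rc=0` exit convention is correct for periodic, and removing the `security.functions` include is fine since `check_diff` is no longer used.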
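Review bot: in the periodic.conf.5 hunk, "less permissions" should be "fewer permissions", and the entry should say the check covers regular files only (the script uses `-type f`) and reports each offending file rather than diffing against the previous day as the chksetuid entry above it describes. Suggested wording: "to check for regular files whose group has fewer permissions than the world at large."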
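The predicate the new script runs, worked through as an added example that is not part of r215213 or of the FreeBSD tree. It rewrites the check portably: for a single-bit mask, POSIX `-perm -mode` (all listed bits set) is equivalent to the BSD-only `-perm +mode` (any listed bit set) used in 110.neggrpperm, so the same expression works with BSD and GNU find. It also goes one step beyond the committed script by including directories, which `-type f` skips. The function names, the sample tree and its modes are illustrative choices made for this example.

```shell
#!/bin/sh
# Added example, not part of r215213 or the FreeBSD tree: a portable version of
# the 110.neggrpperm predicate. For single-bit masks POSIX "-perm -mode" (all
# listed bits set) equals the BSD "-perm +mode" (any listed bit set) the script
# uses, so this runs under both BSD and GNU find. Names below are illustrative.

# List every regular file or directory under "$1" whose group is denied a
# permission bit that "other" is granted. Directories are included on purpose:
# the periodic script's -type f skips them, yet a 0705 directory is subject to
# the same NFS supplemental-group limit as a 0604 file.
neggrpperm_find() {
    find "$1" \( -type f -o -type d \) \
        \( \( ! -perm -010 -a -perm -001 \) -o \
           \( ! -perm -020 -a -perm -002 \) -o \
           \( ! -perm -040 -a -perm -004 \) \) -print
}

# Number of hits under "$1", with the padding BSD wc prints stripped.
neggrpperm_count() {
    neggrpperm_find "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: four objects with negative group bits, two without.
# Prints the directory path; the caller removes it.
neggrpperm_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/neggrp.XXXXXX") || return 1
    : > "$d/normal";     chmod 0644 "$d/normal"      # group == other: fine
    : > "$d/group_only"; chmod 0640 "$d/group_only"  # group > other: fine
    : > "$d/neg_read";   chmod 0604 "$d/neg_read"    # other may read, group may not
    : > "$d/neg_write";  chmod 0602 "$d/neg_write"   # other may write, group may not
    : > "$d/neg_exec";   chmod 0745 "$d/neg_exec"    # other may execute, group may not
    mkdir "$d/neg_dir";  chmod 0705 "$d/neg_dir"     # directory: missed by -type f
    printf '%s\n' "$d"
}

# Stand-alone run: build the tree, print the hits, and set rc the way the
# periodic script does (1 means "something to report" to periodic(8)).
tree=$(neggrpperm_demo_tree)
echo "Checking negative group permissions under $tree:"
neggrpperm_find "$tree"
n=$(neggrpperm_count "$tree")
rm -rf "$tree"
[ "$n" -gt 0 ] && rc=1 || rc=0
echo "found $n object(s), rc=$rc"
```

Running it lists neg_read, neg_write, neg_exec and neg_dir and reports rc=1; normal and group_only are left alone because the group is never granted less than the world. The NFS behaviour the commit message describes is not reproduced here; the example only shows which objects the mode test selects.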