From owner-freebsd-security Sat Feb 22 22:36:36 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA23497 for security-outgoing; Sat, 22 Feb 1997 22:36:36 -0800 (PST)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA23492; Sat, 22 Feb 1997 22:36:34 -0800 (PST)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id WAA25530; Sat, 22 Feb 1997 22:36:29 -0800 (PST)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA06143; Sat, 22 Feb 1997 22:36:28 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA22830; Sat, 22 Feb 1997 22:36:27 -0800 (PST)
Date: Sat, 22 Feb 1997 22:36:27 -0800 (PST)
From: Don Lewis
Message-Id: <199702230636.WAA22830@salsa.gv.tsc.tdk.com>
To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: improved setuid and device file checker for /etc/security
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

A few weeks ago I solicited input on how to prevent locate.updatedb and
/etc/security from wasting a lot of time digging around the article spool
on our news server. I got a lot of suggestions on different ways to tweak
these scripts to prevent this, but the suggestions mostly involved making
custom changes to these scripts that would be somewhat of a hassle to
maintain.

At least in the case of /etc/security, I came up with a scheme that should
be a lot more automatic. It's more complete in that it checks filesystems
other than UFS, such as NFS, since someone could sneak a setuid executable
onto one of these other filesystems. It doesn't check filesystems that are
mounted nosuid or noexec, since any setuid executables present on these
filesystems aren't a security threat.

These two features give you more incentive to mount filesystems nosuid or
noexec unless you have a good reason to do otherwise ;-)

I also added device file checking (other than their timestamps, which tend
to get updated). I also suppress the checking of the ownerships and
permissions on the tty devices, since these devices get chowned and
chmoded.

--------------------------------- Cut Here ---------------------------
# Fragment meant to be dropped into /etc/security in place of the existing
# setuid check; $TMP, $LOG and $host are set by the surrounding script.

echo "checking setuid files:"
# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
# mount(8) prints "<device> on <mountpoint> (<options>)"; skip any line whose
# trailing option list contains noexec or nosuid, then take the mount point.
MP=`mount | awk '!/\([^(]*(noexec|nosuid)[^(]*\)$/{ print $3 }'`
set $MP
while test $# -ge 1; do
	mount=$1
	shift
	# executable by someone, and setuid or setgid; -xdev keeps find on this
	# filesystem so each mount point is scanned exactly once
	find -X $mount -xdev -type f \
	    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
	    \( -perm -u+s -or -perm -g+s \) | sort
done | xargs -n 20 ls -lgTd > $TMP
if [ ! -f $LOG/setuid.today ] ; then
	echo "no $LOG/setuid.today"
	cp $TMP $LOG/setuid.today
fi
if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
	echo "$host setuid diffs:"
	diff -b $LOG/setuid.today $TMP
	mv $LOG/setuid.today $LOG/setuid.yesterday
	mv $TMP $LOG/setuid.today
fi
rm -f $TMP

echo ""
echo ""
echo "checking device files:"
# same idea as above, but only nodev mounts are skipped
MP=`mount | awk '!/\([^(]*nodev[^(]*\)$/{ print $3 }'`
set $MP
while test $# -ge 1; do
	mount=$1
	shift
	find -X $mount -xdev \( -type b -o -type c \) | sort
done | xargs -n 20 ls -lgTd | awk '{mode = $1; user = $3; group = $4;
	# tty devices get chowned/chmoded on every login: keep only the type
	# character of the mode and blank the owner and group so they do not
	# show up as diffs; $11 is the file name in "ls -lgTd" output
	if ($11 ~ /\/tty/) {
		mode = substr(mode, 1, 1) ".........";
		user = "";
		group = ""
	}
	printf "%7s %-2s %-8s %-8s %4s %9s %s\n", mode, $2, user, group, $5, $6, $11}' >> $TMP
if [ ! -f $LOG/device.today ] ; then
	echo "no $LOG/device.today"
	cp $TMP $LOG/device.today
fi
if cmp $LOG/device.today $TMP >/dev/null; then :; else
	echo "$host device diffs:"
	diff -b $LOG/device.today $TMP
	mv $LOG/device.today $LOG/device.yesterday
	mv $TMP $LOG/device.today
fi
rm -f $TMP
--------------------------------- Cut Here ---------------------------

---
Truck
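The two pieces of the post worth trying on their own are the mount-point filters (which decide what gets scanned) and the snapshot rotation (which decides what gets reported). The following is an added example, not code from Don Lewis's post, that pulls both out into shell functions and runs them over constructed input: a made-up set of mount(8) lines in the 4.4BSD "device on mountpoint (options)" format the post's awk expressions assume, including a mount point deliberately named /mnt/nosuid-test to show that the filter only looks at the trailing option list, and a hypothetical check_snapshot helper that reproduces the first-run, unchanged, and changed cases of the today/yesterday rotation. The function names and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example: mount filters and snapshot rotation from the /etc/security
# fragment, as stand-alone functions over constructed input.

# Constructed sample of mount(8) output (not from a real system).
SAMPLE_MOUNTS='/dev/sd0a on / (ufs, local)
/dev/sd0e on /usr (ufs, local)
/dev/sd1e on /var/news/spool (ufs, local, noexec, nosuid)
news:/export/news on /news (nfs, nosuid)
/dev/sd1f on /mnt/nosuid-test (ufs, local)
fileserver:/home on /home (nfs)
/dev/sd0d on /tmp (ufs, local, nodev)'

# Mount points worth scanning for setuid files: everything whose trailing
# "(...)" option list contains neither noexec nor nosuid. Because the regex
# requires a literal "(" before the keyword, "nosuid" inside a path (as in
# /mnt/nosuid-test) does not cause that filesystem to be skipped.
suid_mounts() {
    awk '!/\([^(]*(noexec|nosuid)[^(]*\)$/{ print $3 }'
}

# Mount points worth scanning for device nodes: everything not mounted nodev.
dev_mounts() {
    awk '!/\([^(]*nodev[^(]*\)$/{ print $3 }'
}

# Hypothetical helper emulating the post's rotation logic.
#   check_snapshot <kind> <new-listing> <log-dir>
# First run: store the listing as <kind>.today and return 1 (nothing to compare).
# Later runs: return 0 if unchanged; otherwise print a diff, rotate
# <kind>.today to <kind>.yesterday, install the new listing, return 1.
check_snapshot() {
    kind=$1; new=$2; log=$3
    if [ ! -f "$log/$kind.today" ]; then
        echo "no $log/$kind.today"
        cp "$new" "$log/$kind.today"
        return 1
    fi
    if cmp -s "$log/$kind.today" "$new"; then
        return 0
    fi
    echo "$kind diffs:"
    diff -b "$log/$kind.today" "$new" || true   # diff exits 1 when files differ
    mv "$log/$kind.today" "$log/$kind.yesterday"
    mv "$new" "$log/$kind.today"
    return 1
}

# Stand-alone demo: which of the sample mounts each check would visit.
echo "setuid scan would cover:"; printf '%s\n' "$SAMPLE_MOUNTS" | suid_mounts
echo "device scan would cover:"; printf '%s\n' "$SAMPLE_MOUNTS" | dev_mounts
```

check_snapshot takes the listing file as an argument so that the same function serves both the setuid and the device check, exactly as the two near-identical blocks in the post do; `cmp -s` replaces the `>/dev/null` redirection and the `|| true` after diff keeps a changed listing from aborting a caller that runs under `set -e`.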