From owner-svn-src-all@FreeBSD.ORG Sat Nov 13 00:40:44 2010
Message-Id: <201011130040.oAD0ehWw029100@svn.freebsd.org>
From: Brooks Davis
Date: Sat, 13 Nov 2010 00:40:43 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r215213 - in head: etc/defaults etc/periodic/security share/man/man5

Author: brooks
Date: Sat Nov 13 00:40:43 2010
New Revision: 215213
URL: http://svn.freebsd.org/changeset/base/215213

Log:
  Add an (off by default) check for negative permissions (where the group
  on an object has fewer permissions than everyone). These permissions
  will not work reliably over NFS if you have more than 14 supplemental
  groups and are usually not what you mean.

  MFC after: 1 week

Added:
  head/etc/periodic/security/110.neggrpperm
     - copied, changed from r213358, head/etc/periodic/security/100.chksetuid
Modified:
  head/etc/defaults/periodic.conf
  head/etc/periodic/security/Makefile
  head/share/man/man5/periodic.conf.5

Modified: head/etc/defaults/periodic.conf ============================================================================== --- head/etc/defaults/periodic.conf Fri Nov 12 22:59:50 2010 (r215212) +++ head/etc/defaults/periodic.conf Sat Nov 13 00:40:43 2010 (r215213)
@@ -160,6 +160,9 @@ daily_status_security_diff_flags="-b -u" # 100.chksetuid daily_status_security_chksetuid_enable="YES" +# 110.neggrpperm +daily_status_security_neggrpperm_enable="NO" + # 200.chkmounts daily_status_security_chkmounts_enable="YES" #daily_status_security_chkmounts_ignore="^amd:" # Don't check matching Copied and modified: head/etc/periodic/security/110.neggrpperm (from r213358, head/etc/periodic/security/100.chksetuid) ============================================================================== --- head/etc/periodic/security/100.chksetuid Sat Oct 2 11:45:18 2010 (r213358, copy source) +++ head/etc/periodic/security/110.neggrpperm Sat Nov 13 00:40:43 2010 (r215213) @@ -35,23 +35,19 @@ then source_periodic_confs fi -. /etc/periodic/security/security.functions - rc=0 -case "$daily_status_security_chksetuid_enable" in +case "$daily_status_security_neggrpperm_enable" in [Yy][Ee][Ss]) echo "" - echo 'Checking setuid files and devices:' + echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - find -sx $MP /dev/null -type f \ - \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | - check_diff setuid - "${host} setuid diffs:" - rc=$? - ;; - *) - rc=0 + n=$(find -sx $MP /dev/null -type f \ + \( \( ! -perm +010 -and -perm +001 \) -or \ + \( ! -perm +020 -and -perm +002 \) -or \ + \( ! -perm +040 -and -perm +004 \) \) \ + -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 ;; esac Modified: head/etc/periodic/security/Makefile ============================================================================== --- head/etc/periodic/security/Makefile Fri Nov 12 22:59:50 2010 (r215212) +++ head/etc/periodic/security/Makefile Sat Nov 13 00:40:43 2010 (r215213) 
@@ -3,6 +3,7 @@ .include FILES= 100.chksetuid \ + 110.neggrpperm \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ Modified: head/share/man/man5/periodic.conf.5 ============================================================================== --- head/share/man/man5/periodic.conf.5 Fri Nov 12 22:59:50 2010 (r215212) +++ head/share/man/man5/periodic.conf.5 Sat Nov 13 00:40:43 2010 (r215213) @@ -482,6 +482,14 @@ Set to .Dq Li YES to compare the modes and modification times of setuid executables with the previous day's values. +.It Va daily_status_security_neggrpperm_enable +.Pq Vt bool +Set to +.Dq Li YES +to check for files where the group of a file has less permissions than +the world at large. +When users are in more than 14 supplemental groups these negative +permissions may not be enforced via NFS shares. .It Va daily_status_security_chkmounts_enable .Pq Vt bool Set to
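Review bot: the new `daily_status_security_neggrpperm_enable="NO"` line in etc/defaults/periodic.conf gives no hint of why it defaults to NO, while the chkmounts lines right after it show this file's habit of a trailing `# ...` comment; a one-line comment citing the NFS supplementary-group caveat from the log message would tell an administrator when the check is worth switching on.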
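Review bot: in 110.neggrpperm the mount-point filter `awk '$0 !~ /no(suid|exec)/'` was inherited from 100.chksetuid and does not fit this check: a nosuid or noexec filesystem can still hold files whose group has less read or write access than the world, and the NFS problem described in the log message applies to them just the same, so the filter silently skips them. Drop the awk filter (or keep only a noexec exclusion if that was deliberate) so every ufs/zfs mount point is scanned. Two smaller points in the same hunk: `-type f` means a directory with negative group bits is never reported, although the log message speaks of objects generally; and the list is sent through `tee /dev/stderr` while the 'Checking negative group permissions:' heading goes to stdout, so the two streams may be collected in different order by periodic(8). Capturing the list in a variable, echoing it on stdout and testing `[ -n "$list" ]` avoids both the stderr detour and the `wc -l` count. Since the `security.functions` include and `check_diff` were removed, this script prints the full list on every run instead of a day-over-day diff, which is reasonable for an opt-in check but should be stated in the man page text.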
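Review bot: in the periodic.conf.5 addition, 'less permissions' should read 'fewer permissions', and the sentence should say precisely what is reported: regular files only (the script scans `-type f`) for which some read, write or execute bit is granted to others but not to the group, listed in full on each run rather than compared with the previous day's values as the chksetuid entry just above describes.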
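The log message and the new periodic.conf.5 text describe negative group permissions and say they stop being enforced over NFS once a user has more than 14 supplementary groups. The following is an added example, written for this page and not code from the commit or from FreeBSD, that models both halves: `negative_group_perms` mirrors the three clauses of the find(1) expression on plain mode bits, `unix_access` is the ordinary owner/group/other check in which the first matching class decides, and `nfs_authsys_access` re-runs that check with the supplementary-group list cut off after 14 entries. The uids, gids, paths and modes are constructed, and the truncation model (simply dropping the groups past position 14, with 14 taken from the log message) is an assumption about how a credential with a fixed-size group array behaves, not a description of any particular NFS client.

```python
"""Negative group permissions: the Unix access check picks ONE class
(owner, group or other) and never unions them, so a mode such as 0604 lets
the world read a file while denying the members of its group.  The second
half models why that stops working once the supplementary-group list is
truncated, which the commit message says happens over NFS.

Example code written for this page; not FreeBSD's 110.neggrpperm.
All uids, gids, paths and modes below are constructed."""

R, W, X = 4, 2, 1  # permission bits inside one 3-bit class


def negative_group_perms(mode: int) -> bool:
    """Same predicate as the find(1) expression in 110.neggrpperm:
    some bit is set for 'other' but clear for 'group'."""
    grp = (mode >> 3) & 0o7
    oth = mode & 0o7
    return any((oth & b) and not (grp & b) for b in (R, W, X))


def unix_access(mode, f_uid, f_gid, uid, gid, groups, want):
    """Discretionary access check for a non-root caller.  The first class
    the caller falls into decides; later classes are never consulted."""
    if uid == f_uid:
        bits = (mode >> 6) & 0o7
    elif gid == f_gid or f_gid in groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want


def nfs_authsys_access(mode, f_uid, f_gid, uid, gid, groups, want,
                       max_supplemental=14):
    """Same check with the supplementary list reduced to what fits in the
    credential.  ASSUMPTION: the limit (14, from the commit message) is
    modelled as dropping the groups past position 14; which groups a real
    client chooses to send may differ."""
    sent = list(groups)[:max_supplemental]
    return unix_access(mode, f_uid, f_gid, uid, gid, sent, want)


def scan(entries):
    """Mimic the periodic script's report over a constructed list of
    (path, mode) pairs instead of a live find(1) run."""
    return [path for path, mode in entries if negative_group_perms(mode)]


# Constructed sample "filesystem": (path, mode).
SAMPLE = [
    ("/srv/reports/q3.txt", 0o604),   # rw----r--: world reads, group cannot
    ("/srv/reports/README", 0o644),   # rw-r--r--: ordinary
    ("/srv/scripts/run.sh", 0o715),   # rwx--xr-x: group lacks r that other has
    ("/srv/private/key", 0o640),      # rw-r-----: restrictive, not negative
    ("/srv/drop/inbox", 0o606),       # rw----rw-: group cannot write, world can
]

# Constructed identities: file owned by uid 1000, group 2000 ("contractors").
OWNER_UID, CONTRACTORS = 1000, 2000


def demo():
    """Flag the sample files, then show one contractor (uid 1001, member of
    group 2000 only via her 20th supplementary group) being denied locally
    but granted read access once the credential is truncated."""
    flagged = scan(SAMPLE)
    alice_groups = [3000 + i for i in range(19)] + [CONTRACTORS]
    local = unix_access(0o604, OWNER_UID, CONTRACTORS,
                        1001, 1001, alice_groups, R)
    over_nfs = nfs_authsys_access(0o604, OWNER_UID, CONTRACTORS,
                                  1001, 1001, alice_groups, R)
    return flagged, local, over_nfs


if __name__ == "__main__":
    flagged, local, over_nfs = demo()
    print("negative group permissions found:", *flagged, sep="\n  ")
    print("contractor can read locally:", local)
    print("contractor can read via truncated credential:", over_nfs)
```

Running it lists the three constructed files whose group is more restricted than the world and shows the same 0604 file flipping from denied to readable for a group member once her group falls off the end of the credential; that mode is exactly what the script's `! -perm +040 -and -perm +004` clause catches.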