Date:      Fri, 4 May 2012 11:02:01 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        Bryan Drewery <bryan@shatow.net>
Cc:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: Make filesystem type configurable for periodic(8)?
Message-ID:  <CAOjFWZ5gBNBcciDdXZhnykZY3HhxGaS1kXDvfs3QJbhr35XAHw@mail.gmail.com>
In-Reply-To: <4FA3FF18.4000309@shatow.net>
References:  <CAOjFWZ4VxyMLSzzWsUMj21HccZkzwPUtM5PWAS-oaaocCLN8Dw@mail.gmail.com> <4FA3FF18.4000309@shatow.net>


[-- Attachment #1 --]
On Fri, May 4, 2012 at 9:08 AM, Bryan Drewery <bryan@shatow.net> wrote:
> On 05/04/2012 11:05 AM, Freddie Cash wrote:
>> A few of the periodic(8) scripts in FreeBSD have constructs similar to
>> the following to get which filesystems to scan for various things:
>>     MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
>>
>> For systems with large ZFS pools, and many ZFS filesystems, these
>> periodic scripts can grind it to its knees, and then some.  For
>> backups servers where we don't really care about the
>> ownership/permissions of files from the FreeBSD perspective, we really
>> don't want the ZFS filesystems to be scanned; only the UFS ones for the
>> FreeBSD OS install.  To that end, I have to manually edit these files
>> to remove the ",zfs":
>>     MP=`mount -t ufs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
>>                           ^^^^^^^^
>> Would it be worthwhile to anyone else to make the filesystem type(s)
>> to scan via the periodic(8) scripts a variable that's set by default
>> in /etc/defaults/periodic.conf and that users can override via
>> /etc/periodic.conf?
>>
>> Or, am I the only one that's suffering here?  :)
>>
>> If there's interest in this, I can look into coming up with some
>> patches.  But wanted to check if anyone else would find it useful.
>>
>
> I would find this useful. But further, I have a ZFS root pool as well as
> a ZFS backup pool. I don't want to exclude all of ZFS, just certain
> pools, or even certain datasets.

Would you mind testing the attached patch?  It adds four new variables
for use in periodic.conf (defaults shown):

daily_status_security_chksetuid_fs="ufs,zfs"
daily_status_security_chksetuid_fs_ignore=""
daily_status_security_neggrpperm_fs="ufs,zfs"
daily_status_security_neggrpperm_fs_ignore=""

The _fs variables take filesystem types, as would be passed to
mount(8).  These limit the entire search based on type, so it's an
all-or-nothing approach.

The _fs_ignore variables are space separated lists of mountpoints to
skip.  So you can leave zfs in the _fs list, and then list specific
filesystems here that you do not want to be scanned.

I don't claim to be any great shell script writer, but this appears to
do the job.  Any suggestions, pointers, comments, etc. welcomed.  :)

-- 
Freddie Cash
fjwcash@gmail.com

[-- Attachment #2 --]
--- defaults/periodic.conf.orig	2012-05-04 10:44:13.000000000 -0700
+++ defaults/periodic.conf	2012-05-04 09:38:18.000000000 -0700
@@ -170,9 +170,13 @@
 
 # 100.chksetuid
 daily_status_security_chksetuid_enable="YES"
+daily_status_security_chksetuid_fs="ufs,zfs"		# Filesystem types to scan
+daily_status_security_chksetuid_fs_ignore=""		# List of filesystems to skip
 
 # 110.neggrpperm
 daily_status_security_neggrpperm_enable="YES"
+daily_status_security_neggrpperm_fs="ufs,zfs"		# Filesystem types to scan
+daily_status_security_neggrpperm_fs=""			# List of filesystems to skip
 
 # 200.chkmounts
 daily_status_security_chkmounts_enable="YES"
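Review bot: the second added line under "# 110.neggrpperm" sets daily_status_security_neggrpperm_fs="" where the name should be daily_status_security_neggrpperm_fs_ignore="". As written it clobbers the "ufs,zfs" value assigned one line earlier, so 110.neggrpperm would run `mount -t` with an empty type list, and the _fs_ignore default described in the cover mail is never defined. Suggested replacement:
daily_status_security_neggrpperm_fs_ignore=""		# List of filesystems to skip
A smaller point: "List of filesystems to skip" reads as filesystem types; "space-separated mountpoints to skip" matches the description in the mail.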

--- periodic/security/100.chksetuid.orig	2012-05-04 10:46:05.000000000 -0700
+++ periodic/security/100.chksetuid	2012-05-04 10:46:47.000000000 -0700
@@ -43,7 +43,12 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo 'Checking setuid files and devices:'
-	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
+	if [ -z "$daily_status_security_chksetuid_fs_ignore" ]; then
+		MP=`mount -t $daily_status_security_chksetuid_fs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
+	else
+		daily_status_security_chksetuid_fs_ignore=` echo $daily_status_security_chksetuid_fs_ignore | sed 's/\ /\|/g'`
+		MP=`mount -t $daily_status_security_chksetuid_fs | awk '$0 !~ /no(suid|exec)/ { print $3 }'| egrep -ve "$daily_status_security_chksetuid_fs_ignore"`
+	fi
 	find -sx $MP /dev/null -type f \
 	    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
 	    \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
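Review bot: the ignore list is turned into an unanchored egrep alternation (`sed 's/\ /\|/g'` joins the entries with `|`) and applied with `egrep -ve`, so ignoring "/backup" also drops "/backup2" and "/var/backup", and any regex metacharacter in a mountpoint name changes what is matched. Anchor the pattern (for example "^(entry1|entry2)$", or use `egrep -vx`) or compare the mountpoint field exactly. Two smaller points in the same else branch: `echo $daily_status_security_chksetuid_fs_ignore` is unquoted, and the user's configured variable is overwritten in place; writing the derived pattern to a separate variable keeps the configured value intact for anything later in the script.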

--- periodic/security/110.neggrpperm.orig	2012-05-04 10:54:23.000000000 -0700
+++ periodic/security/110.neggrpperm	2012-05-04 10:48:16.000000000 -0700
@@ -41,6 +41,12 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo 'Checking negative group permissions:'
+	if [ -z "$daily_status_security_neggrpperm_fs_ignore" ]; then
+		MP=`mount -t $daily_status_security_neggrpperm_fs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
+	else
+		daily_status_security_neggrpperm_fs_ignore=` echo $daily_status_security_neggrpperm_fs_ignore | sed 's/\ /\|/g'`
+		MP=`mount -t $daily_status_security_neggrpperm_fs | awk '$0 !~ /no(suid|exec)/ { print $3 }'| egrep -ve "$daily_status_security_neggrpperm_fs_ignore"`
+        fi
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
 	n=$(find -sx $MP /dev/null -type f \
 	    \( \( ! -perm +010 -and -perm +001 \) -or \
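Review bot: the original `MP=`mount -t ufs,zfs | awk ...`` line is still present as an unchanged context line immediately after the new `fi`, so it overwrites $MP and the new if/else block has no effect; that line needs to be a `-` line here, as it is in the 100.chksetuid hunk. Also, the closing `fi` is indented with spaces while the surrounding lines use tabs, and the unanchored-pattern concern raised for 100.chksetuid applies to this copy of the egrep filter as well.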

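As an added example (not code from the patch above or from FreeBSD itself), here is a mountpoint selector that does what the _fs and _fs_ignore variables describe, but matches ignored mountpoints exactly instead of as an unanchored regex. The `mount` output, the function name and the sample mountpoints are constructed for the example.

```shell
#!/bin/sh
# Added example: pick mountpoints to scan from mount(8)-style output,
# honouring a comma-separated type list and a space-separated ignore list.

# Constructed sample of `mount` output, standing in for the real command.
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
tank/backup on /backup (zfs, local, nfsv4acls)
tank/backup2 on /backup2 (zfs, local, nfsv4acls)
tank/home on /home (zfs, local, nosuid, nfsv4acls)
tank/data on /data (zfs, local, nfsv4acls)'

# scan_mountpoints FSTYPES IGNORE
#   FSTYPES: comma-separated types as given to mount -t (e.g. "ufs,zfs")
#   IGNORE:  space-separated mountpoints to skip, matched exactly
# Reads mount(8)-style lines on stdin and prints the mountpoints to scan.
scan_mountpoints() {
    fstypes=$1
    ignore=$2
    # Turn "ufs,zfs" into the anchored regex "^(ufs|zfs)$" for the type field.
    typere="^($(printf '%s' "$fstypes" | sed 's/,/|/g'))$"
    awk -v typere="$typere" -v ignore=" $ignore " '
        # Field 4 is "(type," in mount(8) output; strip the paren and comma.
        { type = $4; gsub(/[(,]/, "", type) }
        # Skip nosuid/noexec mounts, as the periodic scripts already do.
        $0 ~ /no(suid|exec)/ { next }
        # Keep only the requested filesystem types.
        type !~ typere { next }
        # Exact match against the padded ignore list, so that ignoring
        # /backup does not also drop /backup2 or /var/backup.
        index(ignore, " " $3 " ") > 0 { next }
        { print $3 }
    '
}

# Demo on the constructed sample: skip /backup but still scan /backup2.
printf '%s\n' "$SAMPLE_MOUNT" | scan_mountpoints "ufs,zfs" "/backup"
```

The resulting list can be handed to `find -sx` exactly as $MP is in the periodic scripts.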