From owner-freebsd-security Mon Dec 23 20:19:05 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA07778 for security-outgoing; Mon, 23 Dec 1996 20:19:05 -0800 (PST)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id UAA07771 for ; Mon, 23 Dec 1996 20:18:58 -0800 (PST)
Received: from localhost (steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) with SMTP id UAA02759 for ; Mon, 23 Dec 1996 20:18:54 -0800
X-Authentication-Warning: bitbucket.edmweb.com: steve owned process doing -bs
Date: Mon, 23 Dec 1996 20:18:53 -0800 (PST)
From: Steve Reid
Reply-To: Steve Reid
To: freebsd-security@freebsd.org
Subject: Re: Holes in default cron jobs (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The only problem they mention in FreeBSD is in /etc/security. Rather than
use the OpenBSD /etc/security, I've copied the tmp file change into
FreeBSD's /etc/security.

I'm running 2.1.6.1-RELEASE, but the machine was originally a
2.1.0-RELEASE... Has the /etc/security been updated since then?

Here's my modified /etc/security. Let me know what you think.

#!/bin/sh -
#
#	@(#)security	5.3 (Berkeley) 5/28/91
#	$Id: security,v 1.8 1995/05/27 01:37:44 ache Exp $
#
PATH=/sbin:/bin:/usr/bin

host=`hostname -s`
echo "Subject: $host security check output"

LOG=/var/log
TDIR=/tmp/_secure.$$

umask 027

# Here's my modification, also rmdir later
if ! mkdir $TDIR ; then
	echo $TDIR already exists
	ls -alF $TDIR
	exit 1
fi

TMP=$TDIR/secure

echo "checking setuid files and devices:"

# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | sed 's;/dev/;&r;' | awk '{ print $3 }'`
set $MP
while test $# -ge 1; do
	mount=$1
	shift
	find $mount -xdev \( -perm -u+s -or -perm -g+s \) | sort
done | xargs -n 20 ls -lgTd > $TMP

if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
	echo "$host setuid/device diffs:"
	diff -b $LOG/setuid.today $TMP
	mv $LOG/setuid.today $LOG/setuid.yesterday
	mv $TMP $LOG/setuid.today
fi
rm -f $TMP
rmdir $TDIR

echo ""
echo ""
echo "checking for uids of 0:"
awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd
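
Added example, not part of the message above or of FreeBSD's /etc/security: a runnable check of the property the mkdir change relies on, namely that mkdir refuses any name that already exists, symlinks included, so the script never writes through a pre-planted entry. The function names and the scratch directory standing in for /tmp are assumptions of this example, and it uses umask 077 rather than the script's 027.

```sh
#!/bin/sh
# Added example (not from the original message). The function names and the
# sandbox layout are made up for this demonstration.

# Create "$1" as a brand-new directory with mode 0700.
# mkdir(2) fails with EEXIST when anything already has that name (file,
# directory, or symlink, dangling or not), so a pre-planted entry is never
# followed or reused. umask is set in a subshell to leave the caller's alone.
make_private_dir() {
    ( umask 077 && mkdir -- "$1" ) 2>/dev/null || return 1
    # Belt and braces: what we got must be a real directory, not a symlink.
    [ -d "$1" ] && [ ! -L "$1" ]
}

# Report "created" or "refused" for one attempt.
attempt() {
    if make_private_dir "$1"; then echo created; else echo refused; fi
}

# Constructed scenario: a scratch directory stands in for /tmp, and the
# _secure.N names stand in for the script's /tmp/_secure.$$.
run_demo() {
    base=$(mktemp -d) || return 2

    fresh=$(attempt "$base/_secure.1")          # name is free
    mode=$(ls -ld "$base/_secure.1" | cut -c1-10)

    ln -s "$base/elsewhere" "$base/_secure.2"   # dangling symlink planted first
    symlink=$(attempt "$base/_secure.2")
    # The refusal must not have created the symlink's target.
    if [ -e "$base/elsewhere" ]; then target=touched; else target=untouched; fi

    mkdir "$base/_secure.3"                     # directory planted first
    existing=$(attempt "$base/_secure.3")

    rm -rf "$base"
    echo "fresh=$fresh mode=$mode symlink=$symlink target=$target existing=$existing"
}

run_demo
```

A refusal means the check does not run at all, so the "already exists" message in the cron output is itself worth alerting on.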