From owner-svn-src-all@freebsd.org Mon Oct 3 15:17:24 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4EE76AF3291; Mon, 3 Oct 2016 15:17:24 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 07321E09; Mon, 3 Oct 2016 15:17:23 +0000 (UTC) (envelope-from asomers@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u93FHNVk070258; Mon, 3 Oct 2016 15:17:23 GMT (envelope-from asomers@FreeBSD.org) Received: (from asomers@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u93FHNkT070256; Mon, 3 Oct 2016 15:17:23 GMT (envelope-from asomers@FreeBSD.org) Message-Id: <201610031517.u93FHNkT070256@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: asomers set sender to asomers@FreeBSD.org using -f From: Alan Somers Date: Mon, 3 Oct 2016 15:17:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r306644 - stable/10/etc/periodic/security X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Oct 2016 15:17:24 -0000 Author: asomers Date: Mon Oct 3 15:17:22 2016 New Revision: 306644 URL: https://svnweb.freebsd.org/changeset/base/306644 Log: MFC r306048 Fix periodic scripts when an NFS mount covers a local mount 100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS filesystems. But their logic contains an error. They also search through remote filesystems that are mounted on top of the root of a local filesystem. For example, if a user installs a FreeBSD system with the default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts /usr/home over NFS, these scripts would search through /usr/home. Modified: stable/10/etc/periodic/security/100.chksetuid stable/10/etc/periodic/security/110.neggrpperm Directory Properties: stable/10/ (props changed) Modified: stable/10/etc/periodic/security/100.chksetuid ============================================================================== --- stable/10/etc/periodic/security/100.chksetuid Mon Oct 3 15:14:58 2016 (r306643) +++ stable/10/etc/periodic/security/100.chksetuid Mon Oct 3 15:17:22 2016 (r306644) @@ -46,7 +46,7 @@ then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - find -sx $MP /dev/null -type f \ + find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" Modified: stable/10/etc/periodic/security/110.neggrpperm ============================================================================== --- stable/10/etc/periodic/security/110.neggrpperm Mon Oct 3 15:14:58 2016 (r306643) +++ stable/10/etc/periodic/security/110.neggrpperm Mon Oct 3 15:17:22 2016 (r306644) @@ -44,7 +44,7 @@ then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` - n=$(find -sx $MP /dev/null -type f \ + n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( \( ! -perm +010 -and -perm +001 \) -or \ \( ! -perm +020 -and -perm +002 \) -or \ \( ! -perm +040 -and -perm +004 \) \) \