Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.
Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.
check_passwd_nowarn_shells Don't warn about these non-/etc/shells shells
check_passwd_nowarn_users Don't warn about these users
check_passwd_permit_star Don't warn about "*" in the $2 field
Behavior change: check_passwd_nowarn_shells defaults to /sbin/nologin and
/usr/libexec/uucp/uucico, so that it will not warn about the default
master.passwd.
The rationale here is that an administrator who chooses to permit these
warnable conditions should not be warned about them day after day, yet
should not be forced to disable check_passwd entirely.
check_passwd_permit_star is primarily of interest to sites who use *'d
entries for Kerberos or ssh logins, despite the fact that we permit
"*ssh" (etc.) for this purpose (legacy).
never puts it back properly. As such, jobs run later that expect
there to be a path will lose badly (eg, run lintpkgsrc -i from
security.local). Let's just re-export the PATH.
including checks for "backups that exist when actual file is deleted", a la
the existing mechanism used for "/etc/ifconfig.*" ... "/etc/rc.d/*" checks.
This resolves [security/15798] from Bob Kemp <bob@allegory.demon.co.uk>.
- Resurrect /etc/changelist, even if it's an "empty" file by default,
because it's easier to use than /etc/mtree/special.local for adding
a couple of simple files. Back by popular demand (hi @@@! :-)
- Add /etc/rc.d/* to the list of "dynamic" files; this notices changes
in user-added scripts
- Only calculate the mtree -I nomail list once, and re-use
- Use "cat foo | while read file" instead of "for file in `cat foo`" ;
handles whitespace better...
Features:
- Add a bunch of stuff to /etc/mtree/special to enable removal of
/etc/changelist:
- files which we want to monitor for changes but don't want to
see the diffs of (master.passwd, ssh_host_key, ...) are
tagged with "nomail"
- files which we don't want to monitor are tagged with "exclude"
(such as netgroup.db, kvm.db, ...)
- monitor /etc/mtree/special.local, /root/.ssh/*
- remove /etc/changelist, and a bunch of XXX comments
- use mtree(8)'s -D, -I, and -E to generate lists of files to
actually do the changelist stuff on.
- support /etc/mtree/special.local as an optional user-provided
version of /etc/mtree/special (effectively, an enhanced
/etc/changelist)
- Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/*
including support for these files being added and removed at will.
- If /sbin/fdisk exists, backup the output of "fdisk $disk" for all
the active disk drives as part of $check_disklabels
- Check permissions on: ~/.ssh/* ~/.shosts
Details:
- Reorder initialisation of defaults
- Remove special case for /etc/master.passwd "monitor but don't email diffs"
with general case for other similar files.
- Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...)
in "$backup_dir/work", to minimise name clashes.
- Add migrate_file(old, new) to do the hard work of migrating files
from the old `top level' /var/backups mechanism to the `full path'
mechanism recently added. Use this appropriately.
- Add backup_and_diff(file, printdiffs), to the hard work of backing-up
and diff-ing files.
- Cleanup use of shell redirects
- /bin/sh supports ~root globbing, so use it.
- Improve umask checking; use awk regex rather than awk math
of all installed pkgs and their +CONTENTS and +REQUIRED_BY files (if
they have one) and handling this file along with all the other
CHANGELIST stuff.
Greg Woods gets points for coming up with the idea.
Luke Mewburn asked me to do it, and provided lots of criticism along
the way.
1) If a password entry is of the form \*[A-z-]+, do not complain that
the account is off but has a valid password. Thus you can do
passwords like *ssh to indicate ssh only logins.
We should come up with a standard scheme for what various *keywords mean.
Note that if the field length is 13, 20 or 34 you'll still get
bitched at.
This code should be cleaned up. (So should the password scheme.)
2) If the entry is for "toor", don't complain that the account is off
but has a valid shell. We ship with toor:*:, there is no point in
complaining about it.
Part of the campaign against spurious security warning output.
to the basename of the file, use the whole path with $backup_dir
prepended, in effect mirrorring the directory tree. This eliminates
the possibility of a name collision.
Closes pr bin/12727.
directory from /var/backup (useful for those of us who have a separate /var
and would like to have our backup disklabels on the root filesystem).
Default behaviour unchanged. backup_dir being unset is taken as /var/backup.
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.
jhawk