Commit Graph

56 Commits

Author SHA1 Message Date
lukem
684e89f355 use mktemp(1) to create temporary directories, and ensure that cleanup traps
are setup asap.
2001-06-18 10:54:02 +00:00
lukem
bd7fad6c47 use symbolic signal names instead of numbers 2001-06-14 07:50:06 +00:00
atatat
6534ee3cfb When backing files listed in /etc/changelist, instead of truncating
to the basename of the file, use the whole path with $backup_dir
prepended, in effect mirrorring the directory tree.  This eliminates
the possibility of a name collision.

Closes pr bin/12727.
2001-05-10 14:19:27 +00:00
atatat
4e1cbd39fe Allow embedded hyphens in user names (and group names), just not as the
first or last character.
2001-05-10 14:10:15 +00:00
atatat
2811b1707a Provide the capability of storing backups via RCS instead of just a
"current" and a "last" (which is useless if you wanna know what you
changed last week).  Set the default to on.
2001-04-04 03:17:19 +00:00
hubertf
efc93d040b Run skeyaudit (only) from /etc/daily instead of /etc/security, else there's
some risk that the users don't get warned if an admin turns off running
/etc/security (by putting run_security=no into daily.conf).

Fixes PR 12267.
2001-03-15 02:23:47 +00:00
atatat
a99a7deee1 Allow md5 passwords of length 34 as passwords 2001-03-12 16:48:13 +00:00
jdolecek
4ceebb1156 Introduce max_grouplen - this determines the maximum permitted length
of group names, similarily to max_loginlen
2001-02-11 09:55:09 +00:00
abs
6258e0bf60 Add a new variable 'backup_dir', which can be used to change the backup
directory from /var/backup (useful for those of us who have a separate /var
and would like to have our backup disklabels on the root filesystem).
Default behaviour unchanged. backup_dir being unset is taken as /var/backup.
2001-01-09 17:30:29 +00:00
lukem
0c70e530af use ${foo##*/} instead of basename $foo. as suggested (with minor variation)
by Toru Nishimura <nisimura@itc.aist-nara.ac.jp>
2000-10-07 07:36:56 +00:00
christos
b4266bbcb7 PR/10982: kilbi@rad.rwth-aachen.de: Don't confuse printf with usernames
that start with -.
2000-09-10 21:27:50 +00:00
sommerfeld
9928e1fe95 Fix pr9320: improve umask checking for root's dotfiles.
Now even notices bogus umasks like 044
2000-07-02 22:27:47 +00:00
ad
fb3a33ff99 We may as well allow local additions to /etc/security, since it gets done
for the other periodic checks.
2000-05-26 17:08:21 +00:00
itojun
13c8f7a2df check /etc/mail/aliases on check_aliases.
/etc/aliases will be checked as well, if exists (for backward compatibility).
2000-05-05 18:28:53 +00:00
fair
065c791de8 Add skeyaudit to /etc/security (with a variable to disable) per PR 5871 2000-04-24 23:46:37 +00:00
christos
e597a72d0b Use cat -f to avoid denial of service attacks by people who make .rhosts
files fifos.
2000-01-15 01:15:12 +00:00
perry
4220708c27 We already had logic not to try to grab the disklabels of md's and
fd's -- add cd's to the list.
1999-09-05 15:11:42 +00:00
hubertf
8b10c79f68 Use standard variable "$0" for the whole line instead of the non-standard,
undocumented "$LINE".

Submitted in PR 7041 by Greg A. Woods <woods@weird.com>
1999-07-22 00:47:50 +00:00
kleink
357a0baaf8 Get rid of old-style chown operands. 1999-04-23 08:20:28 +00:00
wrstuden
ee6f8c2579 Add a commented-out duplicate id checker which doesn't exclude toor, and
add a comment saying how to switch it on.
1999-03-17 19:11:05 +00:00
wrstuden
d32be9a273 Modify duplicate user id check to exclude "toor". Any other uid 0
accounts will generate a message with that (those) account names, root, and
toor present in the list.
1999-03-17 02:58:11 +00:00
fair
7153b55a87 Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.
1999-03-16 06:18:17 +00:00
abs
dade5b2993 Handle + in master.passwd (From PR#4802).
Also, handle + in group and allow max_loginlen to be configurable.
1999-02-18 18:53:32 +00:00
tv
850ab15c3b Nix "Login %s is off but still has a valid shell" warning for 20-character
encrypted passwords generated by the NEWSALT option to passwd(1).
1998-09-14 19:42:42 +00:00
lukem
3a3b03bdd7 * if $check_disklabels=YES, backup and compare of disklabels of current disks.
should detect added or removed disks as well. backup labels go in
  /var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the
  changelist style backups have .current or .backup suffixes
* minor whitespace, formatting, and comment cleanup
1998-08-25 13:47:29 +00:00
lukem
8f59ce8e35 include rc.subr and use appropriately 1998-01-26 12:02:43 +00:00
mycroft
dae4e5df82 Deal with files in the changelist that are added or removed.
* When a file is removed, move its .current file to .backup.
* When a file is added, create its .current file.
* In either case, send a diff against /dev/null.
Mostly from Jim Bernard in PR 4183, with the removal case fixed.
1997-10-08 16:13:44 +00:00
lukem
90ec96df78 - use 'ftpd -C user' to check the format of /etc/ftpusers.
closes [security/4061]
- rename $MPPATH to $MPBYPATH, to clarify its use
1997-09-23 14:36:56 +00:00
lukem
f09b5e36c7 - don't print "Checking setuid files and devices:" if no problems
found (solves [security/4047])
- minor cleanup (rename a couple of variables, etc)
1997-09-18 05:16:19 +00:00
lukem
89fa41e9da - correct use of generated temporary files.
- clean up comments and generated output.
- clean up $SECUREDIR if SIGINT or SIGQUIT received.
- .rhosts may have to be world readable in NFS environments, so allow it to be.
- update list of disks to check for reasonable permissions
- don't show differences in /etc/master.passwd, as the encrypted strings may
  be sent. From reading comments earlier in the script, this was the intention
  anyway. Fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3994].
- when checking /etc/ftpusers, skip comment lines and only match full
  usernames.
  XXX: this should be enhanced to check lines of the enhanced ftpusers format.
1997-08-22 09:40:17 +00:00
lukem
0f26a04544 * ensure that check for '.' in root's $PATH doesn't yield a false positive.
fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3995]
* detect empty :: elements as '.' in a sh(1) path (leading :, trailing :,
  or ::)
1997-08-19 12:08:35 +00:00
lukem
fb34424eb0 * when checking /etc/master.passwd, read in /etc/shells for a list of
valid shells and then check each active account against that
* remove unnecessary ()s in a few printf's.
1997-06-24 02:32:38 +00:00
lukem
ff2ea5d139 * take advantage of xargs -0 when finding devices and set?id files
* use 'ls -q' in the above, so that characters that may cause problems
  in the output are replaced with '?'
1997-06-24 01:16:47 +00:00
lukem
d0b6172bfe Also check /etc/profile for setting of umask.
From Chris Jones <cjones@rupert.oscs.montana.edu> in [misc/3763]
1997-06-23 11:59:30 +00:00
lukem
b07aea8e1c Ignore blank lines and comments in /etc/exports
From Jaromir Dolecek <dolecek@moria.ics.muni.cz> in [misc/3691]
1997-06-23 01:49:15 +00:00
mycroft
d8dcc6580c Don't list directories with the setuid bit set or FIFOs. 1997-04-21 17:38:39 +00:00
mycroft
df1a64b9f5 Minor cleanup. 1997-04-21 11:19:57 +00:00
mycroft
4a0848acd9 When doing security checks in user home directory, sort by home directory, to
optimize lookups a little.
Also, add some more files to the naughty lists.
1997-04-21 11:14:41 +00:00
mikel
cae2f3b253 make /etc/aliases check a bit more discriminating: the line must be
uncommented, and it must contain a '|' character (forwarding to program).
1997-04-17 07:42:07 +00:00
mycroft
814cb67087 Minor cleanup. 1997-03-10 09:45:58 +00:00
mikel
5b5eddafe2 Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106.
Also fixed some comments.
1997-02-14 08:52:05 +00:00
mrg
a9efb63860 add configuration file for security, as security.conf.
the file allows each action taken by security to be
turned on or off.
1997-01-05 11:46:12 +00:00
mrg
2bc04b57a8 ignore setgid on dirs. 1996-05-22 00:51:08 +00:00
pk
1377ee0906 Several fixes from Arne H. Juul (PR#1814). 1996-01-14 00:58:25 +00:00
thorpej
0763a85671 New-style RCS ids. 1995-12-17 02:01:10 +00:00
jtc
62b86c41b9 Change .emacsrc to .emacs in list of files to be checked.
From Mike Long, in PR #768.
1995-01-31 16:09:45 +00:00
mycroft
3df08b7f25 Fix the fstype-based pruning algorithms. Partly suggested by John Kohl. 1994-10-18 16:52:56 +00:00
cgd
91778fe0ca update to new security script 1994-06-15 04:28:06 +00:00
cgd
7e3b99ee2b people importing trees from SunOS should be shot; add -d to ls. 1994-01-15 18:32:06 +00:00
mycroft
cb4c5af110 Find only set[gu]id files and devices, like old ncheck(1). 1993-12-15 07:07:36 +00:00