christos
e597a72d0b
Use cat -f to avoid denial of service attacks by people who make .rhosts
files fifos.
2000-01-15 01:15:12 +00:00
perry
4220708c27
We already had logic not to try to grab the disklabels of md's and
fd's -- add cd's to the list.
1999-09-05 15:11:42 +00:00
hubertf
8b10c79f68
Use standard variable "$0" for the whole line instead of the non-standard,
undocumented "$LINE".
Submitted in PR 7041 by Greg A. Woods <woods@weird.com>
1999-07-22 00:47:50 +00:00
kleink
357a0baaf8
Get rid of old-style chown operands.
1999-04-23 08:20:28 +00:00
wrstuden
ee6f8c2579
Add a commented-out duplicate id checker which doesn't exclude toor, and
add a comment saying how to switch it on.
1999-03-17 19:11:05 +00:00
wrstuden
d32be9a273
Modify duplicate user id check to exclude "toor". Any other uid 0
accounts will generate a message with that (those) account names, root, and
toor present in the list.
1999-03-17 02:58:11 +00:00
fair
7153b55a87
Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.
1999-03-16 06:18:17 +00:00
abs
dade5b2993
Handle + in master.passwd (From PR#4802).
Also, handle + in group and allow max_loginlen to be configurable.
1999-02-18 18:53:32 +00:00
tv
850ab15c3b
Nix "Login %s is off but still has a valid shell" warning for 20-character
encrypted passwords generated by the NEWSALT option to passwd(1).
1998-09-14 19:42:42 +00:00
lukem
3a3b03bdd7
* if $check_disklabels=YES, backup and compare of disklabels of current disks.
should detect added or removed disks as well. backup labels go in
/var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the
changelist style backups have .current or .backup suffixes
* minor whitespace, formatting, and comment cleanup
1998-08-25 13:47:29 +00:00
lukem
8f59ce8e35
include rc.subr and use appropriately
1998-01-26 12:02:43 +00:00
mycroft
dae4e5df82
Deal with files in the changelist that are added or removed.
* When a file is removed, move its .current file to .backup.
* When a file is added, create its .current file.
* In either case, send a diff against /dev/null.
Mostly from Jim Bernard in PR 4183, with the removal case fixed.
1997-10-08 16:13:44 +00:00
lukem
90ec96df78
- use 'ftpd -C user' to check the format of /etc/ftpusers.
closes [security/4061]
- rename $MPPATH to $MPBYPATH, to clarify its use
1997-09-23 14:36:56 +00:00
lukem
f09b5e36c7
- don't print "Checking setuid files and devices:" if no problems
found (solves [security/4047])
- minor cleanup (rename a couple of variables, etc)
1997-09-18 05:16:19 +00:00
lukem
89fa41e9da
- correct use of generated temporary files.
- clean up comments and generated output.
- clean up $SECUREDIR if SIGINT or SIGQUIT received.
- .rhosts may have to be world readable in NFS environments, so allow it to be.
- update list of disks to check for reasonable permissions
- don't show differences in /etc/master.passwd, as the encrypted strings may
be sent. From reading comments earlier in the script, this was the intention
anyway. Fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3994].
- when checking /etc/ftpusers, skip comment lines and only match full
usernames.
XXX: this should be enhanced to check lines of the enhanced ftpusers format.
1997-08-22 09:40:17 +00:00
lukem
0f26a04544
* ensure that check for '.' in root's $PATH doesn't yield a false positive.
fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3995]
* detect empty :: elements as '.' in a sh(1) path (leading :, trailing :,
or ::)
1997-08-19 12:08:35 +00:00
lukem
fb34424eb0
* when checking /etc/master.passwd, read in /etc/shells for a list of
valid shells and then check each active account against that
* remove unnecessary ()s in a few printf's.
1997-06-24 02:32:38 +00:00
lukem
ff2ea5d139
* take advantage of xargs -0 when finding devices and set?id files
* use 'ls -q' in the above, so that characters that may cause problems
in the output are replaced with '?'
1997-06-24 01:16:47 +00:00
lukem
d0b6172bfe
Also check /etc/profile for setting of umask.
From Chris Jones <cjones@rupert.oscs.montana.edu> in [misc/3763]
1997-06-23 11:59:30 +00:00
lukem
b07aea8e1c
Ignore blank lines and comments in /etc/exports
From Jaromir Dolecek <dolecek@moria.ics.muni.cz> in [misc/3691]
1997-06-23 01:49:15 +00:00
mycroft
d8dcc6580c
Don't list directories with the setuid bit set or FIFOs.
1997-04-21 17:38:39 +00:00
mycroft
df1a64b9f5
Minor cleanup.
1997-04-21 11:19:57 +00:00
mycroft
4a0848acd9
When doing security checks in user home directory, sort by home directory, to
optimize lookups a little.
Also, add some more files to the naughty lists.
1997-04-21 11:14:41 +00:00
mikel
cae2f3b253
make /etc/aliases check a bit more discriminating: the line must be
uncommented, and it must contain a '|' character (forwarding to program).
1997-04-17 07:42:07 +00:00
mycroft
814cb67087
Minor cleanup.
1997-03-10 09:45:58 +00:00
mikel
5b5eddafe2
Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106.
Also fixed some comments.
1997-02-14 08:52:05 +00:00
mrg
a9efb63860
add configuration file for security, as security.conf.
the file allows each action taken by security to be
turned on or off.
1997-01-05 11:46:12 +00:00
mrg
2bc04b57a8
ignore setgid on dirs.
1996-05-22 00:51:08 +00:00
pk
1377ee0906
Several fixes from Arne H. Juul (PR#1814).
1996-01-14 00:58:25 +00:00
thorpej
0763a85671
New-style RCS ids.
1995-12-17 02:01:10 +00:00
jtc
62b86c41b9
Change .emacsrc to .emacs in list of files to be checked.
From Mike Long, in PR #768 .
1995-01-31 16:09:45 +00:00
mycroft
3df08b7f25
Fix the fstype-based pruning algorithms. Partly suggested by John Kohl.
1994-10-18 16:52:56 +00:00
cgd
91778fe0ca
update to new security script
1994-06-15 04:28:06 +00:00
cgd
7e3b99ee2b
people importing trees from SunOS should be shot; add -d to ls.
1994-01-15 18:32:06 +00:00
mycroft
cb4c5af110
Find only set[gu]id files and devices, like old ncheck(1).
1993-12-15 07:07:36 +00:00
cgd
2d1f5986f3
use of xargs wasn't strictly a security hole, but could lead to fouled-up
results. xargs should really have an option to automatically
'quote' input.
1993-10-27 16:59:13 +00:00
mycroft
8b6b8bad1e
Use xargs(1) to avoid overflowing the argument list to ls(1).
1993-10-27 09:54:31 +00:00
cgd
8379ac2852
from FreeBSD: check for set*id devices in a way closer to the original.
note that you can still overflow the args buffer for the ls (and it does
that on lamp), but it's better than before.
1993-10-26 01:38:57 +00:00
mycroft
74ccbe814f
Rewrite set[gu]id find command to avoid walking non-local file systems.
1993-10-19 06:13:08 +00:00
cgd
1c2ae9dcc3
updated to reflect the fact that we don't have an ncheck
1993-04-02 08:00:48 +00:00
cgd
61f282557f
initial import of 386bsd-0.1 sources
1993-03-21 09:45:37 +00:00