tb/contrib
1
0
Fork 0
forked from ports/contrib
Code Pull Requests Activity
contrib/security/security
Han Boetes 32295a9faf abiword: initial release
2006-11-13 21:12:21 +01:00

169 lines
4.0 KiB
Bash
Raw Blame History

#!/bin/sh -
#
# $OpenBSD: security,v 1.68 2004/08/25 19:59:29 millert Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
# I borrowed excerpts from the OpenBSD-script security for use on
# Linux. Although the file doesn't explicitly mention it consider
# the script BSD-licensed.
#
# If you get problems with this script don't bother the people
# from OpenBSD. And don't bother me either. :p
PATH=/bin:/usr/bin:/sbin:/usr/sbin
FILESYSTEMS="ext2 ext3 xfs jfs reiserfs hfs hpfs"
PRUNEPATHS="/proc /mnt /dev /tmp /usr/tmp /var/tmp /lib/udev"
umask 077
BACKUPSDIR=/var/backups
SHADOW=/etc/shadow
if ! DIR=$(mktemp -d /tmp/_secure.XXXXXXXXXX) ; then
echo "Can't create TEMPFILE, /etc/security didn't run!!!"
exit 1
fi
ERR=$DIR/_secure1
TMP1=$DIR/_secure2
TMP2=$DIR/_secure3
TMP3=$DIR/_secure4
LIST=$DIR/_secure5
OUTPUT=$DIR/_secure6
trap 'rm -rf $DIR' 0 1 2 3 13 15
if [ ! -d $BACKUPSDIR ] ; then
mkdir -m 700 $BACKUPSDIR
fi
# Backup the master password file; a special case, the normal backup
# mechanisms also print out file differences and we don't want to do
# that because this file has encrypted passwords in it.
CUR=$BACKUPSDIR/shadow.current
BACK=$BACKUPSDIR/shadow.backup
if [ -s $CUR ] ; then
if ! cmp -s $CUR $SHADOW ; then
cp -p $CUR $BACK
cp -p $SHADOW $CUR
chown root:root $CUR
fi
else
cp -p $SHADOW $CUR
chown root:root $CUR
fi
# This function converts the string `/usr/bin/ls' into `usr_bin_ls'
_fnchg() {
echo "$1" | sed 's/^\///;s/\//_/g'
}
# List of files that get backed up and checked for any modifications. Each
# file is expected to have two backups, $BACKUPSDIR/file.{current,backup}.
# Any changes cause the files to rotate.
# Check changelist(5) for refference.
for changesfile in /etc/changelist /etc/changelist.local; do
if [ -s $changesfile ] ; then
for file in $(egrep -v "^(#|\+|$SHADOW)" $changesfile); do
CUR=$BACKUPSDIR/$(_fnchg "$file").current
BACK=$BACKUPSDIR/$(_fnchg "$file").backup
if [ -s $file -a ! -d $file ] ; then
if [ -s $CUR ] ; then
diff -u $CUR $file > $OUTPUT
if [ -s $OUTPUT ] ; then
echo "======"
echo "${file} diffs (-OLD +NEW)"
echo "======"
cat $OUTPUT
cp -p $CUR $BACK
cp -p $file $CUR
chown root:root $CUR $BACK
fi
else
cp -p $file $CUR
chown root:root $CUR
fi
fi
done
for file in $(egrep "^\+" $changesfile); do
file="${file#+}"
CUR=$BACKUPSDIR/$(_fnchg "$file").current.md5
BACK=$BACKUPSDIR/$(_fnchg "$file").backup.md5
if [ -s $file -a ! -d $file ] ; then
MD5_NEW=$(md5sum $file | sed 's/ .*$//')
if [ -s $CUR ] ; then
MD5_OLD=$(cat $CUR)
if [ "$MD5_NEW" != "$MD5_OLD" ]; then
echo "======"
echo "${file} MD5 checksums"
echo "======"
echo "OLD: $MD5_OLD"
echo "NEW: $MD5_NEW"
cp -p $CUR $BACK
echo $MD5_NEW > $CUR
chown root:root $CUR $BACK
chmod 600 $CUR
fi
else
echo $MD5_NEW > $CUR
chown root:root $CUR
chmod 600 $CUR
fi
fi
done
fi
done
#
# Check for world/groupwritable files.
#
unset includes or
if [ -n "$PRUNEPATHS" ]; then
for path in $PRUNEPATHS; do
includes="$includes $or -path $path -prune"
or="-or"
done
fi
unset or
if [ -n "$FILESYSTEMS" ]; then
includes="$includes -or ("
for fstype in $FILESYSTEMS; do
includes="$includes $or -fstype $fstype"
or="-or"
done
includes="$includes )"
fi
find / $includes \( -perm -0002 -or -perm -0020 \) ! -perm -1000 ! -type l > $TMP1 2>&1
# Now filter out the prunepath names since with this command they
# show up.
if [ -n "$PRUNEPATHS" ]; then
filters="("
set -- $PRUNEPATHS
while [ $# -gt 1 ]; do
filters="$filters$1|"
shift
done
filters="$filters$1)"
egrep -v "^$filters\$" $TMP1 > $TMP2
cat $TMP2 > $TMP1
fi
if [ -s $TMP1 ]; then
echo
echo 'These files are world-writeable or group writable!!'
echo '---------------------------------------------------'
cat $TMP1 | while read filename; do
ls -ld "$filename"
done
fi
View Git Blame Copy Permalink