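#!/bin/sh -
#
#	@(#)security	5.12 (Berkeley) 02/27/92
#
# Nightly security audit.  Reports uid-0 and passwordless accounts, diffs the
# setuid/device inventory against the previous run's, and verifies the system
# binaries against the mtree(8) specifications in /etc/mtree.  Runs as root;
# everything it has to say goes to stdout for the daily report.
# The trailing "-" on the interpreter line ends sh option processing.
PATH=/sbin:/usr/sbin:/bin:/usr/bin

host=$(hostname)
umask 22

# Scratch files live in a private directory created by mktemp(1) rather than
# under predictable /tmp/_secureN.$$ names: with a fixed name an unprivileged
# user could pre-create the file or plant a symlink and have this root script
# follow it.  mktemp -d creates the directory mode 0700 regardless of umask.
SCRATCH=$(mktemp -d /tmp/_secure.XXXXXX) || {
	echo "$0: cannot create scratch directory" >&2
	exit 1
}
DONE=$SCRATCH/done
LIST=$SCRATCH/list
TMP=$SCRATCH/tmp

# Whatever path we leave by, the scratch directory goes with us.
trap 'rm -rf "$SCRATCH"' 0
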
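# uid0_users FILE: print "user: NAME, uid: UID" for every entry of the
# passwd(5)-format FILE whose uid field is numerically zero.  The comparison
# is numeric rather than against the string "0", so non-canonical spellings
# such as "00", and any uid field that does not parse as a non-zero number
# (an empty field included), are reported as well.
uid0_users() {
	awk -F: '$3 + 0 == 0 { print "user: " $1 ", uid: " $3 }' "$1"
}

# nopasswd_users FILE: print the same line for every entry of FILE whose
# encrypted-password field is empty.
nopasswd_users() {
	awk -F: '$2 == "" { print "user: " $1 ", uid: " $3 }' "$1"
}

echo ""
echo "Checking for uids of 0:"
uid0_users /etc/master.passwd

echo ""
echo "Checking for uids without passwords:"
nopasswd_users /etc/master.passwd
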
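echo ""
echo "Checking setuid files and devices:"

# Previous run's inventory, and the one generation of history we keep.
SETCUR=/var/log/setuid.current
SETBACK=/var/log/setuid.backup

# report FILE HEADER: if FILE is non-empty, print HEADER, FILE's contents and
# a trailing blank line.  Returns 0 if something was printed, 1 otherwise.
report() {
	[ -s "$1" ] || return 1
	echo "$2"
	cat "$1"
	echo ""
	return 0
}

# Inventory every setuid/setgid file and every node that is neither a
# directory, a regular file nor a symlink (devices, fifos, sockets) on the
# local filesystems, one ls(1) line per entry, sorted on the pathname.
#
# The pathnames go straight from find to ls through -exec.  The previous
# `sed -e 's/^/ls -lgT /' | sh` pipeline handed each name to a root shell as
# a command line, and any user can create a setuid file they own whose name
# contains shell metacharacters.  -d lists a matching directory (a setgid
# directory, say) as itself instead of expanding its contents, and the
# explicit action keeps find's implied -print from also listing the pruned
# non-local mount points, for which -prune evaluates true.  `sort -k 10`
# orders on the pathname field of an `ls -lgT` line, which is the key the
# join/sort steps below expect.
(find / \( ! -fstype local \) -a -prune -o \
    \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l \) \
    -exec ls -lgTd {} \; | sort -k 10 >"$LIST") 2>"$TMP"

report "$TMP" "$host setuid/device find errors:"

if [ -s "$LIST" ]; then
	if [ -s "$SETCUR" ]; then
		if ! cmp -s "$SETCUR" "$LIST"; then
			# Additions and deletions are collected in $DONE so the
			# third pass can discount them and report only the entries
			# whose ls line (owner, mode, size, time ...) changed.
			: >"$DONE"
			join -1 10 -2 10 -v 2 "$SETCUR" "$LIST" >"$TMP"
			report "$TMP" "$host setuid/device additions:" && cat "$TMP" >>"$DONE"

			join -1 10 -2 10 -v 1 "$SETCUR" "$LIST" >"$TMP"
			report "$TMP" "$host setuid/device deletions:" && cat "$TMP" >>"$DONE"

			# Lines seen exactly once across the three files are the
			# old and new versions of changed entries.
			sort -k 10 "$DONE" "$SETCUR" "$LIST" | uniq -u >"$TMP"
			report "$TMP" "$host setuid/device changes:"

			mv "$SETCUR" "$SETBACK"
			mv "$LIST" "$SETCUR"
		fi
	else
		# No previous inventory on this host: everything is an addition.
		report "$LIST" "$host setuid/device additions:"
		mv "$LIST" "$SETCUR"
	fi
fi
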
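# Check the system binaries.
# Create the mtree tree specifications using:
#
#	mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
#	chown bin.bin DIR.secure
#	chmod 444 DIR.secure
#
# Note, this is not complete protection against Trojan horsed binaries, as
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.

# check_specs DIR: run mtree(8) against every *.secure specification in DIR.
# The directory a spec describes is read from the spec's third line (the
# "tree:" line of the header written by mtree -c), taking everything after
# the last space; a spec with no such line is reported and skipped rather
# than handed to mtree with an empty -p.  Prints nothing and returns 1 if
# DIR cannot be entered.  Like the original, leaves the shell in DIR.
check_specs() {
	cd "$1" || return 1
	echo ""
	echo "Checking system binaries:"
	for spec in *.secure; do
		# With no match the glob is left as the literal pattern.
		[ -f "$spec" ] || continue
		tree=$(sed -n -e '3s/.* //p' -e 3q "$spec")
		if [ -z "$tree" ]; then
			echo ""
			echo "no tree path on line 3 of $1/$spec; skipping"
			continue
		fi
		echo ""
		echo "Checking $tree:"
		mtree -f "$spec" -p "$tree"
	done
}

check_specs /etc/mtree
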
99