path: root/libexec/security
Commit message | Author | Date | Files | Lines

* Don't skip file systems just because the parent fs is nodev and nosuid. | millert | 2020-10-11 | 1 | -8/+13
  Fixes instances where a mount point uses the nodev and nosuid options but another file system mounted inside that hierarchy does not. OK schwarze@

* afs, nnpfs, and procfs are no longer supported, | schwarze | 2020-09-17 | 1 | -3/+3
  so stop looking for them in mount(8) output; no functional change intended; OK millert@

* Do not bother scanning file systems that are both nodev and nosuid | schwarze | 2020-09-14 | 1 | -3/+4
  for SUID, SGID, and device files, implementing an idea that deraadt@ came up with based on a somewhat similar idea from millert@ after a loosely related comment from Rupert Gallagher on misc@. While here, minimally simplify the way mount options are parsed, hoping to make the parsing more readable and also more robust. OK millert@ deraadt@
* Remove user uucp and group news from base. | jca | 2016-12-27 | 1 | -3/+2

* When checking ownership and modes of files in /var/mail/, | schwarze | 2016-10-22 | 1 | -1/+2
  ignore *.lock files, to avoid pointless warning mails reported by Philippe Meunier <meunier at ccs dot neu dot edu>; OK florian@ jca@

* When reading untrusted user files, don't risk blocking, such that | schwarze | 2015-07-21 | 1 | -3/+6
  users can't mount a DoS attack against security(8), and for additional safety against race attacks, make sure they are regular files after opening and before actually reading them. Issue originally hinted at by Sevan Janiyan <venture37 at geeklan dot com dot uk> based on a NetBSD commit message, then commented on by tedu@, problem finally confirmed by guenther@, who also provided feedback on the actual patch.

* When diff(1) finds differences, it returns an exit status of 1. | schwarze | 2015-04-21 | 1 | -2/+6
  In that particular case, refrain from printing "diff: exit code 1" because that exit status doesn't indicate an error condition. Issue noticed by and patch OK'ed by ajacoutot@. "I agree with the goal, and I suspect the diff actually achieves it" guenther@.
* In mount(8) output, do not misparse lines where fs_spec ends with the | schwarze | 2015-03-27 | 1 | -2/+2
  two characters "on", which can for example happen for NFS mounts. Patch from Lauri Tirkkonen <lotheac at iki dot fi> on bugs@.

* If /etc/passwd contains incomplete lines ending before the | schwarze | 2015-03-27 | 1 | -3/+12
  home directory field, warn explicitly rather than stumbling into Perl "uninitialized value" warnings. Issue reported by Denis Lapshin <deniza at mindall dot org>. OK afresh1@

* AnonCVS is designed to work with a user account that has no password and a | schwarze | 2014-12-04 | 1 | -2/+3
  very special shell, so do not complain about that particular combination. Idea originally brought up by landry@ five years ago, repeatedly forgotten. Using feedback from sthen@ millert@ halex@; OK landry@ ajacoutot@.

* The file /etc/exports is now optional and not installed by default, | schwarze | 2014-07-14 | 1 | -1/+2
  so do not complain when it is absent. Issue found by and patch OK by ajacoutot@. "I don't do perl, but seems ok" deraadt@

* Do not redirect STDERR of the main security(8) script to /dev/null, | schwarze | 2014-06-26 | 1 | -7/+3
  not even for calling three particular functions, as that carries a risk of hiding serious errors in the security(8) script itself: otto@ found and reported a bug (already fixed by now) where that hurt him. Instead, only do the redirection where it is really needed, that is, inside the forked csh(1) child process. The csh(1) "eval" builtin is required because the csh(1) "source" builtin apparently ignores redirections. No objections came up when showing this diff on tech@.
* The Perl close() function, when called on pipe file descriptors, | schwarze | 2014-06-24 | 1 | -9/+17
  provides information from wait(2), which needs careful inspection in order to not hide errors. Problem identified by florian@ after a bug report from otto@. Fix based on a patch from florian@, considerably tweaked by me. OK florian@

* Do not try to pass potentially non-existent array elements into | schwarze | 2014-06-24 | 1 | -8/+10
  functions since that is going to kill the Perl interpreter. While here, do not attempt to parse $PATH or $ENV when undefined. Crash found the hard way with a dubious /root/.login file by otto@ who declares himself unable to read perl code even though he can apparently debug it with ktrace(1) - thanks for the excellent bug report! Feedback and ok florian@.

* tedu ~/.klogind | coppa | 2014-04-29 | 1 | -3/+3
  ok henning@ deraadt@

* check perms on .ssh/id_ed25519; Fritjof Bornebusch | sthen | 2014-04-21 | 1 | -2/+2

* check_hosts_equiv -> check_hosts_lpd | ajacoutot | 2014-04-20 | 1 | -15/+11
  i.e. don't check for hosts.equiv anymore. input/ok schwarze@, ok sthen@

* don't check ftpusers in security(8), from gsoares@, ok afresh1@ schwarze@ | sthen | 2014-03-23 | 1 | -16/+1
* Correct the last change to untaint $fmt; it caused the final parameter of | sthen | 2013-03-21 | 1 | -3/+3
  the format string to be dropped, causing the year to be printed instead of the filename, as reported by ajacoutot. ok espie@

* Untaint a variable used in an sprintf format string by using a regex and back- | sthen | 2013-03-19 | 1 | -2/+2
  reference. This diff from espie@ after we worked through a few alternatives. (Background: with perl's taint mode, any operation other than RE+backref, even just taking a length of a tainted [user-supplied/untrusted] string, results in a tainted variable. Perl 5.14 improves the checks in format strings to sprintf which triggers with this script).

* create an empty %skip even if SUIDSKIP is not set, newer perl complains. | sthen | 2013-03-18 | 1 | -2/+4
  "I don't even see how this could work before" and ok espie@

* Enclose qw(...) literals in parentheses where required; this was historically | sthen | 2013-03-18 | 1 | -8/+8
  assumed anyway, but recent versions of Perl deprecate this. ok espie@

* To detect changes of system files, use SHA-256 rather than MD5, | schwarze | 2012-07-08 | 1 | -24/+25
  taking advantage of naddy@'s recent mtree(8) modernization. While here, do not provide an example protecting a home directory from file changes; protect some system binaries instead. ok naddy@ jmc@

* Also check permissions of .ssh/id_ecdsa. | pascal | 2012-05-17 | 1 | -2/+3
  ok schwarze@
* During mailbox and special file checks, skip all files that can't | schwarze | 2011-07-20 | 1 | -7/+10
  be stat(2)'ed, but do not complain about those that were just removed, because removing files is not a security risk in itself. Sorry, I can't remember the original reporter of the issue; reported again by mk@; patch looks good to Andrew Fresh.

* In lists of setuid/setgid files and devices, do not pad the last column | schwarze | 2011-07-20 | 1 | -1/+2
  with trailing spaces; ugliness spotted by daniel dot c dot sinclair at gmail dot com, fix from Andrew Fresh.

* Restore changelist(5) wildcard support that we inadvertently killed | schwarze | 2011-06-20 | 1 | -10/+27
  by the recent security(8) rewrite. While here: 1) Skip relative paths in changelist(5), and complain about them. 2) Skip file names ending in a tilde ('~') unless the tilde is explicitly specified in the changelist(5). That is, trailing wildcards will not match trailing tildes, as suggested by matthew@. Bug reported by both mk@ and matthew@. OK Andrew Fresh, also tested by and "move forward" mk@

* Fix two bugs where race conditions might cause stat(2) to fail, | schwarze | 2011-05-25 | 1 | -7/+9
  such that security(8) would output garbage on stderr. One reported by <RD at thrush dot com>, the other found by code audit. While here, remove dead code in two other places: stat(_) uses cached data and cannot fail, not even if the file is removed in between. ok Andrew Fresh

* Do not complain about an /etc/group line "+\n" as "wrong number of fields", | schwarze | 2011-05-10 | 1 | -2/+9
  that abbreviated syntax is explicitly allowed by group(5). While here, warn if it isn't the last line in the group file. Regression reported, fix tested and ok miod@, and seems good to ajacoutot@. Note: I'm not removing the advice to put "+\n" at the end of the group file right now because I'm not 100% sure that advice is pointless, even though guenther@ looked at the code and came to the conclusion OpenBSD libc ought to cope. And I'd rather have the manuals and the syntax checker be consistent. In case this really annoys people, it can be carefully tested and changed later.

* When a device or setuid file is owned by a nonexistent user or group, | schwarze | 2011-04-23 | 1 | -8/+8
  undefined data got used. Fix this by reporting the UID/GID numerically in that case. Problem reported and patch provided by rd at thrush dot com. While here, use // rather than || everywhere to detect get*id failure, as suggested by RD Thrush. The edge case where it matters - a username of "0" - is rather insane, but the // is more precise anyway.
* Very nice bugfix from Andrew Fresh, who writes: | schwarze | 2011-04-23 | 1 | -11/+10
  >> "return if !%changed;" in check_filelist would never return because just above "for @{$changed{xxx}}" autovivifies $changed{xxx} = [] if it is not set already. <<
  I hate autovivification, and it hates me.

* remove a bogus blank line; from Andrew Fresh | schwarze | 2011-04-17 | 1 | -2/+2

* Keep the exact format of the message: | schwarze | 2011-04-17 | 1 | -4/+5
    user %s mailbox is %s, group %s
  This is easy because we now have the strmode() function. From Andrew Fresh, minimally tweaked myself.

* Reviewing my version of the code, Andrew Fresh found an elegant way to | schwarze | 2011-04-10 | 1 | -4/+9
  keep the format of the "Block device changes:" output exactly the same as it was in the past. As a bonus, this also avoids lies in variable names, making it more obvious what is actually being compared here.

* implement one last check that Andrew overlooked | schwarze | 2011-04-09 | 1 | -8/+26

* implementation of the remaining checks; | schwarze | 2011-04-09 | 1 | -22/+432
  heavily based on code written by Andrew Fresh, but with considerable tweaking, mainly for simplicity; lightly tested - there are probably still bugs, but auditing and fixing it in the tree will be easier than with floating diffs
* style cleanup: | schwarze | 2011-03-30 | 1 | -14/+14
    * include the colon into $check_title, where needed
    * always use the same style for stat calls
    * and a few minor points

* umask and path checks; | schwarze | 2011-03-26 | 1 | -1/+126
  heavily based on code written by Andrew Fresh; tweaked in team-work

* home directory checks; | schwarze | 2011-03-25 | 1 | -1/+89
  large parts from a submission by Andrew Fresh <andrew at afresh1 dot com>

* fix "german" typo; from <markus dot lude at gmx dot de> | schwarze | 2011-03-24 | 1 | -2/+2

* Work in progress to replace /etc/security, not yet linked to the build. | schwarze | 2011-03-23 | 2 | -0/+262
  Main design goals:
    1. Safely handle untrusted file names and file content.
    2. Output compatibility with current security(8) to please people parsing the output with scripts (except when improving functionality right away saves considerable implementation effort).
  Substantial functional enhancements are for later. Prodding to do this in Perl by deraadt@. Using some feedback from espie@. Agree to put this in now and at this place even though only about one third of the functionality is ready, to complete it in the tree: beck@ espie@ millert@ deraadt@