Subject: misc/1814: /etc/security bugs and misfeatures
To: None <gnats-bugs@gnats.netbsd.org>
From: Arne Henrik Juul <arnej@imf.unit.no>
List: netbsd-bugs
Date: 12/05/1995 23:12:13
>Number: 1814
>Category: misc
>Synopsis: /etc/security has various bugs and misfeatures
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: misc-bug-people (Misc Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 5 17:35:02 1995
>Last-Modified:
>Originator: Arne H. Juul
>Organization:
Norwegian University of Technology and Science (NUTS)
>Release: 1.1
>Environment:
System: NetBSD leon.imf.unit.no 1.1 NetBSD 1.1 (NIKITA) #0: Fri Dec 1 18:22:20 MET 1995 arnej@leon.imf.unit.no:/usr/src/sys/arch/i386/compile/NIKITA i386
>Description:
/etc/security has various bugs and misfeatures.
The most irritating is a bug in use of 'find'. Because of the
somewhat illogical behaviour of 'find' when used without any actions,
all the prune points are included as 'setuid files or devices'.
This is easily fixed by including the wanted implied -print (patch below).
In addition, certain files are always assumed to exist,
notably /etc/exports, /etc/hosts.equiv, and /etc/mtree/*.secure.
None of these needs exist and (for the first two atleast)
security would not be adversely affected. Patches for these are also
included.
Third, a login with empty password field is duly warned
about at first, but afterwards it's taken as an indication that the
account is disabled. Patch for this is included as well.
These fixes don't quiet all the output you'll get
on a virgin 1.1 system. If you do things like add YP '+' fields
it will complain a *lot*.
Some `standard' warnings:
: Login daemon is off but still has a valid shell.
: Login games is off but still has a valid shell.
: Login ingres is off but still has a valid shell.
These accounts should probably have /dev/null as shell in the
distributed password file.
: /etc/master.passwd has duplicate user id's.
: root 0 toor 0
This is expected, so it probably shouldn't warn about it, but
this may be a feature for people who are not aware of the 'toor'
account. Anyway it's not so easy to fix without ugly special cases.
: Checking root csh paths, umask values:
: /etc/csh.cshrc /etc/csh.login /root/.cshrc /root/.login
: Root csh startup files do not set the umask.
: Checking root sh paths, umask values:
: /root/.profile
: Root sh startup files do not set the umask.
Should the distributed dot files set the umask, or is this
warning intended to get people to set their own? This may
be a feature, but I find it irritating (my root account uses
bash as login shell, so none of the above files are really
relevant anyway)
: Checking for special users with .rhosts files.
: daemon: -rw-r--r-- 1 root wheel 21 Oct 26 14:49:00 1995 /root/.rhosts
daemon should probably have / as home directory in the distributed
password files.
: Checking dot files.
: user arnej .rhosts file is group readable
: user arnej .rhosts file is other readable
[and many more like this]
This check is of somewhat dubious value, if you ask me.
Checking for writable .rhosts files is very useful, but in NFS
environment they will most often *have* to be group/world readable
to work at all.
: Checking disk ownership and permissions.
: Disk /dev/fd0a is user root, group operator, permissions brw-rw-rw-.
: Disk /dev/rfd0a is user root, group operator, permissions crw-rw-rw-.
Doesn't most people want to be able to use the floppy station?
The check is strictly speaking correct, but I always turn it off.
I'm not sure about this, though; it may be somewhat philosophical.
Also, there's lots of errors because /etc/mtree/special is out of
sync with the standard distrubution kit. All the files and
directories that aren't distributed as standard with NetBSD should
be marked as 'optional'. That way you will get them checked if/when
you manually create them, but it shouldn't complain in a
default-installation. (I think I've PRed this before, it may even
already be fixed in trunk).
>How-To-Repeat:
Run /etc/security on a newly-installed NetBSD 1.1 system.
Personally I feel this kind of scripts should be absolutely quiet
when you've fixed all the holes they check for, but that may be a bit
too ambitious for the distributed version to aim for.
>Fix:
The ones most clearly classifiable as 'bugs' are corrected by this patch:
--- security.orig Wed Oct 11 12:29:59 1995
+++ security Tue Dec 5 19:04:02 1995
@@ -32,7 +32,7 @@
printf("Login %s has more than 8 characters.\n", $1);
if ($2 == "")
printf("Login %s has no password.\n", $1);
- if (length($2) != 13 && ($10 ~ /.*sh$/ || $10 == ""))
+ if (length($2) != 13 && $2 != "" && ($10 ~ /.*sh$/ || $10 == ""))
printf("Login %s is off but still has a valid shell.\n", $1);
if ($3 == 0 && $1 != "root" && $1 != "toor")
printf("Login %s has a user id of 0.\n", $1);
@@ -216,7 +216,7 @@
# Files that should not have + signs.
list="/etc/hosts.equiv /etc/hosts.lpd"
for f in $list ; do
- if egrep '\+' $f > /dev/null ; then
+ if [ -f $f ] && egrep '\+' $f > /dev/null ; then
printf "\nPlus sign in $f file.\n"
fi
done
@@ -325,8 +325,9 @@
cat $OUTPUT
fi
-# File systems should not be globally exported.
-awk '{
+if [ -f /etc/exports ]; then
+ # File systems should not be globally exported.
+ awk '{
readonly = 0;
for (i = 2; i <= NF; ++i) {
if ($i ~ /-ro/)
@@ -338,10 +339,11 @@
print "File system " $1 " globally exported, read-only."
else
print "File system " $1 " globally exported, read-write."
-}' < /etc/exports > $OUTPUT
-if [ -s $OUTPUT ] ; then
+ }' < /etc/exports > $OUTPUT
+ if [ -s $OUTPUT ] ; then
printf "\nChecking for globally exported file systems.\n"
cat $OUTPUT
+ fi
fi
# Display any changes in setuid files and devices.
@@ -349,7 +351,7 @@
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
-o -fstype procfs \) -a -prune -o \
\( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \
- ! -type s \) | \
+ ! -type s \) -print | \
sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT
# Display any errors that occurred during system file walk.
@@ -497,6 +499,7 @@
> $OUTPUT
for file in *.secure; do
+ [ $file = '*.secure' ] && continue
tree=`sed -n -e '3s/.* //p' -e 3q $file`
mtree -f $file -p $tree > $TMP1
if [ -s $TMP1 ]; then
>Audit-Trail:
>Unformatted: