Subject: Re: misc/29173
To: None <elad@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-bugs
Date: 09/24/2005 16:52:02
The following reply was made to PR misc/29173; it has been noted by GNATS.

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: elad@netbsd.org
Cc: netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org,
	gnats-admin@netbsd.org, tikhonoff@users.sourceforge.net
Subject: Re: misc/29173
Date: Sat, 24 Sep 2005 09:51:37 -0700 (PDT)

 On Sat, 24 Sep 2005 elad@netbsd.org wrote:
 
 > Half-baked ``solution'' to a problem I can't put my finger on.
 
 This is not a fair response to someone who filed a legitimate PR. (Maybe 
 there was discussion not included in the PR?)
 
 "Find all world writeable elements of dangerous directories in a 
 filesystem" is a great idea.
 
 This could be added to /etc/security and /etc/defaults/security.conf as 
 check_worldwritable.
 
 I'd just have it check the entire filesystem and not selected directories, but 
 that would be easy with another security.conf(5) setting: 
 check_worldwritable_dirs="/" or check_worldwritable_dirs="/bin /sbin", 
 etc.
 
 The find option in the PR should use -0002 instead of +0002. Also it 
 should exclude symlinks.
 
 Please reopen this PR.
 
 Here is a simple, untested idea:
 
 # Find all world writeable files
 if checkyesno check_worldwritable ; then
  	check_worldwritable_dirs=${check_worldwritable_dirs:-/}
  	find ${check_worldwritable_dirs} -perm -0002 \
  		\! -type l -ls > $LIST 2> $ERR
 
  	# Display any errors that occurred during system file walk.
  	if [ -s $ERR ] ; then
  		echo World writable find errors:
  		cat $ERR
  		echo
  	fi
  	# Display any world writable files found.
  	if [ -s $LIST ] ; then
  		echo World writable files:
  		cat $LIST
  		echo
  	fi
 fi
 
 
 Also another variable could be used to exclude, such as:
 check_worldwritable_exclude="/tmp /var/tmp"
 maybe using grep, or parsing it and putting it on the find command itself.
 
   Jeremy C. Reed
 
   BSD News, BSD tutorials, BSD links
   http://www.bsdnewsletter.com/
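As an added example (not code from the PR or from NetBSD's /etc/security), here is the world-writable walk from the message above with the proposed exclude list folded into the find expression via -prune instead of grepping afterwards; the function names and the sample tree it builds are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or from NetBSD's /etc/security:
# the world-writable walk proposed above, with the suggested
# check_worldwritable_exclude list folded into the find expression
# (one "-path DIR -prune -o" per entry) instead of grepping afterwards.
# Function names and the sample tree are assumptions made for this demo.

# find_worldwritable ROOT "EXCL1 EXCL2 ...": print every world-writable
# entry below ROOT, skipping symlinks (their mode bits are meaningless
# here) and never descending into the excluded directories.
find_worldwritable() {
    root=$1
    excludes=$2
    set --                                  # build the prune clauses
    for d in $excludes; do                  # entries split on whitespace
        set -- "$@" -path "$d" -prune -o
    done
    # -perm -0002: the "other write" bit is set, whatever else is set.
    find "$root" "$@" \! -type l -perm -0002 -print
}

# build_sample_tree: constructed scratch tree with a world-writable file in
# a "system" directory, a symlink to it, and sticky world-writable tmp
# directories that a real run would want to exclude. Prints its root.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/tmp" "$root/var/tmp"
    chmod 0755 "$root/bin" "$root/var"
    chmod 1777 "$root/tmp" "$root/var/tmp"
    : > "$root/bin/safe";    chmod 0644 "$root/bin/safe"
    : > "$root/bin/loose";   chmod 0666 "$root/bin/loose"
    : > "$root/tmp/scratch"; chmod 0666 "$root/tmp/scratch"
    ln -s "$root/bin/loose" "$root/bin/link"
    printf '%s\n' "$root"
}

# Demonstration: with the tmp directories excluded only bin/loose is reported.
demo_root=$(build_sample_tree)
find_worldwritable "$demo_root" "$demo_root/tmp $demo_root/var/tmp"
rm -rf "$demo_root"
```

Without the exclude list the same walk also reports the sticky tmp directories and the scratch file inside them, which is the noise the exclude variable is meant to remove.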