Subject: Re: misc/29173
To: None <elad@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-bugs
Date: 09/24/2005 16:52:02
The following reply was made to PR misc/29173; it has been noted by GNATS.
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: elad@netbsd.org
Cc: netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org,
gnats-admin@netbsd.org, tikhonoff@users.sourceforge.net
Subject: Re: misc/29173
Date: Sat, 24 Sep 2005 09:51:37 -0700 (PDT)
On Sat, 24 Sep 2005 elad@netbsd.org wrote:
> Half-baked ``solution'' to a problem I can't put my finger on.
This is not a fair response to someone who filed a legitimate PR. (Maybe
there was discussion not included in the PR?)
"Find all world writeable elements of dangerous directories in a
filesystem" is a great idea.
This could be added to /etc/security and /etc/defaults/security.conf as
check_worldwritable.
I'd just have it check the entire filesystem and not selected directories, but
that would be easy with another security.conf(5) setting:
check_worldwritable_dirs="/" or check_worldwritable_dirs="/bin /sbin",
etc.
The find option in the PR should use -0002 instead of +0002. Also it
should exclude symlinks.
Please reopen this PR.
Here is a simple, untested idea:
# Find all world writeable files
if checkyesno check_worldwritable ; then
	check_worldwritable_dirs=${check_worldwritable_dirs:-/}
	# -perm -0002: the other-write bit is set; ! -type l: skip symlinks
	find ${check_worldwritable_dirs} -perm -0002 \
	    \! -type l -ls > $LIST 2> $ERR
	# Display any errors that occurred during system file walk.
	if [ -s $ERR ] ; then
		echo World writable find errors:
		cat $ERR
		echo
	fi
	if [ -s $LIST ] ; then
		echo World writable files:
		cat $LIST
		echo
	fi
fi
Also another variable could be used to exclude, such as:
check_worldwritable_exclude="/tmp /var/tmp"
maybe using grep, or parsing it and putting it on the find command itself.
Jeremy C. Reed
BSD News, BSD tutorials, BSD links
http://www.bsdnewsletter.com/
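The check sketched in the mail, carried through as a self-contained script. This is an added example, not code from the PR, from Jeremy's mail, or from NetBSD's /etc/security. It assumes the exclude list is handled with find's -path/-prune rather than grep, that the scanned paths contain no whitespace, and it builds its own sample tree under mktemp so it can be run anywhere; the function and variable names (find_worldwritable, demo) are invented for the example.

```sh
#!/bin/sh
# Added example: world-writable scan with a directory exclude list,
# in the spirit of the proposed check_worldwritable /etc/security check.

# find_worldwritable DIRS EXCLUDES
#   DIRS     - space-separated start directories (like check_worldwritable_dirs)
#   EXCLUDES - space-separated directories to skip (like check_worldwritable_exclude)
# Prints every non-symlink entry with the other-write bit set, one per line.
# Assumption: no whitespace in DIRS or EXCLUDES (they are word-split on purpose).
find_worldwritable() {
    dirs=$1
    excludes=$2
    # Turn each excluded directory into "-path DIR -prune -o" so find never
    # descends into it.  DIR must be spelled exactly as find would print it
    # (e.g. ./tmp when scanning ".", /tmp when scanning /).
    set --
    for ex in $excludes; do
        set -- "$@" -path "$ex" -prune -o
    done
    # -perm -0002 : other-write bit set (files and directories alike)
    # ! -type l   : symlinks have mode 0777 on many systems, so skip them;
    #               the target, if world-writable, is reported on its own
    find $dirs "$@" -perm -0002 ! -type l -print
}

# demo: build a constructed tree, scan it with ./tmp excluded, print sorted hits.
# Expected hits: ./bin/bad (0666 file) and ./var/drop (0777 directory).
# Not reported: ./bin/ok (0755), ./bin/link (symlink), ./tmp/scratch (pruned).
demo() {
    umask 022
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/tmp" "$tmp/var/drop"
    chmod 0755 "$tmp" "$tmp/bin" "$tmp/tmp" "$tmp/var"
    chmod 0777 "$tmp/var/drop"
    : > "$tmp/bin/ok";      chmod 0755 "$tmp/bin/ok"
    : > "$tmp/bin/bad";     chmod 0666 "$tmp/bin/bad"
    : > "$tmp/tmp/scratch"; chmod 0666 "$tmp/tmp/scratch"
    ln -s bad "$tmp/bin/link"
    ( cd "$tmp" && find_worldwritable "." "./tmp" | sort )
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the two hits; on a real system the call would be something like `find_worldwritable "/" "/tmp /var/tmp" | sort`, with the exclude entries written exactly as find prints them (no trailing slash). The sort is only there to make the output stable; find's own traversal order depends on the filesystem.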