Source-Changes-HG archive
[src/trunk]: src Introduce a variable for security.conf, default empty, to li...
details: https://anonhg.NetBSD.org/src/rev/c174ef39c7f6
branches: trunk
changeset: 791141:c174ef39c7f6
user: spz <spz%NetBSD.org@localhost>
date: Wed Nov 06 19:37:05 2013 +0000
description:
Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.
It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.
Fixes the second half of PR misc/36063
diffstat:
etc/defaults/security.conf | 3 ++-
etc/security | 29 ++++++++++++++++++++++-------
share/man/man5/security.conf.5 | 7 ++++++-
3 files changed, 30 insertions(+), 9 deletions(-)
diffs (97 lines):
diff -r 4df754e869d7 -r c174ef39c7f6 etc/defaults/security.conf
--- a/etc/defaults/security.conf Wed Nov 06 19:30:20 2013 +0000
+++ b/etc/defaults/security.conf Wed Nov 06 19:37:05 2013 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: security.conf,v 1.25 2013/05/01 05:36:25 agc Exp $
+# $NetBSD: security.conf,v 1.26 2013/11/06 19:37:05 spz Exp $
#
# /etc/defaults/security.conf --
# default configuration of /etc/security.conf
@@ -32,6 +32,7 @@
diff_options=-u
check_homes_permit_usergroups=NO
+check_homes_permit_other_owner=""
check_devices_ignore_fstypes="!local fdesc kernfs null procfs ptyfs ntfs msdos"
check_devices_ignore_paths=""
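Review bot: the empty default for check_homes_permit_other_owner is safe (an empty string yields no exempted users), but nothing here says what the value is; since the consumer in etc/security splits it with awk's default whitespace splitting, add a comment or man page wording that it is a space-separated list of user names, so nobody writes "uucp,uucp1" and gets a single name that never matches.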
diff -r 4df754e869d7 -r c174ef39c7f6 etc/security
--- a/etc/security Wed Nov 06 19:30:20 2013 +0000
+++ b/etc/security Wed Nov 06 19:37:05 2013 +0000
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: security,v 1.114 2013/11/06 19:30:20 spz Exp $
+# $NetBSD: security,v 1.115 2013/11/06 19:37:05 spz Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -529,8 +529,13 @@
printf -- "$uid $file\n"
fi
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $4 && $4 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $4 && $4 != "root" && !permit_owners[$1] \
{ print "user " $1 " home directory is owned by " $4 }
$2 ~ /^d....w/ && (!usergroups || $5 != $1) \
{ print "user " $1 " home directory is group writable" }
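Review bot: the exemption in `$1 != $4 && $4 != "root" && !permit_owners[$1]` is keyed only on the user name in $1, so a listed user's home may be owned by any account whatsoever, not by one specific other user; if the uucp case only needs "owned by uucp", a user:owner pair list would be tighter, although what is written matches the man page text ("owned by a different user"). Also note that `split(permit_owners_list, a)` relies on the default FS, so the list must be whitespace-separated; a comma-separated value would silently exempt nobody.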
@@ -552,8 +557,13 @@
fi
done
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $5 && $5 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $5 && $5 != "root" && !permit_owners[$1] \
{ print "user " $1 " " $2 " file is owned by " $5 }
$3 ~ /^-...r/ && (!usergroups || $6 != $1) \
{ print "user " $1 " " $2 " file is group readable" }
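Review bot: the `-v "permit_owners_list=..."` assignment and the BEGIN block building permit_owners are a verbatim copy of the ones in the home-directory check above and appear a third time in the next hunk; define the prologue once in a shell variable, e.g. `permit_owners_awk='BEGIN { split(permit_owners_list, a); for (i in a) permit_owners[a[i]]++ }'`, and splice it into each awk program so the three copies cannot drift apart.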
@@ -581,8 +591,13 @@
fi
done
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $5 && $5 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $5 && $5 != "root" && !permit_owners[$1] \
{ print "user " $1 " " $2 " file is owned by " $5 }
$3 ~ /^-....w/ && (!usergroups || $6 != $1) \
{ print "user " $1 " " $2 " file is group writable" }
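Review bot: with `!permit_owners[$1]` added to this ownership test as well, a listed user gets no ownership warning for any of the checked dot files, not just for the home directory itself; that is what the man page text promises, but it means security(8) stays silent if, say, such a user's .rhosts or .forward ends up owned by an unrelated account, so the list should be kept to the minimum (the uucp users from the commit message) and this trade-off is worth a sentence in security.conf.5.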
diff -r 4df754e869d7 -r c174ef39c7f6 share/man/man5/security.conf.5
--- a/share/man/man5/security.conf.5 Wed Nov 06 19:30:20 2013 +0000
+++ b/share/man/man5/security.conf.5 Wed Nov 06 19:37:05 2013 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: security.conf.5,v 1.39 2012/04/05 09:15:56 wiz Exp $
+.\" $NetBSD: security.conf.5,v 1.40 2013/11/06 19:37:06 spz Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
@@ -171,6 +171,11 @@
.Sy check_homes
phase, allow the checked files to be group-writable if the group name is
the same as the username.
+.It Sy check_homes_permit_other_owner
+During the
+.Sy check_homes
+phase, allow the home directory and files of the listed users to be owned
+by a different user.
.It Sy check_devices_ignore_fstypes
Lists filesystem types to ignore during the
.Sy check_devices
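Review bot: the new check_homes_permit_other_owner entry gives neither the value's format nor its default; following the "Lists ..." wording of check_devices_ignore_fstypes, say that it lists the user names (space-separated) whose home directory and files may be owned by a different user, and that it defaults to empty.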