NetBSD Problem Report #29173

From www@netbsd.org  Mon Jan 31 17:05:49 2005
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
	id 5DCB563B400; Mon, 31 Jan 2005 17:05:49 +0000 (UTC)
Message-Id: <20050131170549.5DCB563B400@narn.netbsd.org>
Date: Mon, 31 Jan 2005 17:05:49 +0000 (UTC)
From: tikhonoff@users.sourceforge.net
Reply-To: tikhonoff@users.sourceforge.net
To: gnats-bugs@netbsd.org
Subject: This script finds all world-writable elements of dangerous directories in a filesystem.
X-Send-Pr-Version: www-1.0

>Number:         29173
>Category:       misc
>Synopsis:       This script finds all world-writable elements of dangerous directories in a filesystem.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    reed
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 31 17:06:00 +0000 2005
>Closed-Date:    
>Last-Modified:  Fri Sep 30 14:19:03 +0000 2005
>Originator:     Alexandr S. Tikhonoff
>Release:        NetBSD 1.6
>Organization:
ASTI
>Environment:
NetBSD 1.6 NetBSD 1.6 (GENERIC) #0: Sun Sep 8 19:43:40 UTC 2002   autobuild@tgm.daemon.org:/autobuild/i386/OBJ/autobuild/src/sys/arch/i386/compile/GENERIC i386
>Description:
	This script finds all world-writable elements of dangerous directories
	in a filesystem. Frequently many "interesting" objects accumulate there
	and escape the administrator's attention. This problem may be
	especially serious on a multi-user platform.

>How-To-Repeat:

>Fix:
--- Security	Tue Jan 25 04:41:09 2005
+++ SecurityEditer	Tue Jan 25 04:42:01 2005
@@ -911,3 +911,15 @@
 	fi
 fi

+#
+# Find all world writeable elements of dangerous directories in a filesystem. 
+#
+
+  echo "File permission errors "
+  date
+  find /bin -perm +0002 -print
+  find /sbin -perm +0002 -print
+  find /etc -perm +0002 -print
+  find /usr/bin -perm +0002 -print
+  find /usr/sbin -perm +0002 -print
+  find /root -perm +0002 -print
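Review bot: the `-perm +0002` predicate on all six find(1) lines should be `-perm -0002`, the form find(1) documents for "all of these bits set" and the one the later reply in this PR asks for; as written the intent of `+` is unclear. The walk also does not exclude symbolic links, which are matched on their own mode bits rather than the target's, so add `! -type l` before `-print`. Unlike the neighbouring checks in /etc/security, this block has no `checkyesno` guard and no security.conf(5) setting, so it cannot be turned off, and the `echo "File permission errors "` header plus `date` are printed even when nothing is found; collect the find output into a file and print the header only when it is non-empty, as the surrounding script does with `$LIST`. Finally, six separate find(1) invocations could be one `find /bin /sbin /etc /usr/bin /usr/sbin /root ...` call, and the `+++ SecurityEditer` header should name the in-tree file (etc/security) so the patch applies with `patch -p0`.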

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: misc-bug-people->security-officer
Responsible-Changed-By: fair@netbsd.org
Responsible-Changed-When: Sat, 16 Jul 2005 20:28:29 +0000
Responsible-Changed-Why:

This problem report is more properly the province of the
NetBSD Security Officer.



Responsible-Changed-From-To: security-officer->elad
Responsible-Changed-By: elad@netbsd.org
Responsible-Changed-When: Sun, 18 Sep 2005 17:00:28 +0000
Responsible-Changed-Why:
I'll handle it...


State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Sat, 24 Sep 2005 10:29:00 +0000
State-Changed-Why:
Half-baked ``solution'' to a problem I can't put my finger on.


From: "Jeremy C. Reed" <reed@reedmedia.net>
To: elad@netbsd.org
Cc: netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org,
	gnats-admin@netbsd.org, tikhonoff@users.sourceforge.net
Subject: Re: misc/29173
Date: Sat, 24 Sep 2005 09:51:37 -0700 (PDT)

 On Sat, 24 Sep 2005 elad@netbsd.org wrote:

 > Half-baked ``solution'' to a problem I can't put my finger on.

 This is not a fair response to someone who filed a legitimate PR. (Maybe 
 there was discussion not included in the PR?)

 "Find all world writeable elements of dangerous directories in a 
 filesystem" is a great idea.

 This could be added to /etc/security and /etc/defaults/security.conf as 
 check_worldwritable.

 I'd just have it check entire filesystem and not selected directories, but 
 that would be easy with another security.conf(5) setting: 
 check_worldwritable_dirs="/" or check_worldwritable_dirs="/bin /sbin", 
 etc.

 The find option in the PR should use -0002 instead of +0002. Also it 
 should exclude symlinks.

 Please reopen this PR.

 Here is a simple, untested idea:

 # Find all world writeable files
 if checkyesno check_worldwritable ; then
  	check_worldwritable_dirs=${check_worldwritable_dirs:-/}
  	find ${check_worldwritable_dirs} -perm -0002 \
  		\! -type l -ls > $LIST 2> $ERR

  	# Display any errors that occurred during system file walk.
  	if [ -s $ERR ] ; then
  		echo World writable find errors:
  		cat $ERR
  		echo
  	fi
  	if [ -s $LIST ] ; then
  		echo World writable files:
  		cat $LIST
  		echo
  	fi
 fi


 Also another variable could be used to exclude, such as:
 check_worldwritable_exclude="/tmp /var/tmp"
 maybe using grep or parsing and putting on find command itself.

   Jeremy C. Reed

   BSD News, BSD tutorials, BSD links
   http://www.bsdnewsletter.com/

State-Changed-From-To: closed->open
State-Changed-By: elad@netbsd.org
State-Changed-When: Sat, 24 Sep 2005 21:12:14 +0000
State-Changed-Why:
Re-open at reed@'s request. Perhaps if I close all PRs someone will reply with a fix for them? :)


From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: misc/29173
Date: Sat, 24 Sep 2005 19:19:52 -0700 (PDT)

 I will test this (and improve as needed) for a week or so and commit to 
 /etc/security (and /etc/defaults/security.conf). I will keep it disabled 
 by default when committed so it won't break anything for more testing.

 Feel free to assign this pr to "reed" if you want.

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: matthew green <mrg@eterna.com.au>
Cc: gnats-bugs@netbsd.org
Subject: re: misc/29173 
Date: Sat, 24 Sep 2005 19:24:52 -0700 (PDT)

 On Sun, 25 Sep 2005, matthew green wrote:

 > FWIW, i really don't want yet another global find(1) in
 > /etc/{daily,security} and if this feature isn't enabled by default
 > then it's largely useless.

 I just got this after I sent my other email a moment ago.

 I am doing the find immediately before the "check_devices" find in the 
 hope that it will still be cached.

 (This reminds me that many times I have thought it would be useful to have 
 a "multifind" tool that can output to different file handles its results.)

 My plan is to enable by default.

 Checking for world writable files is common and seems like a good addition 
 to /etc/security. (I think it is more important than some checks 
 already there.)

 Anyone else have a thought on this?

   Jeremy C. Reed

   BSD News, BSD tutorials, BSD links
   http://www.bsdnewsletter.com/

From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org
Cc: elad@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: misc/29173 
Date: Sun, 25 Sep 2005 14:25:50 +1000

 while i agree this functionality is pretty useful, i strongly object
 to any additional "find /"'s being added to the default install.

 i don't believe most systems' caches are large enough for this not to
 cycle the inode cache twice.  a single find should be run (if any of
 the users of it want it) and then each user of the output should parse
 for their files.  your "multifind" idea would also work, if you could
 be convinced to code it up ;-)


 thanks.


 .mrg.
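The two suggestions in this thread can be put together in one script: reed@'s check_worldwritable with check_worldwritable_dirs and check_worldwritable_exclude settings, and mrg@'s point that a single find(1) should run and each check should parse its output. What follows is an added example written for this page; it is not NetBSD's /etc/security and not code from any message above. The three check_worldwritable* names come from the thread; the function names, the -prune handling of the exclusion list, the awk consumers and the fixture files are this example's own assumptions. It needs only sh, find, ls and awk.

```sh
#!/bin/sh
# Added example; not NetBSD's /etc/security and not code from the PR thread.
# Combines reed@'s check_worldwritable_dirs / check_worldwritable_exclude
# settings (names from the thread) with mrg@'s "one walk, many consumers"
# requirement. Function names, -prune handling and awk consumers are
# assumptions made here. Needs: sh, find, ls, awk.

# Constructed fixture (hypothetical files) so the walk runs offline.
make_fixture() {
    umask 022
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/bin" "$fx/etc" "$fx/tmp"
    : > "$fx/bin/ok";       chmod 0755 "$fx/bin/ok"       # clean
    : > "$fx/bin/ww";       chmod 0757 "$fx/bin/ww"       # world-writable
    : > "$fx/bin/suid";     chmod 4755 "$fx/bin/suid"     # setuid only
    : > "$fx/etc/both";     chmod 4666 "$fx/etc/both"     # setuid and ww
    : > "$fx/tmp/scratch";  chmod 0666 "$fx/tmp/scratch"  # in excluded dir
    ln -s "$fx/bin/ww" "$fx/etc/link"   # symlink: must not be reported
    printf '%s\n' "$fx"
}

# One find(1) over check_worldwritable_dirs. Directories listed in
# check_worldwritable_exclude are pruned from the walk, symlinks are
# skipped (find tests a link's own mode bits, not the target's), and every
# file any consumer cares about is emitted as one ls(1) line. Consumers
# parse that listing instead of walking the filesystem again.
walk_once() {
    set --
    for e in ${check_worldwritable_exclude:-}; do
        if [ $# -eq 0 ]; then
            set -- \( -path "$e"
        else
            set -- "$@" -o -path "$e"
        fi
    done
    if [ $# -gt 0 ]; then
        set -- "$@" \) -prune -o
    fi
    find ${check_worldwritable_dirs:-/} "$@" ! -type l \
        \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Consumers: field 1 is the mode string, the last field the path. Other-write
# is character 9, setuid character 4 (s, or S when not executable). Paths
# containing spaces would need a different listing format; the fixture has none.
worldwritable_from_listing() { awk 'substr($1, 9, 1) == "w" { print $NF }'; }
setuid_from_listing()        { awk 'substr($1, 4, 1) ~ /[sS]/ { print $NF }'; }

# What an /etc/security check would do: walk once, report per check.
run_checks() {
    listing=$(walk_once)
    echo "World writable files:"
    printf '%s\n' "$listing" | worldwritable_from_listing
    echo
    echo "Setuid files:"
    printf '%s\n' "$listing" | setuid_from_listing
}

# Stand-alone demo against the fixture, with the fixture's tmp excluded.
fx=$(make_fixture)
check_worldwritable_dirs=$fx
check_worldwritable_exclude=$fx/tmp
run_checks
rm -rf "$fx"
```

Against the fixture the world-writable list is bin/ww and etc/both, the setuid list is bin/suid and etc/both, and tmp/scratch and the etc/link symlink are not reported. Dropping the exclusion setting adds tmp/scratch to the first list. Adding a third check (setgid, say) means another awk consumer over the saved listing, not another find(1).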

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: matthew green <mrg@eterna.com.au>
Cc: gnats-bugs@netbsd.org
Subject: re: misc/29173 
Date: Sat, 24 Sep 2005 23:17:07 -0700 (PDT)

 On Sun, 25 Sep 2005, matthew green wrote:

 > for their files.  your "multifind" idea would also work, if you could
 > be convinced to code it up ;-)

 I am working on it. I posted to tech-userlevel.

   Jeremy C. Reed

   technical support & remote administration
   http://www.pugetsoundtechnology.com/

Responsible-Changed-From-To: elad->reed
Responsible-Changed-By: elad@netbsd.org
Responsible-Changed-When: Fri, 30 Sep 2005 14:19:03 +0000
Responsible-Changed-Why:
reed@ said he'll handle it.

Btw: I've been missing emails about this PR even though I was listed as responsible for it. :/


>Unformatted:

Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.