Merged our changes back into 4.4BSD version.

Can't do "find -ls" since we need to store the date in an absolute format
(ls -T).  Use "find -print0" | xargs -0 instead.

src/etc/security

@@ -1,7 +1,9 @@
 #!/bin/sh -
 #
-#	$OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $
+#	$OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $
+#	from: @(#)security	8.1 (Berkeley) 6/9/93
 #
+
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 
 umask 077
@@ -14,7 +16,6 @@ TMP3=$DIR/_secure4
 LIST=$DIR/_secure5
 OUTPUT=$DIR/_secure6
 
-
 if ! mkdir $DIR ; then
 	printf "tmp directory %s already exists, looks like:\n" $DIR
 	ls -alF $DIR
@@ -35,7 +36,7 @@ awk -F: '{
 	if ($1 ~ /^[+-].*$/)
 		next;
 	if ($1 == "")
-		printf("Line %d has an empty login field.\n",NR);
+		printf("Line %d has an empty login field.\n", NR);
 	else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
 		printf("Login %s has non-alphanumeric characters.\n", $1);
 	if (length($1) > 8)
@@ -104,7 +105,7 @@ awk -F: '{
 		next;
 	if (NF != 4)
 		printf("Line %d has the wrong number of fields.\n", NR);
-	if ($1 !~ /^[A-za-z0-9]*$/)
+	if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
 		printf("Group %s has non-alphanumeric characters.\n", $1);
 	if (length($1) > 8)
 		printf("Group %s has more than 8 characters.\n", $1);
@@ -160,7 +161,7 @@ end-of-csh
 done
 if [ $umaskset = "no" -o -s $OUTPUT ] ; then
 	printf "\nChecking root csh paths, umask values:\n$list\n"
-	if [ -s $OUTPUT ]; then
+	if [ -s $OUTPUT ] ; then
 		cat $OUTPUT
 	fi
 	if [ $umaskset = "no" ] ; then
@@ -204,7 +205,7 @@ end-of-sh
 done
 if [ $umaskset = "no" -o -s $OUTPUT ] ; then
 	printf "\nChecking root sh paths, umask values:\n$list\n"
-	if [ -s $OUTPUT ]; then
+	if [ -s $OUTPUT ] ; then
 		cat $OUTPUT
 	fi
 	if [ $umaskset = "no" ] ; then
@@ -234,17 +235,17 @@ list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
 for f in $list ; do
 	if [ -s $f ] ; then
 		awk '{
-			if ($0 ~ /^\+@.*$/ )
+			if ($0 ~ /^\+@.*$/)
 				next;
-			if ($0 ~ /^\+.*$/ )
+			if ($0 ~ /^\+.*$/)
 				printf("\nPlus sign in %s file.\n", FILENAME);
 		}' $f
 	fi
 done
 
-# Check for special users with .rhosts/.shosts files.  Only root should
-# have .rhosts/.shosts files.  Also, .rhosts/.shosts files
-# should not have plus signs.
+# Check for special users with .rhosts/.shosts files.  Only root
+# should have .rhosts/.shosts files.  Also, .rhosts/.shosts
+# files should not have plus signs.
 awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \
 	($3 < 100 || $1 == "ftp" || $1 == "uucp") \
 		{ print $1 " " $6 }' /etc/passwd |
@@ -264,13 +265,13 @@ fi
 awk -F: '{ print $1 " " $6 }' /etc/passwd | \
 while read uid homedir; do
 	for j in .rhosts .shosts; do
-		if [ -f ${homedir}/$j ] ; then
+		if [ -s ${homedir}/$j ] ; then
 			awk '{
 				if ($0 ~ /^+@.*$/ )
 					next;
 				if ($0 ~ /^\+[ 	]*$/ )
 					printf("%s has + sign in it.\n",
-					    FILENAME);
+						FILENAME);
 			}' ${homedir}/$j
 		fi
 	done
@@ -282,7 +283,7 @@ fi
 
 # Check home directories.  Directories should not be owned by someone else
 # or writeable.
-awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \
+awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \
 while read uid homedir; do
 	if [ -d ${homedir}/ ] ; then
 		file=`ls -ldgT ${homedir}`
@@ -313,6 +314,8 @@ while read uid homedir; do
 done |
 awk '$1 != $5 && $5 != "root" \
 	{ print "user " $1 " " $2 " file is owned by " $5 }
+     $3 ~ /^-...r/ \
+	{ print "user " $1 " " $2 " file is group readable" }
      $3 ~ /^-......r/ \
 	{ print "user " $1 " " $2 " file is other readable" }
      $3 ~ /^-....w/ \
@@ -354,36 +357,36 @@ if [ -s $OUTPUT ] ; then
 	cat $OUTPUT
 fi
 
-if [ -f /etc/exports ]; then
-    # File systems should not be globally exported.
-    awk '{
-	if ($1 ~ /^#/)
-		next;
-	readonly = 0;
-	for (i = 2; i <= NF; ++i) {
-		if ($i ~ /-ro/)
-			readonly = 1;
-		else if ($i !~ /^-/)
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+	awk '{
+		if ($1 ~ /^#/)
 			next;
-	}
-	if (readonly)
-		print "File system " $1 " globally exported, read-only."
-	else
-		print "File system " $1 " globally exported, read-write."
-    }' < /etc/exports > $OUTPUT
-    if [ -s $OUTPUT ] ; then
-	printf "\nChecking for globally exported file systems.\n"
-	cat $OUTPUT
-    fi
+		readonly = 0;
+		for (i = 2; i <= NF; ++i) {
+			if ($i ~ /-ro/)
+				readonly = 1;
+			else if ($i !~ /^-/)
+				next;
+		}
+		if (readonly)
+			print "File system " $1 " globally exported, read-only."
+		else
+			print "File system " $1 " globally exported, read-write."
+	}' < /etc/exports > $OUTPUT
+	if [ -s $OUTPUT ] ; then
+		printf "\nChecking for globally exported file systems.\n"
+		cat $OUTPUT
+	fi
 fi
 
 # Display any changes in setuid/setgid files and devices.
 pending="\nChecking setuid/setgid files and devices:\n"
 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
-		-o -fstype procfs \) -a -prune -o \
-	-type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \
-	! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \
-sort > $LIST) 2> $OUTPUT
+	-o -fstype procfs \) -a -prune -o \
+	-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
+	! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \
+xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
 
 # Display any errors that occurred during system file walk.
 if [ -s $OUTPUT ] ; then
@@ -394,7 +397,7 @@ if [ -s $OUTPUT ] ; then
 fi
 
 # Display any changes in the setuid/setgid file list.
-egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1
+egrep -v '^[bc]' $LIST > $TMP1
 if [ -s $TMP1 ] ; then
 	# Check to make sure uudecode isn't setuid.
 	if grep -w uudecode $TMP1 > /dev/null ; then
@@ -410,7 +413,7 @@ if [ -s $TMP1 ] ; then
 			:
 		else
 			> $TMP2
-			join -112 -212 -v2 $CUR $TMP1 > $OUTPUT
+			join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
 			if [ -s $OUTPUT ] ; then
 				printf "${pending}Setuid additions:\n"
 				pending=
@@ -418,7 +421,7 @@ if [ -s $TMP1 ] ; then
 				printf "\n"
 			fi
 
-			join -112 -212 -v1 $CUR $TMP1 > $OUTPUT
+			join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
 			if [ -s $OUTPUT ] ; then
 				printf "${pending}Setuid deletions:\n"
 				pending=
@@ -426,7 +429,7 @@ if [ -s $TMP1 ] ; then
 				printf "\n"
 			fi
 
-			sort +11 $TMP2 $CUR $TMP1 | \
+			sort +9 $TMP2 $CUR $TMP1 | \
 			    sed -e 's/[	 ][	 ]*/ /g' | uniq -u > $OUTPUT
 			if [ -s $OUTPUT ] ; then
 				printf "${pending}Setuid changes:\n"
@@ -450,7 +453,7 @@ fi
 # Check for block and character disk devices that are readable or writeable
 # or not owned by root.operator.
 >$TMP1
-DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd"
+DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
 for i in $DISKLIST; do
 	egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
 	egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
@@ -527,7 +530,7 @@ fi
 # the hacker can modify the tree specification to match the replaced binary.
 # For details on really protecting yourself against modified binaries, see
 # the mtree(8) manual page.
-if [ -d /etc/mtree ]; then
+if [ -d /etc/mtree ] ; then
 	cd /etc/mtree
 	mtree -e -p / -f /etc/mtree/special > $OUTPUT
 	if [ -s $OUTPUT ] ; then
@@ -540,7 +543,7 @@ if [ -d /etc/mtree ]; then
 		[ $file = '*.secure' ] && continue
 		tree=`sed -n -e '3s/.* //p' -e 3q $file`
 		mtree -f $file -p $tree > $TMP1
-		if [ -s $TMP1 ]; then
+		if [ -s $TMP1 ] ; then
 			printf "\nChecking $tree:\n" >> $OUTPUT
 			cat $TMP1 >> $OUTPUT
 		fi
@@ -560,7 +563,7 @@ if [ -s /etc/changelist ] ; then
 	for file in `cat /etc/changelist`; do
 		CUR=/var/backups/`basename $file`.current
 		BACK=/var/backups/`basename $file`.backup
-		if [ -s $file ]; then
+		if [ -s $file ] ; then
 			if [ -s $CUR ] ; then
 				diff $CUR $file > $OUTPUT
 				if [ -s $OUTPUT ] ; then