millert
be9f1ce9eb
Use $file shorthand instead of specifying /var/backups/disklabel.$d.
Noticed by ian@
20 years ago
millert
a117f51a18
store a copy of the disklabel for mounted filesystems and report changes
OK deraadt@
20 years ago
otto
8610a95b88
Update based on PR 2208:
o Prepare for the update to join(1).
o Handle non-ascii chars in pathnames for setuid and device checks.
ok millert@ deraadt@
21 years ago
sturm
6a07898f48
fix regexp for group names
ok millert@
21 years ago
millert
647d0cdbb1
when testing passwd(5) expire field, force its value to an int before
checking for non-zero since an empty field is equivalent to 0.
Problem noted by Graeme Lee.
21 years ago
millert
c3a8fa3c18
Fix setting of umaskset. Also, there is no need to use TMP3 for
umask detection.
21 years ago
millert
ba8f3ee996
We need the "/ 10" in the group writability check after all; marc@
21 years ago
millert
c877ad0d6f
Make the test for unsafe umask more bullet-proof. With help from marc@
21 years ago
avsm
ef01e76670
some more extra mktemp randomness; millert@ ok
21 years ago
grange
bccca5e422
The hyphen in regexp should really be escaped
ok millert@
21 years ago
millert
2e71a0e51b
Add dot ('.') in usernames too for consistency with adduser/useradd.
Noted by Brian Poole
21 years ago
millert
cf8c1465dc
Don't complain about usernames that end in '$' which may be needed by
samba; this is consistent with useradd and adduser. From Dan Brosemer.
21 years ago
millert
642ff1ce89
Use POSIX chown semantics (user:group); noted by Leandro Costa
22 years ago
millert
8736cb4dab
put bin dirs before sbin dirs in PATH for consistency with other cron scripts
22 years ago
henning
e07978f161
writeable -> writable; torh at bogus dot net
22 years ago
pvalchev
35165da9c8
check account expiration time as well; from hamajima@nagoya.ydc.co.jp pr2835
22 years ago
jcs
0b40d89296
don't complain about our new usernames that start with underscores
deraadt and millert ok
22 years ago
millert
8596724be4
Check for S/Key entries in /etc/skey, not /etc/skeyeys; David Krause
We could use skeyinfo(1) to check but this is much cheaper.
22 years ago
pvalchev
8f3f4efdd9
use mktemp; help & ok millert
23 years ago
jakob
79bd272191
mtree -l (loose permissions check) on /etc/mtree/special. ok millert@.
23 years ago
brad
90f9fa54db
fix username and groupname length checks.
--
Patch from: wilfried@ via PR#1761
Ok'd by: deraadt@
24 years ago
millert
291b1c42d4
Skip entries starting with '+' in duplicate user ID check so we don't
get false positives for YP stuff. Closes PR 1755
24 years ago
millert
678f2ac821
Don't provide diffs of sensitive files like ssh host keys. Instead,
just save the md5 checksums so we can still determine when something
changes. Entries in /etc/changelist that are prefixed with a '+'
will only have their md5 checksums saved, not the actual files.
24 years ago
millert
e2f7d1725e
Add ~/.ssh/id_dsa and ~/.ssh/id_rsa to the "must be owned by user and
not readable by other" block. Remove ~/.ssh/random_seed as it is
not used in OpenSSH.
Add ~/.ssh/authorized_keys2, and ~/.ssh/known_hosts to the "must be
owned by user and not writable" block.
24 years ago
deraadt
ac223fc9c0
more fat utmp; ianm@cit.uws.edu.au
24 years ago
todd
06e9a61dc6
gnupg ring/data ownership/permission checking added; ok millert@
24 years ago
marc
39a1183d94
Todd, Aaron, Dug, and me all prefer unidiff
24 years ago
millert
95c109f653
Since sh's builtin echo(1) supports /t and /n there is no reason to
use printf(1) here. This way there is no possibility of format
string problems and we use a shell builtin instead of an external
command.
24 years ago
hugh
ac5c85ae03
printf(1) format string fixes! checked by theo.
inspiration from dynamo@ime.net .
also a typo fix.
24 years ago
aaron
0a2ee57885
When including the listing of a directory in root's security mail, pass the
-q flag to ls(1) so that non-printable characters will appear as '?'. This
prevents a malicious user from fooling the administrator into thinking the
contents of a file name are actually valid script output (note that you can
put newlines in file names); deraadt@ ok
24 years ago
rohee
f69c6ad0ce
Add a little blurb explaining the meaning of mtree's output.
millert@ ok.
24 years ago
todd
c1a88d66cc
fix inspired by pr 744 from karls@inet.no
changed so files are e.g. backups/etc_passwd not backups/_etc_passwd
24 years ago
aaron
d57c53f78c
Capitalize 'id' to be consistent with our man pages.
24 years ago
millert
71b4a7b88d
sendmail support files now live in /etc/mail
25 years ago
aaron
9f8e4d853e
existance -> existence
25 years ago
millert
8ea805fe52
match /dev/fd{0,1,2,3}{,B,C,D,E,F,G,H}[abcdefghijklmnop] when doing device checks; closes PR #750
25 years ago
espie
bad13e3a6b
Give line printout along with line number.
25 years ago
deraadt
aad99d26ce
make /var/backups same as mtree says; mickey
26 years ago
millert
646731011d
don't include FIFOs in check for set[ug]id files and devices; andrew@nfr.net
26 years ago
marc
692caaedb2
better checks for . in path from "Denis A. Doroshenko" <cyxob@isl.vtu.lt>
26 years ago
todd
4003b60995
Check a few more DOTfiles that could potentially compromise security on a per
user basis.
27 years ago
marc
0b582277ad
fix ksh.kshrc; check ksh.kshrc, .kshrc for owner/mode/path
27 years ago
millert
f8b73365a5
Deal with non-existent /etc/skeykeys
27 years ago
deraadt
eadfd2f525
be more careful during termination
27 years ago
deraadt
b7fb34043d
completely avoid master.passwd in the changelist processing; jbernard@tater.mines.edu
27 years ago
deraadt
5d22791c21
handling for closed home directories; yensid@afri.imsa.edu
27 years ago
deraadt
dc14af3f0f
oops, detect blowfish-a as OK; yensid@imsa.edu, PR#321
27 years ago
deraadt
699300c397
better path handling; jbernard@tater.mines.edu, netbsd pr#3995
27 years ago
millert
13286d26c2
/etc/profile should be checked along with .profile for consistency with
/etc/csh.login and .login. From Chris Jones <cjones@rupert.oscs.montana.edu>
27 years ago
flipk
e64c7ac1e7
1. ignore blank lines
2. /-ro/ -> /^-ro$/ : allows hostnames containing "*-ro*" and
ignores "-root"
27 years ago