diff options
author | trhodes <trhodes@FreeBSD.org> | 2006-08-25 07:34:36 +0000 |
---|---|---|
committer | trhodes <trhodes@FreeBSD.org> | 2006-08-25 07:34:36 +0000 |
commit | f21ca27dec120ddd47431efedfd649193c779f87 (patch) | |
tree | 24689f32b6ff7d72fc6d4d609fa5ba7b33d30496 /etc/periodic | |
parent | 31d250192d20e47d63a122189d1487f80e624dc1 (diff) | |
download | FreeBSD-src-f21ca27dec120ddd47431efedfd649193c779f87.zip FreeBSD-src-f21ca27dec120ddd47431efedfd649193c779f87.tar.gz |
Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.
Head nod: ru, rwatson
Diffstat (limited to 'etc/periodic')
-rw-r--r-- | etc/periodic/security/410.logincheck | 52 | ||||
-rw-r--r-- | etc/periodic/security/Makefile | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck new file mode 100644 index 0000000..ab4ab65 --- /dev/null +++ b/etc/periodic/security/410.logincheck @@ -0,0 +1,52 @@ +#!/bin/sh - +# +# Copyright (c) 2006 Tom Rhodes +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_security_logincheck_enable" in + [Yy][Ee][Ss]) + echo "" + echo 'Checking login.conf permissions:' + if [ -G /etc/login.conf -a -O /etc/login.conf ] then + n=0 + else + echo "Bad ownership of /etc/login.conf" + n=1 + fi + [ $n -gt 0 ] && rc=1 || rc=0;; + *) rc=0;; +esac + +exit "$rc" diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile index caf772c..c7a9b2b 100644 --- a/etc/periodic/security/Makefile +++ b/etc/periodic/security/Makefile @@ -4,6 +4,7 @@ FILES= 100.chksetuid \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ + 410.logincheck \ 500.ipfwdenied \ 510.ipfdenied \ 520.pfdenied \ |