From f21ca27dec120ddd47431efedfd649193c779f87 Mon Sep 17 00:00:00 2001 From: trhodes Date: Fri, 25 Aug 2006 07:34:36 +0000 Subject: Add login.conf checking to periodic security scripts. If the login.conf file is not UID/GID 0, limits will be ignored and a strange error sent to auth.log. Head nod: ru, rwatson --- etc/periodic/security/410.logincheck | 52 ++++++++++++++++++++++++++++++++++++ etc/periodic/security/Makefile | 1 + 2 files changed, 53 insertions(+) create mode 100644 etc/periodic/security/410.logincheck (limited to 'etc/periodic') diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck new file mode 100644 index 0000000..ab4ab65 --- /dev/null +++ b/etc/periodic/security/410.logincheck @@ -0,0 +1,52 @@ +#!/bin/sh - +# +# Copyright (c) 2006 Tom Rhodes +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_security_logincheck_enable" in + [Yy][Ee][Ss]) + echo "" + echo 'Checking login.conf permissions:' + if [ -G /etc/login.conf -a -O /etc/login.conf ] then + n=0 + else + echo "Bad ownership of /etc/login.conf" + n=1 + fi + [ $n -gt 0 ] && rc=1 || rc=0;; + *) rc=0;; +esac + +exit "$rc" diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile index caf772c..c7a9b2b 100644 --- a/etc/periodic/security/Makefile +++ b/etc/periodic/security/Makefile @@ -4,6 +4,7 @@ FILES= 100.chksetuid \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ + 410.logincheck \ 500.ipfwdenied \ 510.ipfdenied \ 520.pfdenied \ -- cgit v1.1