[Bug 1054477] [NEW] check-diskfree ignores fs with media anywhere in mount path

2012-09-22 Thread Martin Carpenter
Public bug reported:

check-diskfree attempts to exclude external automatically mounted disks
by removing mount paths containing media/ from the output of df(1),
like so:

df -klP |
grep ^/ |
grep -v /media/ |
...

If you have a standard filesystem mounted at, say, /mnt/media/press (any
mount point with media as the non-terminating component), then this will
be unintentionally excluded.

Suggested fix:

42c42
 grep -v /media/ |
---
 grep -v ^/media/ |
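
Review bot: the ^ in the replacement line anchors at the start of the df line, which after `grep ^/` is the device name in the first column; `df -klP` prints the mount point in the last column. As written, `grep -v ^/media/` only drops lines whose device path begins with /media/, so filesystems mounted under /media/ would no longer be excluded at all. Suggest matching on the mount-point column instead, for example `grep -v ' /media/'` or an awk test on the last field.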

** Affects: checksecurity (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to checksecurity in Ubuntu.
https://bugs.launchpad.net/bugs/1054477

Title:
  check-diskfree ignores fs with media anywhere in mount path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/checksecurity/+bug/1054477/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1048248] [NEW] check-setuid does not check all filesystems

2012-09-09 Thread Martin Carpenter
Public bug reported:


Description: Ubuntu 12.04.1 LTS
Release: 12.04
ii  checksecurity  2.0.14ubuntu1  basic system security checks

Symptom: check-setuid reporting results look strange/incomplete on
initial run:

--- setuid.today2012-09-09 15:09:26.858820173 +0200
+++ /var/log/setuid/setuid.new.tmp  2012-09-09 15:09:26.858820173 +0200
@@ -0,0 +1,7 @@
+  128575  4755   1 root   root   31304 Fri Mar  2 
16:35:03.00 2012 ./bin/fusermount
+  128610  4755   1 root   root   94792 Fri Mar 30 
07:34:18.00 2012 ./bin/mount
+  128648  4755   1 root   root   35712 Tue Nov  8 
14:26:22.00 2011 ./bin/ping
+  128649  4755   1 root   root   40256 Tue Nov  8 
14:26:22.00 2011 ./bin/ping6
+  128676  4755   1 root   root   36832 Mon Apr  9 
04:32:06.00 2012 ./bin/su
+  128685  4755   1 root   root   69096 Fri Mar 30 
07:34:18.00 2012 ./bin/umount
+  136537  2755   1 root   shadow 35432 Thu Feb  9 
02:44:43.00 2012 ./sbin/unix_chkpwd

1. Does not appear to have examined /usr/bin (or anywhere else outside of /).
2. Paths are relative (./...).

The problem is the set of start paths given to find(1) in
/usr/share/checksecurity/check-setuid:

find `mount | grep -vE $CHECKSECURITY_FILTER | cut -d ' ' -f 3`

The grep -v excludes mount lines matching the pattern
CHECKSECURITY_FILTER.  CHECKSECURITY_FILTER is set in
/etc/checksecurity/check-setuid.conf by alternating CS_NFSAFS, CS_TYPES,
CS_OPTS, CS_DEVS, CS_DIRS. The first of these contains the bug:

CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
                                               ^ here

The pipe and closing parenthesis after nnpfs provide an empty term in
the alternation.  This matches any type and so all lines from mount(1)'s
output are excluded.

In the absence of an argument list find(1) uses the current working
directory (and -xdev ensures we don't escape from this directory).
(In the example output above /bin and /sbin are directories on the
root filesystem /. /usr is a separate filesystem). Consequently
check-setuid is not checking any other filesystem than /.

** Affects: checksecurity (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to checksecurity in Ubuntu.
https://bugs.launchpad.net/bugs/1048248

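
The empty-alternation behaviour described in the report above can be reproduced offline. This is an added example, not part of the original report or of the checksecurity package: the mount(1) sample is constructed, only the CS_NFSAFS term of the filter is applied, and `start_paths` and `safe_start_paths` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of mount(1) output (not taken from the bug report).
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sda2 on /usr type ext4 (rw)
fileserver:/export on /srv/nfs type nfs (rw,addr=192.0.2.10)'

# The two CS_NFSAFS values quoted in the report: before and after the fix.
CS_NFSAFS_BUGGY='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
CS_NFSAFS_FIXED='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'

# start_paths FILTER: same pipeline shape as check-setuid, fed the sample
# instead of live mount(1) output. Prints surviving mount points.
start_paths() {
    printf '%s\n' "$SAMPLE_MOUNT" | grep -vE "$1" | cut -d ' ' -f 3
}

# safe_start_paths FILTER: hypothetical guard. Fails instead of handing
# find(1) an empty argument list, which would make it scan only the
# current working directory.
safe_start_paths() {
    paths=$(start_paths "$1")
    if [ -z "$paths" ]; then
        echo "filter excluded every mounted filesystem" >&2
        return 1
    fi
    printf '%s\n' "$paths"
}

# The empty branch after "nnpfs|" matches "type " followed by anything,
# so every line is dropped; the fixed pattern drops only the nfs mount.
echo "buggy filter keeps: $(start_paths "$CS_NFSAFS_BUGGY" | tr '\n' ' ')"
echo "fixed filter keeps: $(start_paths "$CS_NFSAFS_FIXED" | tr '\n' ' ')"
safe_start_paths "$CS_NFSAFS_BUGGY" >/dev/null || echo "guard: refusing to scan"
```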


[Bug 1048248] Re: check-setuid does not check all filesystems

2012-09-09 Thread Martin Carpenter
I forgot the (trivial) fix:

51c51
 CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs|)|^(arla .* type xfs))'
---
 CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'
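
Review bot: nothing in this one-character change on line 51 stops the same failure from recurring: an empty branch in CS_NFSAFS or in any of the other CS_* terms would again filter out every mount line and leave find(1) with no start paths, silently falling back to the current directory. Suggest check-setuid also test that the filtered mount list is non-empty and report an error otherwise, so a bad pattern in check-setuid.conf is noticed rather than producing a partial setuid listing.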
