Module Name: src
Committed By: spz
Date: Wed Nov 6 19:37:06 UTC 2013
Modified Files:
src/etc: security
src/etc/defaults: security.conf
src/share/man/man5: security.conf.5
Log Message:
Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.
It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.
Fixes the second half of PR misc/36063
To generate a diff of this commit:
cvs rdiff -u -r1.114 -r1.115 src/etc/security
cvs rdiff -u -r1.25 -r1.26 src/etc/defaults/security.conf
cvs rdiff -u -r1.39 -r1.40 src/share/man/man5/security.conf.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/security
diff -u src/etc/security:1.114 src/etc/security:1.115
--- src/etc/security:1.114 Wed Nov 6 19:30:20 2013
+++ src/etc/security Wed Nov 6 19:37:05 2013
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: security,v 1.114 2013/11/06 19:30:20 spz Exp $
+# $NetBSD: security,v 1.115 2013/11/06 19:37:05 spz Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -529,8 +529,13 @@ if checkyesno check_homes; then
printf -- "$uid $file\n"
fi
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $4 && $4 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $4 && $4 != "root" && !permit_owners[$1] \
{ print "user " $1 " home directory is owned by " $4 }
$2 ~ /^d....w/ && (!usergroups || $5 != $1) \
{ print "user " $1 " home directory is group writable" }
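Review bot: The new exemption `!permit_owners[$1]` is keyed on the account name alone, so once a user appears in check_homes_permit_other_owner the ownership warning is suppressed whoever the actual owner in `$4` is, as long as it is not the user or root. For an audit script that is a wider blind spot than "owned by another user" suggests, since a later change of ownership to any other account would also go unreported. If that is intended, an awk comment in the BEGIN block such as `# listed users: any owner is accepted, not one specific owner` would make it explicit; a list of user:owner pairs would narrow it. The same condition is added in the hunks at -552 and -581, where it also silences the per-file "file is owned by" messages for listed users. The enclosing `if checkyesno check_homes` block starts and ends outside this hunk.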
@@ -552,8 +557,13 @@ if checkyesno check_homes; then
fi
done
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $5 && $5 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $5 && $5 != "root" && !permit_owners[$1] \
{ print "user " $1 " " $2 " file is owned by " $5 }
$3 ~ /^-...r/ && (!usergroups || $6 != $1) \
{ print "user " $1 " " $2 " file is group readable" }
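Review bot: Testing membership with `!permit_owners[$1]` creates an empty array element for every user name that is looked up; the awk idiom `!($1 in permit_owners)` performs the same test without that side effect, as in `$1 != $5 && $5 != "root" && !($1 in permit_owners) \`. The BEGIN block that builds the array is also repeated verbatim in the hunks at -529 and -581, so the three copies have to be kept in sync by hand. A short awk comment in each copy, for example `# names from check_homes_permit_other_owner, split on whitespace`, would help the next reader. The surrounding loop and the rest of the awk program lie outside this hunk.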
@@ -581,8 +591,13 @@ if checkyesno check_homes; then
fi
done
done < $MPBYPATH |
- awk -v "usergroups=$permit_usergroups" '
- $1 != $5 && $5 != "root" \
+ awk -v "usergroups=$permit_usergroups" \
+ -v "permit_owners_list=$check_homes_permit_other_owner" '
+ BEGIN {
+ split(permit_owners_list, a);
+ for (i in a) permit_owners[a[i]]++;
+ }
+ $1 != $5 && $5 != "root" && !permit_owners[$1] \
{ print "user " $1 " " $2 " file is owned by " $5 }
$3 ~ /^-....w/ && (!usergroups || $6 != $1) \
{ print "user " $1 " " $2 " file is group writable" }
Index: src/etc/defaults/security.conf
diff -u src/etc/defaults/security.conf:1.25 src/etc/defaults/security.conf:1.26
--- src/etc/defaults/security.conf:1.25 Wed May 1 05:36:25 2013
+++ src/etc/defaults/security.conf Wed Nov 6 19:37:05 2013
@@ -1,4 +1,4 @@
-# $NetBSD: security.conf,v 1.25 2013/05/01 05:36:25 agc Exp $
+# $NetBSD: security.conf,v 1.26 2013/11/06 19:37:05 spz Exp $
#
# /etc/defaults/security.conf --
# default configuration of /etc/security.conf
@@ -32,6 +32,7 @@ backup_uses_rcs=YES
diff_options=-u
check_homes_permit_usergroups=NO
+check_homes_permit_other_owner=""
check_devices_ignore_fstypes="!local fdesc kernfs null procfs ptyfs ntfs msdos"
check_devices_ignore_paths=""
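Review bot: The expected list format is not stated next to the new default `check_homes_permit_other_owner=""`. In src/etc/security the value is handed to awk and split with `split(permit_owners_list, a)`, which, as far as the visible awk program shows, uses the default separator, so the variable is a whitespace-separated list of user names. A comma-separated value would become one name that matches nobody, and the warnings would simply keep appearing. A one-line comment above the assignment such as `# whitespace-separated user names` would state this.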
Index: src/share/man/man5/security.conf.5
diff -u src/share/man/man5/security.conf.5:1.39 src/share/man/man5/security.conf.5:1.40
--- src/share/man/man5/security.conf.5:1.39 Thu Apr 5 09:15:56 2012
+++ src/share/man/man5/security.conf.5 Wed Nov 6 19:37:06 2013
@@ -1,4 +1,4 @@
-.\" $NetBSD: security.conf.5,v 1.39 2012/04/05 09:15:56 wiz Exp $
+.\" $NetBSD: security.conf.5,v 1.40 2013/11/06 19:37:06 spz Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
@@ -171,6 +171,11 @@ During the
.Sy check_homes
phase, allow the checked files to be group-writable if the group name is
the same as the username.
+.It Sy check_homes_permit_other_owner
+During the
+.Sy check_homes
+phase, allow the home directory and files of the listed users to be owned
+by a different user.
.It Sy check_devices_ignore_fstypes
Lists filesystem types to ignore during the
.Sy check_devices