Subject: Re: misc/29173
To: None <elad@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-bugs
Date: 09/24/2005 09:51:37
On Sat, 24 Sep 2005 elad@netbsd.org wrote:

> Half-baked ``solution'' to a problem I can't put my finger on.

This is not a fair response to someone who filed a legitimate PR. (Maybe 
there was discussion not included in the PR?)

"Find all world writeable elements of dangerous directories in a 
filesystem" is a great idea.

This could be added to /etc/security and /etc/defaults/security.conf as 
check_worldwritable.

I'd just have it check the entire filesystem and not selected directories, but 
that would be easy with another security.conf(5) setting: 
check_worldwritable_dirs="/" or check_worldwritable_dirs="/bin /sbin", 
etc.

The find option in the PR should use -0002 instead of +0002. Also it 
should exclude symlinks.

Please reopen this PR.

Here is a simple, untested idea:

# Find all world writeable files
if checkyesno check_worldwritable ; then
	check_worldwritable_dirs=${check_worldwritable_dirs:-/}
	# -perm -0002: other-write bit set; \! -type l: skip symlinks.
	find ${check_worldwritable_dirs} -perm -0002 \
		\! -type l -ls > $LIST 2> $ERR

	# Display any errors that occurred during system file walk.
	if [ -s $ERR ] ; then
		echo World writable find errors:
		cat $ERR
		echo
	fi
	if [ -s $LIST ] ; then
		echo World writable files:
		cat $LIST
		echo
	fi
fi


Also another variable could be used to exclude, such as:
check_worldwritable_exclude="/tmp /var/tmp"
maybe using grep or parsing and putting on find command itself.

  Jeremy C. Reed

  BSD News, BSD tutorials, BSD links
  http://www.bsdnewsletter.com/
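An added example, not part of this message, the PR, or NetBSD's /etc/security, that implements the check sketched in the message as a stand-alone POSIX sh script: a directory list, an exclusion list folded into the find expression with -prune (the "putting on find command itself" option), -perm -0002 rather than +0002, and symlinks skipped. The function names find_worldwritable and make_fixture, and the directory tree make_fixture builds, are assumptions of this example; the tree is constructed test data, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the PR or from NetBSD's /etc/security.
#
# find_worldwritable DIRS EXCLUDES
#   DIRS      whitespace-separated directories to walk (default "/")
#   EXCLUDES  whitespace-separated directories to prune from the walk,
#             written as find would print them (no trailing slash)
# Prints each world-writable, non-symlink path on stdout; find's own
# errors (unreadable directories and the like) stay on stderr.
find_worldwritable() {
    dirs=${1:-/}
    excludes=$2

    # Fold the exclusion list into one find expression:
    #   \( -path A -o -path B \) -prune -o
    # The positional parameters serve as the argument vector, since
    # POSIX sh has no arrays.
    set --
    for ex in $excludes; do
        if [ $# -eq 0 ]; then
            set -- -path "$ex"
        else
            set -- "$@" -o -path "$ex"
        fi
    done
    if [ $# -gt 0 ]; then
        set -- '(' "$@" ')' -prune -o
    fi

    # -perm -0002: the other-write bit must be set (mode & 0002 != 0).
    # ! -type l: skip symlinks, whose own mode is 0777 on most systems
    # and which would otherwise flood the report.
    find $dirs "$@" -perm -0002 ! -type l -print
}

# make_fixture: build a constructed directory tree (example data only)
# and print its path. Modes are set explicitly so the result does not
# depend on the caller's umask.
make_fixture() {
    root=$(mktemp -d) || return 1
    chmod 0700 "$root"
    mkdir -p "$root/etc" "$root/bin" "$root/tmp"
    chmod 0755 "$root/etc" "$root/bin"
    : > "$root/etc/good.conf";  chmod 0644 "$root/etc/good.conf"
    : > "$root/etc/bad.conf";   chmod 0666 "$root/etc/bad.conf"
    : > "$root/bin/loose";      chmod 0777 "$root/bin/loose"
    : > "$root/tmp/scratch";    chmod 0666 "$root/tmp/scratch"
    chmod 1777 "$root/tmp"      # sticky and world-writable by design
    ln -s "$root/etc/bad.conf" "$root/etc/link-to-bad"
    printf '%s\n' "$root"
}

# Demo: scan the fixture with its sticky tmp directory excluded, the way
# check_worldwritable_exclude="/tmp /var/tmp" would on a real host.
demo_root=$(make_fixture)
echo "World writable files under $demo_root (excluding $demo_root/tmp):"
find_worldwritable "$demo_root" "$demo_root/tmp"
rm -rf "$demo_root"
```

On the fixture this lists bin/loose and etc/bad.conf only: the symlink is skipped, and tmp is pruned so neither the 1777 directory nor the file inside it is reported. Without the exclusion, tmp and tmp/scratch are reported too, which is why sticky-bit scratch directories belong in the exclusion list rather than being treated as findings. Two caveats: -path matches the path as find prints it, so exclusions must be spelled relative to the directories walked; and the walk crosses mount points, so add find's -x (-xdev on GNU find) if a per-filesystem scan is wanted.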