Subject: Re: rc local [security]
To: None <tech-userlevel@NetBSD.org>
From: None <tlaronde@polynum.com>
List: tech-userlevel
Date: 03/20/2007 14:00:46
The patch about the /etc/security is incorrect since rcorder(8) always
prints the files in order and may return a non-zero status code if an
error was detected. Exiting if rcorder(8) returns non-zero is a security
fault since it aborts the script (skipping further checks), and since
the information about the inconsistency of the rc.d* set is of some
value.
Here is a corrected patch.
--
Thierry Laronde (Alceste) <tlaronde +AT+ polynum +dot+ com>
http://www.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
[Attachment: security.diff]
--- /usr/src/etc/security 2006-11-27 15:25:25.000000000 +0100
+++ etc/security 2007-03-20 13:53:35.000000000 +0100
@@ -60,6 +60,9 @@
PKGS=pkgs.$$
CHANGEFILES=changefiles.$$
SPECIALSPEC=specialspec.$$
+RC0=rc.d.$$
+RC1=rc.d.pkgsrc.$$
+RC2=rc.d.local.$$
# migrate_file old new
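Review bot: the three new temporaries RC0, RC1 and RC2 follow the PKGS/CHANGEFILES/SPECIALSPEC naming, so they also need to be added wherever those existing names are removed on exit; nothing in this hunk does that, and the later hunk writes to them with sed's `w` command without cleaning them up. If the script already has an rm list or exit trap covering the existing temporaries, extend it with `$RC0 $RC1 $RC2`.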
@@ -901,11 +904,15 @@
# /etc/raid*.conf
# /etc/rc.d/*
# /etc/rc.conf.d/*
+ # /etc/rc.d.pkgsrc/*
+ # /etc/rc.d.local/*
#
echo "/etc/ifconfig.*"
echo "/etc/raid*.conf"
echo "/etc/rc.d/*"
echo "/etc/rc.conf.d/*"
+ echo "/etc/rc.d.pkgsrc/*"
+ echo "/etc/rc.d.local/*"
# Add /etc/changelist
#
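Review bot: the comment block and the echo list are kept in step, which is good, but /etc/rc.d.pkgsrc and /etc/rc.d.local are not directories the base system ships today; a one-line comment stating that these are the proposed pkgsrc and local rc.d directories discussed in this thread would save the next reader a search. The globs are only echoed into the changelist here, so a missing directory is harmless in this hunk.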
@@ -931,6 +938,40 @@
esac
done >> $CHANGEFILES
CHANGELIST="$CHANGEFILES $CHANGELIST"
+
+ # Since there are three directories holding rc scripts, the same
+ # basename for a service can be found in more than one directory.
+ # This may be a security concern---this can be an administration
+ # decision too. At least give the information.
+ #
+ # We do consider only services returned by rcorder(8) called with
+ # the skip `nostart' argument---as done by rc(8).
+ #
+ # rcorder(8) will always print in order the files, but may return
+ # a non zero exit status if a problem was found.
+ # Intercept the exit code to avoid aborting, and warn the
+ # administrator about a problem in the set.
+ #
+ rcorder -s nostart /etc/rc.d/* \
+ /etc/rc.d.pkgsrc/* \
+ /etc/rc.d.local/* >$OUTPUT 2>$TMP1 || { printf \
+ "\nErrors detected by rcorder(8) in the rc.d.* set:\n";
+ cat $TMP1;
+ }
+ cat $OUTPUT | sed 's,^\(.*\)/\([^/]*\)$,\2 \1,' \
+ | sort -k 1 \
+ | sed -n -e '\; /etc/rc\.d$;'w$RC0 \
+ -e '\; /etc/rc\.d\.pkgsrc$;'w$RC1 \
+ -e '\; /etc/rc\.d\.local$;'w$RC2
+
+ # then join by pair
+ join $RC0 $RC1 >$OUTPUT
+ join $RC0 $RC2 >>$OUTPUT
+ join $RC1 $RC2 >>$OUTPUT
+ if [ -s $OUTPUT ] ; then
+ printf "\nChecking identical service names in /etc/rc.d*:\n"
+ cat $OUTPUT | sort -k 1
+ fi
fi
# Special case backups, including the master password file and
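Review bot: the rcorder invocation passes the three globs unconditionally, so on a host where /etc/rc.d.pkgsrc or /etc/rc.d.local does not exist the shell hands rcorder the literal pattern, rcorder reports that it cannot open it, and the "Errors detected by rcorder(8)" warning fires on every run even though the rc.d set is fine. Guard each directory with `[ -d ]` before adding its glob to the argument list (for example by building the list with `set --` in a loop over the three directories). Two smaller points: join(1) requires both inputs sorted on the join field under the same collation, so `LC_ALL=C sort -k 1,1` is safer than a bare `sort -k 1` unless the script already fixes the locale, and `cat $OUTPUT | sed ...` / `cat $OUTPUT | sort ...` can read the file directly.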
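The duplicate-service-name check described in the patch, as an added example that is not part of the posted diff or of /etc/security: it lists the rc.d-style directories with plain globs instead of rcorder(8) so it runs anywhere, skips directories that do not exist (the missing-directory case the patch does not guard), and collapses the three pairwise joins into one awk pass. The function name dup_services and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the posted patch. Report every service script
# whose basename appears in more than one of the given rc.d-style directories.

# dup_services DIR... : print "name dir1 dir2 ..." for each basename found in
# two or more of the directories; prints nothing when there is no duplicate.
dup_services() {
    # Only existing directories contribute. Without this test an unmatched
    # glob would be passed on as the literal pattern "DIR/*".
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            # emit "basename directory", one per script
            [ -f "$f" ] && printf '%s %s\n' "${f##*/}" "$d"
        done
    done | LC_ALL=C sort -k 1,1 -k 2,2 | awk '
        # group the directories seen for each basename
        { dirs[$1] = dirs[$1] " " $2; n[$1]++ }
        END { for (s in n) if (n[s] > 1) print s dirs[s] }' | LC_ALL=C sort
}

# Demo on a constructed layout: "sshd" exists in two directories, "cron" in
# one, and the pkgsrc directory is deliberately absent.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/rc.d" "$t/rc.d.local"
    touch "$t/rc.d/sshd" "$t/rc.d/cron" "$t/rc.d.local/sshd"
    dup_services "$t/rc.d" "$t/rc.d.pkgsrc" "$t/rc.d.local"
    rm -rf "$t"
}
```

Run `demo` to see the single line naming `sshd` and the two directories that carry it; a clean layout prints nothing.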