Subject: security/4183: /etc/security ignores empty files from changelist
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 09/28/1997 21:33:56
>Number:         4183
>Category:       security
>Synopsis:       /etc/security ignores empty files from changelist
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 28 20:35:02 1997
>Last-Modified:
>Originator:     Jim Bernard
>Organization:
	Speaking for myself
>Release:        Sept. 28, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386


>Description:
	/etc/security backs up the files listed in /etc/changelist whenever
	they change, notifying root of any changes (as a warning of the
	possibility of foul play).  However, there are two cases in which its
	habit of ignoring empty files could allow an intrusion to go
	undetected:

	  (1) If the file to be checked is empty, no check is done.  So, all
	      an intruder needs to do (if it suits his purposes) is to
	      remove the contents of one of the checked files, and no alert
	      will be generated.  (This also applies to files that are
	      deleted, provided the mtree check doesn't notice.)

	  (2) If the most recent backup file (CUR) is empty, the current
	      version of the file is unconditionally copied over it, with
	      no checks for the fact that the file has changed.  One would
	      like to be notified if a previously empty file (e.g., hosts.equiv)
	      suddenly acquired contents.  (Actually, the current version of
	      the script would not have backed it up at all.)

>How-To-Repeat:
	Read the script--the relevant lines use the "-s" argument to test.

>Fix:
	(1) Back up files even if empty, so additions or deletions of
	    content such that the initial or final content is null will
	    be detected.

	(2) If a file in /etc/changelist does not exist, but a backup for
	    it does, complain about the deletion.  This may be annoying
	    (can be fixed by deleting the backup(s)), but is preferable to
	    not noticing the removal (though some removals may be detected
	    by the separate mtree checks).

	(3) When a file is added (CUR backup doesn't exist), notification
	    is given, rather than simply silently backing it up.

	(NB: I haven't tested this patch yet, but I don't see any obvious
	blunders or typos.)
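An added stand-alone illustration of the empty-file cases described above (this is not the reporter's patch and not the /etc/security script itself): the changelist comparison is reduced to one function that takes the file test as a parameter, so the original `-s` behaviour and the proposed `-f` behaviour can be run side by side on constructed temporary files. The names `changelist_check` and `demo_*`, and the sample file contents, are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not the reporter's patch. changelist_check performs one
# /etc/changelist-style comparison using either the original "-s" test
# (file exists AND is non-empty) or the proposed "-f" test (file exists,
# any size). Every path in the demos below is a constructed temporary file.

# changelist_check OP FILE CUR BACK
#   OP    -s (original script) or -f (proposed)
#   FILE  the watched file; CUR/BACK its current and previous backups
# Prints one word describing the outcome and rotates backups as the script does.
changelist_check() {
    op=$1 file=$2 cur=$3 back=$4
    if [ "$op" "$file" ]; then
        if [ "$op" "$cur" ]; then
            if cmp -s "$cur" "$file"; then
                echo unchanged
            else
                echo changed          # the script prints the diff and rotates
                cp -p "$cur" "$back"
                cp -p "$file" "$cur"
            fi
        else
            echo added                # original: silent copy; proposed: notify
            cp -p "$file" "$cur"
        fi
    elif [ "$op" = -f ] && { [ -f "$cur" ] || [ -f "$back" ]; }; then
        echo removed                  # only the proposed version notices this
        if [ -f "$cur" ]; then
            mv "$cur" "$back"         # keep the last copy, report only once
        fi
    else
        echo ignored                  # original -s: empty or missing file, no check
    fi
}

# Case (1): a watched file is emptied while a non-empty backup exists.
demo_emptied_file() {
    d=$(mktemp -d) || return 1
    printf 'trusted.example\n' > "$d/hosts.equiv"       # constructed content
    cp -p "$d/hosts.equiv" "$d/hosts.equiv.current"     # existing backup
    : > "$d/hosts.equiv"                                 # contents removed
    changelist_check "$1" "$d/hosts.equiv" "$d/hosts.equiv.current" "$d/hosts.equiv.backup"
    rm -rf "$d"
}

# Case (2): the backup is empty and the live file suddenly has contents.
demo_filled_file() {
    d=$(mktemp -d) || return 1
    : > "$d/hosts.equiv.current"                         # empty backup
    printf 'trusted.example\n' > "$d/hosts.equiv"       # constructed content
    changelist_check "$1" "$d/hosts.equiv" "$d/hosts.equiv.current" "$d/hosts.equiv.backup"
    rm -rf "$d"
}

# Deletion: the watched file is gone but its backup remains.
demo_removed_file() {
    d=$(mktemp -d) || return 1
    printf 'trusted.example\n' > "$d/hosts.equiv"       # constructed content
    cp -p "$d/hosts.equiv" "$d/hosts.equiv.current"
    rm "$d/hosts.equiv"
    changelist_check "$1" "$d/hosts.equiv" "$d/hosts.equiv.current" "$d/hosts.equiv.backup"
    rm -rf "$d"
}

for op in -s -f; do
    printf '%s: emptied=%s filled=%s removed=%s\n' "$op" \
        "$(demo_emptied_file "$op")" "$(demo_filled_file "$op")" "$(demo_removed_file "$op")"
done
```

With `-s`, all three demos come back as `ignored` or a silent `added`, which is exactly the blind spot the report describes; with `-f`, the emptied and filled files are reported as `changed` and the deleted one as `removed`.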


--- security-dist	Wed Sep 24 05:08:09 1997
+++ security	Sun Sep 28 21:24:14 1997
@@ -599,22 +599,33 @@
 # Any changes cause the files to rotate.
 if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then
 	for file in `egrep -v "^#|$MP" /etc/changelist`; do
 		CUR=/var/backups/`basename $file`.current
 		BACK=/var/backups/`basename $file`.backup
-		if [ -s $file ]; then
-			if [ -s $CUR ] ; then
+		if [ -f $file ]; then
+			if [ -f $CUR ]; then
 				diff $CUR $file > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 		printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
 					cat $OUTPUT
 					cp -p $CUR $BACK
 					cp -p $file $CUR
 					chown root.wheel $CUR $BACK
 				fi
 			else
+		printf "\n======\n%s has been added\n======\n" $file
+				diff /dev/null $file
 				cp -p $file $CUR
 				chown root.wheel $CUR
+			fi
+		else
+			if [ -f $CUR -o -f $BACK ]; then
+		printf "\n======\n%s has been removed\n======\n" $file
+				if [ -f $CUR ]; then
+					diff $CUR /dev/null
+				elif [ -f $BACK ]; then
+					diff $BACK /dev/null
+				fi
 			fi
 		fi
 	done
 fi
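Review bot: the removal branch added in the `else` after `if [ -f $file ]` reports the deletion but leaves `$CUR` and `$BACK` in place, so the same "has been removed" notice and `diff $CUR /dev/null` output will recur on every run until the backups are deleted by hand (the Fix text acknowledges this); moving `$CUR` to `$BACK` after the notice would make it report once while still keeping a copy. Two smaller points: `[ -f $CUR -o -f $BACK ]` uses the obsolescent `-o` operator, which `[ -f $CUR ] || [ -f $BACK ]` avoids, and since `-f` is true only for regular files, the removal branch will also fire for an entry that still exists but has been replaced by something other than a regular file while a backup of that name remains.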
>Audit-Trail:
>Unformatted: