Subject: security/4183: /etc/security ignores empty files from changelist
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 09/28/1997 21:33:56
>Number: 4183
>Category: security
>Synopsis: /etc/security ignores empty files from changelist
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 28 20:35:02 1997
>Last-Modified:
>Originator: Jim Bernard
>Organization:
Speaking for myself
>Release: Sept. 28, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386
>Description:
/etc/security backs up the files listed in /etc/changelist whenever
they change, notifying root of any changes (as a warning of the
possibility of foul play). However, there are two cases in which its
habit of ignoring empty files could allow an intrusion to go
undetected:
(1) If the file to be checked is empty, no check is done. So, all
an intruder needs to do (if it suits his purposes) is to
remove the contents of one of the checked files, and no alert
will be generated. (This also applies to files that are
deleted, provided the mtree check doesn't notice.)
(2) If the most recent backup file (CUR) is empty, the current
version of the file is unconditionally copied over it, with
no checks for the fact that the file has changed. One would
like to be notified if a previously empty file (e.g., hosts.equiv)
suddenly acquired contents. (Actually, the current version of
the script would not have backed it up at all.)
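To make the two cases above concrete, here is a small stand-alone model of the
changelist comparison, written for this report and not taken from the NetBSD
/etc/security script. It runs the same decision twice: once with the "-s"
(non-empty) test the script uses today, and once with the "-f" (exists) test
the fix below proposes, over constructed scenarios in a scratch directory that
stands in for /var/backups. The file and backup names are made up for the
example; "silent-copy" labels the branch where the current script overwrites an
empty CUR without reporting, and "skipped" the branch where it does nothing.

```sh
#!/bin/sh
# Model of the /etc/changelist check (added example, not the real script).
# Assumptions: a scratch dir from mktemp stands in for /var/backups, and the
# file names below are constructed rather than read from /etc/changelist.

# classify_s: the logic as shipped, keyed on "-s" (file has size > 0).
# An emptied or removed file never reaches the comparison at all.
classify_s() {
    f=$1; c=$2
    if [ -s "$f" ]; then
        if [ -s "$c" ]; then
            if cmp -s "$c" "$f"; then echo unchanged; else echo changed; fi
        else
            echo silent-copy    # CUR empty or missing: copied over, no report
        fi
    else
        echo skipped            # file empty or missing: nothing checked
    fi
}

# classify_f: the proposed logic, keyed on "-f" (file exists).
# Size no longer matters, so empty and removed files are reported too.
classify_f() {
    f=$1; c=$2
    if [ -f "$f" ]; then
        if [ -f "$c" ]; then
            if cmp -s "$c" "$f"; then echo unchanged; else echo changed; fi
        else
            echo added          # no CUR yet: report, then back it up
        fi
    elif [ -f "$c" ]; then
        echo removed            # backup exists but the file is gone
    else
        echo absent             # neither exists: nothing to say
    fi
}

# verdicts SCENARIO: build one constructed scenario and print the verdict of
# both variants as "<original> <proposed>".
verdicts() {
    dir=$(mktemp -d) || return 1
    file=$dir/hosts.equiv           # stands in for a /etc/changelist entry
    cur=$dir/hosts.equiv.current    # stands in for /var/backups/<name>.current
    case $1 in
        unchanged) printf 'trusted\n' > "$file"; printf 'trusted\n' > "$cur" ;;
        changed)   printf 'trusted\n' > "$file"; printf 'other\n'   > "$cur" ;;
        emptied)   : > "$file";                  printf 'trusted\n' > "$cur" ;;
        removed)                                 printf 'trusted\n' > "$cur" ;;
        appeared)  printf 'trusted\n' > "$file"; : > "$cur" ;;
        *) rm -rf "$dir"; return 1 ;;
    esac
    echo "$(classify_s "$file" "$cur") $(classify_f "$file" "$cur")"
    rm -rf "$dir"
}

# Print a side-by-side table of every scenario.
for s in unchanged changed emptied removed appeared; do
    printf '%-10s original(-s): %-12s proposed(-f): %s\n' "$s" $(verdicts "$s")
done
```

The "emptied" and "removed" rows are case (1) of the description: the shipped
test reports nothing, the proposed test reports a change or a removal. The
"appeared" row is case (2): a previously empty CUR is overwritten without a
report today, whereas the "-f" variant sees the difference.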
>How-To-Repeat:
Read the script--the relevant lines use the "-s" argument to test.
>Fix:
(1) Back up files even if empty, so additions or deletions of
content such that the initial or final content is null will
be detected.
(2) If a file in /etc/changelist does not exist, but a backup for
it does, complain about the deletion. This may be annoying
(can be fixed by deleting the backup(s)), but is preferable to
not noticing the removal (though some removals may be detected
by the separate mtree checks).
(3) When a file is added (CUR backup doesn't exist), notification
is given, rather than simply silently backing it up.
(NB: I haven't tested this patch yet, but I don't see any obvious
blunders or typos.)
--- security-dist Wed Sep 24 05:08:09 1997
+++ security Sun Sep 28 21:24:14 1997
@@ -599,22 +599,33 @@
# Any changes cause the files to rotate.
if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then
for file in `egrep -v "^#|$MP" /etc/changelist`; do
CUR=/var/backups/`basename $file`.current
BACK=/var/backups/`basename $file`.backup
- if [ -s $file ]; then
- if [ -s $CUR ] ; then
+ if [ -f $file ]; then
+ if [ -f $CUR ]; then
diff $CUR $file > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
cat $OUTPUT
cp -p $CUR $BACK
cp -p $file $CUR
chown root.wheel $CUR $BACK
fi
else
+ printf "\n======\n%s has been added\n======\n" $file
+ diff /dev/null $file
cp -p $file $CUR
chown root.wheel $CUR
+ fi
+ else
+ if [ -f $CUR -o -f $BACK ]; then
+ printf "\n======\n%s has been removed\n======\n" $file
+ if [ -f $CUR ]; then
+ diff $CUR /dev/null
+ elif [ -f $BACK ]; then
+ diff $BACK /dev/null
+ fi
fi
fi
done
fi
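Review bot: the new "has been removed" branch reports but never rotates or clears $CUR/$BACK, so the same alert (and the full `diff $CUR /dev/null`) repeats on every run until an operator deletes the backups by hand, and deleting them discards the only remaining copy of the old content; consider recording the removal once (for example, after reporting, `cp -p $CUR $BACK` and remove $CUR, and drop the `-o -f $BACK` clause so a lone $BACK is treated as already reported) so the last content survives for later inspection without nagging. Two smaller points in the same hunk: the added and removed branches send `diff` output straight to stdout instead of through $OUTPUT like the changed branch, which works for a mailed report but diverges from the existing pattern; and with the "-f" tests an empty file that is added prints only the header line, since `diff /dev/null $file` has nothing to show, which is the intended consequence of fix (1) and worth a comment so it is not mistaken for a missing diff.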
>Audit-Trail:
>Unformatted: