>Number: 178005
>Category: conf
>Synopsis: setuid periodic checks do dumb diff of file information; emits unnecessary noise
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 20 19:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Garrett Cooper
>Release: 9-STABLE/10-CURRENT
>Organization:
EMC Isilon
>Environment:
FreeBSD forza.west.isilon.com 9.1-STABLE FreeBSD 9.1-STABLE #3 r+164ee96: Fri Apr 19 22:50:09 PDT 2013 [email protected]:/usr/obj/scratch/freebsd/stable-9/sys/FORZA amd64
>Description:
The setuid periodic script is checking the ls -l output of files and diffing it
versus old data instead of just checking whether or not the mode has changed,
which results in a lot of noise in the periodic emails that get sent out
whenever an installworld is run. Here's the code that does this (ls -liTd in
etc/periodic/security/100.chksetuid)...

    MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
    find -sx $MP /dev/null -type f \
        \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
        \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
        check_diff setuid - "${host} setuid diffs:"

While this might catch other issues (files being modified), it really doesn't
make sense why this script should be doing this. Furthermore, changing the
system locale will mess up output with -T in use because it's very locale
dependent.
Ultimately, the only things that should really matter are:
1. Whether or not the permissions changed.
2. The path for the permissions (so the result can be properly correlated and
diffed).
For debuggability the inode number and date should be included in the email,
but not in the diff parsing. Thus, check_diff in
etc/periodic/security/security.functions should be modified to only diff
certain fields, potentially.
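As an added illustration of the change proposed above (example code, not from the PR or from etc/periodic/security), the following POSIX sh snippet projects ls -liTd lines onto mode and path before diffing, while still pulling the full lines (inode and date) for any path whose mode changed. It assumes the C-locale -T date layout (month, day, time, year as four fields) and uses constructed sample listings; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare setuid listings on mode and path only, as the PR proposes.
# Input lines are FreeBSD `ls -liTd` output in the C locale:
#   inode mode links user group size Mon DD HH:MM:SS YYYY path...
# Field 11 onward is the path, so names containing spaces are kept whole.

# Constructed sample listings standing in for two runs of 100.chksetuid:
# installworld changed size and mtime of passwd (noise under the current
# script) and the setuid bit was dropped from su (a real change).
BEFORE='1234 -r-sr-xr-x 1 root wheel 28000 Apr 19 22:50:09 2013 /usr/bin/passwd
5678 -r-sr-xr-x 1 root wheel 12000 Apr 19 22:50:09 2013 /usr/bin/su'
AFTER='1234 -r-sr-xr-x 1 root wheel 28104 Apr 20 10:01:00 2013 /usr/bin/passwd
5678 -r-xr-xr-x 1 root wheel 12000 Apr 20 10:01:00 2013 /usr/bin/su'

# Project each ls line onto "mode path"; inode, size and date are dropped
# because they change on every installworld without a permission change.
setuid_key_fields() {
    awk 'NF >= 11 {
        path = $11
        for (i = 12; i <= NF; i++) path = path " " $i
        print $2, path
    }'
}

# Diff two listings on key fields only. Prints diff hunks; exit status is
# 0 when no mode changed and 1 when at least one did (diff's convention).
setuid_mode_changes() {
    before_file=$(mktemp) || return 2
    after_file=$(mktemp) || return 2
    printf '%s\n' "$1" | setuid_key_fields | sort -k2 > "$before_file"
    printf '%s\n' "$2" | setuid_key_fields | sort -k2 > "$after_file"
    diff "$before_file" "$after_file" && rc=0 || rc=$?
    rm -f "$before_file" "$after_file"
    return "$rc"
}

# Full ls lines (inode, date included) from the new listing for each path
# whose mode changed: debugging detail for the mail, kept out of the diff.
setuid_changed_detail() {
    setuid_mode_changes "$1" "$2" |
        awk '/^[<>] / { p = $3; for (i = 4; i <= NF; i++) p = p " " $i; print p }' |
        sort -u | while IFS= read -r path; do
            printf '%s\n' "$2" | awk -v p="$path" \
                '{ q = $11; for (i = 12; i <= NF; i++) q = q " " $i; if (q == p) print }'
        done
}

if ! setuid_mode_changes "$BEFORE" "$AFTER" >/dev/null; then setuid_changed_detail "$BEFORE" "$AFTER"; fi
```

Run against the constructed data, the passwd line no longer shows up as a change and only the su line, with its inode and timestamp, is reported.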
>How-To-Repeat:
- Run 100.chksetuid.
- make installworld.
- Reboot.
- Run 100.chksetuid.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: