conf/135160: 100.chksetuid and non local filesystem mounted on subdirs

Roberto Grassi r.grassi-at-obicon.it at FreeBSD.org
Mon Jun 1 17:20:06 UTC 2009


>Number:         135160
>Category:       conf
>Synopsis:       100.chksetuid and non local filesystem mounted on subdirs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 01 17:20:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Roberto Grassi
>Release:        7.2-STABLE
>Organization:
>Environment:
FreeBSD nessus.obicon.local 7.2-STABLE FreeBSD 7.2-STABLE #0: Wed May 27 10:26:48 CEST 2009     root at ux-builder:/usr/obj/usr/src/sys/vmware-esx35  i386

>Description:
The find options in the 100.chksetuid script will traverse mount points found as local (ufs or zfs), but the test of whether they are local is done on the mount point itself; no further checks are done for non-local file system files below them.
In the case where a mount point is a subdirectory of a local mount point, the find will traverse it, causing the traversal to go to another machine.
Example:
with this mount command output:
   /dev/da0d on /usr
   10.10.10.10:/usr/ports on /usr/ports
   10.10.10.11:/usr/src on /usr/src
the command inside 100.chksetuid
   find -sx $MP /dev/null -type f \
     \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
     ...
will go onto the 10.10.10.10 and 10.10.10.11 servers.

Moreover, in the case where the NFS, SMBFS or other non-local FS server does not respond, all the periodic checks will not finish.
>How-To-Repeat:
Use mount points for a non-local FS in a subdirectory of /.
>Fix:
--- 100.chksetuid.orig  2008-12-27 19:07:31.000000000 +0100
+++ 100.chksetuid       2009-06-01 19:01:51.000000000 +0200
@@ -46,4 +46,5 @@
        MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
        find -sx $MP /dev/null -type f \
+           \( -fstype ufs -or -ftype zfs \) \
            \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
            \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
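Review bot: the added `+` line has a typo that breaks the command: `-ftype` is not a find(1) primary, so find will exit with a usage error and the check will produce no output at all; it should read `\( -fstype ufs -or -fstype zfs \) \`. Separately, even with the spelling fixed, a plain `-fstype` test only filters which files are reported; find still descends into the remote subtree, so the hang described in the report (unresponsive NFS/SMBFS server) is not avoided. To stop the descent at the foreign mount point, prune it instead, e.g. `\( ! -fstype ufs -and ! -fstype zfs \) -prune -or \` placed before the existing `-type f` and permission tests, with the `-exec` staying in the final branch (the `/dev/null` placeholder path is unaffected, since `-prune` on a non-directory is a no-op). It would also help to state in the change description why the existing `-x` on the `find -sx $MP` line does not already keep the traversal on the local device here.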


>Release-Note:
>Audit-Trail:
>Unformatted:

