bin/119464: Add 'sorted' option to etc/periodic/security/security.functions

Tue Jan 8 11:30:02 PST 2008

>Number:         119464
>Category:       bin
>Synopsis:       Add 'sorted' option to etc/periodic/security/security.functions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 08 19:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Esa Karkkainen
>Release:        FreeBSD 6.3-RC2 i386
>Organization:
Is in state of disintegration
>Environment:

System: FreeBSD 6.3-RC2 Sun Dec 30 14:33:03 EET 2007

>Description:

Add option to check_diff function which changes "setuid diffs" from

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
Amnesiac setuid diffs:

--- /var/log/setuid.today       Mon May  8 03:01:22 2006
+++ /tmp/security.DSozUbFb      Tue Jun 13 03:01:22 2006
@@ -33,7 +33,7 @@
 612402 -r-sr-xr-x  2 root  wheel     5828 May  7 13:25:03 2006 /usr/bin/yppasswd
 141367 -r-sr-xr-x  1 root  wheel     3400 May  7 13:14:41 2006 /usr/libexec/pt_chown
 141330 -r-xr-sr-x  1 root  smmsp   582752 May  7 13:28:03 2006 /usr/libexec/sendmail/sendmail
-730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
+730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
 730672 ---s--x--x  2 root  wheel    89020 Jan 27 01:52:14 2006 /usr/local/bin/sudo
 730672 ---s--x--x  2 root  wheel    89020 Jan 27 01:52:14 2006 /usr/local/bin/sudoedit
 329886 -r-sr-sr-x  1 root  authpf   14724 May  7 13:26:08 2006 /usr/sbin/authpf
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

to

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
Amnesiac setuid diffs:
+++ /tmp/security.DSozUbFb      Tue Jun 13 03:01:22 2006
--- /var/log/setuid.today       Mon May  8 03:01:22 2006
+730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
-730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

IMHO the latter output is easier to comprehend.

Patch does not change traditional FreeBSD behaviour (POLA).

Admin must add "sorted" as first argument to check_diff funtion call in
"/etc/periodic/security/100.chksetuid" file.

>How-To-Repeat:
N/A
>Fix:

--- /usr/src/etc/periodic/security/security.functions	2005-08-27 11:21:02.000000000 +0300
+++ security.functions	2007-11-07 22:39:30.000000000 +0200
@@ -37,16 +37,25 @@
 # Usage: COMMAND | check_diff [new_only] LABEL - MSG
 #        COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG
 #   if $1 is new_only, show only the 'new' part of the diff.
+#   if $1 is sorted, show 'old' and 'new' parts of the diff sorted by filename
 #   LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files.
 
 check_diff() {
   rc=0
-  if [ "$1" = "new_only" ]; then
-    shift
-    filter="grep '^[>+]'"
-  else
-    filter="cat"
-  fi
+  case "$1" 
+    in
+      "new_only")
+        shift
+        filter="grep '^[>+]'"
+        ;;
+      "sorted")
+        shift
+        filter="grep '^[>+-]' | sort -k 11"
+        ;;
+      *)
+        filter="cat"
+        ;;
+  esac
   label="$1"; shift
   tmpf="$1"; shift
   msg="$1"; shift
>Release-Note:
>Audit-Trail:
>Unformatted:
