From ekarkkai@pp.htv.fi  Tue Jan  8 19:28:16 2008
Return-Path: <ekarkkai@pp.htv.fi>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C7D0A16A46E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Jan 2008 19:28:16 +0000 (UTC)
	(envelope-from ekarkkai@pp.htv.fi)
Received: from smtp5.pp.htv.fi (smtp5.pp.htv.fi [213.243.153.39])
	by mx1.freebsd.org (Postfix) with ESMTP id 4B46C13C4DB
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Jan 2008 19:28:16 +0000 (UTC)
	(envelope-from ekarkkai@pp.htv.fi)
Received: from zero.my.domain (cs181095217.pp.htv.fi [82.181.95.217])
	by smtp5.pp.htv.fi (Postfix) with ESMTP id 6CC185BC017;
	Tue,  8 Jan 2008 20:56:34 +0200 (EET)
Received: from thunderbolt.my.domain (thunderbolt.my.domain [10.192.168.30])
	by zero.my.domain (8.13.8/8.13.8) with ESMTP id m08IuXA0026032;
	Tue, 8 Jan 2008 20:56:34 +0200 (EET)
	(envelope-from ekarkkai@pp.htv.fi)
Received: from thunderbolt.my.domain (localhost [127.0.0.1])
	by thunderbolt.my.domain (8.14.2/8.14.2) with ESMTP id m08IuXtY003474;
	Tue, 8 Jan 2008 20:56:33 +0200 (EET)
	(envelope-from ejk@thunderbolt.my.domain)
Received: (from ejk@localhost)
	by thunderbolt.my.domain (8.14.2/8.14.2/Submit) id m08IuXnf003473;
	Tue, 8 Jan 2008 20:56:33 +0200 (EET)
	(envelope-from ejk)
Message-Id: <200801081856.m08IuXnf003473@thunderbolt.my.domain>
Date: Tue, 8 Jan 2008 20:56:33 +0200 (EET)
From: Esa Karkkainen <ejk@iki.fi>
Reply-To: Esa Karkkainen <ejk@iki.fi>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Esa Karkkainen <ejk@iki.fi>
Subject: Add 'sorted' option to etc/periodic/security/security.functions
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         119464
>Category:       conf
>Synopsis:       [patch] [request] Add 'sorted' option to etc/periodic/security/security.functions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 08 19:30:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Sat Jan 26 05:09:06 UTC 2008
>Originator:     Esa Karkkainen
>Release:        FreeBSD 6.3-RC2 i386
>Organization:
Is in state of disintegration
>Environment:

System: FreeBSD 6.3-RC2 Sun Dec 30 14:33:03 EET 2007

>Description:

Add an option to the check_diff function which changes "setuid diffs" from

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
Amnesiac setuid diffs:
--- /var/log/setuid.today       Mon May  8 03:01:22 2006
+++ /tmp/security.DSozUbFb      Tue Jun 13 03:01:22 2006
@@ -33,7 +33,7 @@
 612402 -r-sr-xr-x  2 root  wheel     5828 May  7 13:25:03 2006 /usr/bin/yppasswd
 141367 -r-sr-xr-x  1 root  wheel     3400 May  7 13:14:41 2006 /usr/libexec/pt_chown
 141330 -r-xr-sr-x  1 root  smmsp   582752 May  7 13:28:03 2006 /usr/libexec/sendmail/sendmail
-730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
+730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
 730672 ---s--x--x  2 root  wheel    89020 Jan 27 01:52:14 2006 /usr/local/bin/sudo
 730672 ---s--x--x  2 root  wheel    89020 Jan 27 01:52:14 2006 /usr/local/bin/sudoedit
 329886 -r-sr-sr-x  1 root  authpf   14724 May  7 13:26:08 2006 /usr/sbin/authpf
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

to

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
Amnesiac setuid diffs:
+++ /tmp/security.DSozUbFb      Tue Jun 13 03:01:22 2006
--- /var/log/setuid.today       Mon May  8 03:01:22 2006
+730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
-730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

IMHO the latter output is easier to comprehend.

Patch does not change traditional FreeBSD behaviour (POLA).

Admin must add "sorted" as the first argument to the check_diff function call in
"/etc/periodic/security/100.chksetuid" file.

>How-To-Repeat:
N/A
>Fix:

--- /usr/src/etc/periodic/security/security.functions	2005-08-27 11:21:02.000000000 +0300
+++ security.functions	2007-11-07 22:39:30.000000000 +0200
@@ -37,16 +37,25 @@
 # Usage: COMMAND | check_diff [new_only] LABEL - MSG
 #        COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG
 #   if $1 is new_only, show only the 'new' part of the diff.
+#   if $1 is sorted, show 'old' and 'new' parts of the diff sorted by filename
 #   LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files.
 
 check_diff() {
   rc=0
-  if [ "$1" = "new_only" ]; then
-    shift
-    filter="grep '^[>+]'"
-  else
-    filter="cat"
-  fi
+  case "$1" 
+    in
+      "new_only")
+        shift
+        filter="grep '^[>+]'"
+        ;;
+      "sorted")
+        shift
+        filter="grep '^[>+-]' | sort -k 11"
+        ;;
+      *)
+        filter="cat"
+        ;;
+  esac
   label="$1"; shift
   tmpf="$1"; shift
   msg="$1"; shift
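Review bot: the `sorted` branch's filter `grep '^[>+-]' | sort -k 11` is correct only for unified-style diff output, while the existing `new_only` filter right above it (`grep '^[>+]'`) also accepts the `>` prefix of normal diff output; in that format the old side starts with `<` and is not matched at all, and the prefix is a separate word, so field 11 is the year rather than the path. The unified `---`/`+++` file headers also match `^[>+-]` but have no eleventh field, so `sort` places them at the top in whatever order the whole-line fallback comparison gives (the `+++` line above the `---` line, as the example in the description shows). Consider matching `^[<>+-]`, sorting on the last field so the key is the path in both formats, passing the two header lines through ahead of the sort, and adding the option to the usage comment (`check_diff [new_only|sorted] LABEL ...`); also `case "$1" ` with `in` on the following line carries a trailing blank and is normally written `case "$1" in`.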
>Release-Note:
>Audit-Trail:
>Unformatted:
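As an added example, not the PR's patch nor FreeBSD's own code, here is a 'sorted' filter that orders the changed lines of a check_diff report by path for both diff output styles the existing `new_only` filter accepts, and keeps the unified `---`/`+++` headers in place. The two sample diffs are constructed from the listing format shown in the description; `/usr/local/bin/example_new` is a made-up path standing in for a newly appeared setuid binary.

```shell
#!/bin/sh
# Added example, not the PR's patch: a 'sorted' filter for check_diff output that
# orders changed lines by path whether diff produced unified ('+'/'-') or normal
# ('>'/'<') output, and keeps unified file headers ('---'/'+++') first.
# Assumes each listing line ends with the path and paths contain no spaces,
# as in the ls -li style listing shown in the PR.

# Constructed sample: unified diff of a setuid listing (shape taken from the PR).
SAMPLE_UNIFIED='--- /var/log/setuid.today       Mon May  8 03:01:22 2006
+++ /tmp/security.XXXXXXXXXX    Tue Jun 13 03:01:22 2006
@@ -33,7 +33,7 @@
 612402 -r-sr-xr-x  2 root  wheel     5828 May  7 13:25:03 2006 /usr/bin/yppasswd
-730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
+730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
+730800 -rwsr-xr-x  1 root  wheel    12345 Jun 12 20:56:14 2006 /usr/local/bin/example_new
 730672 ---s--x--x  2 root  wheel    89020 Jan 27 01:52:14 2006 /usr/local/bin/sudo'

# Constructed sample: the same change as "normal" (non -u) diff output.
SAMPLE_NORMAL='34c34,35
< 730599 -rwsr-xr-x  1 root  wheel   278660 Oct 28 18:09:06 2005 /usr/local/bin/screen
---
> 730291 -rwsr-xr-x  1 root  wheel   285580 Jun 12 20:56:14 2006 /usr/local/bin/screen
> 730800 -rwsr-xr-x  1 root  wheel    12345 Jun 12 20:56:14 2006 /usr/local/bin/example_new'

# Reads diff output on stdin. Writes the unified file headers (if any) in their
# original order, then only the changed lines, sorted by path. Context lines,
# "@@" hunk markers, normal-diff range lines and the bare "---" separator are dropped.
sort_diff_by_path() {
  input=$(cat)
  printf '%s\n' "$input" | grep -E '^(---|\+\+\+) ' || true
  printf '%s\n' "$input" \
    | awk '/^(---|\+\+\+) / || /^@@/ || /^---$/ || /^[0-9]/ { next }
           /^[<>+-]/ { print $NF "\t" $0 }' \
    | LC_ALL=C sort -k 1,1 \
    | cut -f 2-
}

# Just the changed paths in report order, one per line.
changed_paths() {
  sort_diff_by_path | awk '/^[<>+-][^<>+-]/ { print $NF }'
}

# Stand-alone run: the report for both sample formats.
printf '%s\n' "$SAMPLE_UNIFIED" | sort_diff_by_path
echo
printf '%s\n' "$SAMPLE_NORMAL" | sort_diff_by_path
```

Sorting on the last field instead of field 11 is what makes the normal format work: there the `> ` prefix is its own word and shifts every column by one.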
