From cjc@cc942873-a.ewndsr1.nj.home.com  Fri Mar  3 13:05:19 2000
Return-Path: <cjc@cc942873-a.ewndsr1.nj.home.com>
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2179F37B667; Fri,  3 Mar 2000 13:05:18 -0800 (PST)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id QAA44752;
	Fri, 3 Mar 2000 16:10:43 -0500 (EST)
	(envelope-from cjc)
Message-Id: <200003032110.QAA44752@cc942873-a.ewndsr1.nj.home.com>
Date: Fri, 3 Mar 2000 16:10:43 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjc@cc942873-a.ewndsr1.nj.home.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Add mount(8) check to /etc/security
X-Send-Pr-Version: 3.2

>Number:         17155
>Category:       misc
>Synopsis:       Add mount(8) check to /etc/security
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar  3 13:10:00 PST 2000
>Closed-Date:    Sun Aug 6 12:45:39 PDT 2000
>Last-Modified:  Sun Aug 06 12:46:52 PDT 2000
>Originator:     Crist J. Clark
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

	FreeBSD 3.4-STABLE, distributed /etc/security file.

>Description:

	The other day I had to change the way a filesystem was mounted
to do some administrative tasks (specifically, I turned off the nosuid
option). I guess I became distracted because I never re-enabled it
until just noticing it recently.

	I was surprised and a little bit peeved that my /etc/security
script would not notice a change in the way filesystems were
mounted. Rather than just complain, I modified my own /etc/security's
accordingly and decided the modification was something that no one
could really argue against, so I'm submitting it here.

>How-To-Repeat:

	Do anything to your filesystem mounts. /etc/security won't
notice.

>Fix:
	
	The structure of the added commands parallels the existing
'dmesg' check currently in place. Frankly, it's almost exactly the
same, just different filenames and another command generating the
initial output.

	The only thing I am unsure of is which is more aesthetically
pleasing, using 'mount -p' output or taking 'mount' output and running
it through a quick sed script to clean out the "writes:"
information. At this point, I prefer the more verbose mount-sed
combo. Both patches are included.

	Any constructive comments or criticisms appreciated.

	The mount-sed combo,

--- /usr/src/etc/security       Tue Dec 21 04:46:02 1999
+++ security    Fri Mar  3 15:56:52 2000
@@ -48,6 +48,21 @@
        mv $TMP $LOG/setuid.today
 fi
 
+if mount | sed 's/, writes: [^\)]*//' > $TMP; then
+       if [ ! -f $LOG/mount.today ]; then
+               separator
+               echo "no $LOG/mount.today"
+               cp $TMP $LOG/mount.today
+       fi
+       if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else
+               separator
+               echo "$host changes in mounted filesystems:"
+               diff -b $LOG/mount.today $TMP
+               mv $LOG/mount.today $LOG/mount.yesterday
+               mv $TMP $LOG/mount.today
+       fi
+fi
+
 separator
 echo "checking for uids of 0:"
 awk -F: '$3==0 {print $1,$3}' /etc/master.passwd
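Review bot: the `if` on the first added line tests the exit status of sed, not of mount, because a pipeline returns the status of its last command. If mount fails or prints nothing, $TMP is empty, the condition still succeeds, diff lists every filesystem as removed, and the empty file is then installed as mount.today. Write mount's output to a file first and test that status, or check `[ -s $TMP ]` before comparing. In the sed expression, `[^\)]` also excludes a backslash, since a backslash is literal inside a bracket expression; `[^)]*` is what is meant.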



	Now for the mount-p version,

--- /usr/src/etc/security       Tue Dec 21 04:46:02 1999
+++ security    Fri Mar  3 15:57:52 2000
@@ -48,6 +48,21 @@
        mv $TMP $LOG/setuid.today
 fi
 
+if mount -p > $TMP; then
+       if [ ! -f $LOG/mount.today ]; then
+               separator
+               echo "no $LOG/mount.today"
+               cp $TMP $LOG/mount.today
+       fi
+       if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else
+               separator
+               echo "$host changes in mounted filesystems:"
+               diff -b $LOG/mount.today $TMP
+               mv $LOG/mount.today $LOG/mount.yesterday
+               mv $TMP $LOG/mount.today
+       fi
+fi
+
 separator
 echo "checking for uids of 0:"
 awk -F: '$3==0 {print $1,$3}' /etc/master.passwd
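Review bot: in the change branch, the two mv lines replace mount.today with the new state as soon as the difference has been printed once, so a dropped option such as nosuid is reported in a single run and is the accepted baseline from then on. Consider leaving the baseline in place until it is refreshed deliberately, or additionally comparing against /etc/fstab so a lingering deviation keeps being reported. There is also no else branch for `if mount -p > $TMP`, so a failing mount skips the check without any output; printing a line in that case would distinguish it from "no changes".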

>Release-Note:
>Audit-Trail:

From: Daniel Hagan <dhagan@cs.vt.edu>
To: freebsd-gnats-submit@FreeBSD.org,
	cjc@cc942873-a.ewndsr1.nj.home.com
Cc: freebsd-security@freebsd.org
Subject: Re: misc/17155: Add mount(8) check to /etc/security
Date: Wed, 05 Apr 2000 21:32:00 -0400

 This seems like a good idea.  There aren't any objections logged in the PR,
 so is someone interested in committing this?
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=17155
 
 Daniel
 
 
Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Apr 6 03:37:58 PDT 2000 
Responsible-Changed-Why:  
I'll take this one. :-) 
State-Changed-From-To: open->analyzed 
State-Changed-By: sheldonh 
State-Changed-When: Thu Apr 6 03:47:11 PDT 2000 
State-Changed-Why:  
I've committed the mount -p version of your patch in rev 1.38.  I 
chose this version because its output is more useful for  
cut and paste operations on /etc/fstab. :-) 

While I'm convinced that there are no problems with this, I'm 
still going to stick to the rule of thumb that only critical 
bug fixes should be merged to stable branches immediately. 
Bug me in a month if I haven't merged this yet. ;-) 
State-Changed-From-To: analyzed->closed 
State-Changed-By: nbm 
State-Changed-When: Sun Aug 6 12:45:39 PDT 2000 
State-Changed-Why:  
MFC'd by asmodai in rev 1.36.2.2 of src/security 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17155 
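
The case that prompted this PR, a filesystem left mounted without nosuid, can be picked out of two `mount -p` snapshots directly. This is an added example, not part of the PR or of FreeBSD's /etc/security; the function names, the choice of nosuid/nodev/noexec as the options to watch, and the sample snapshots are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two `mount -p` (fstab-format) snapshots and report
# every mount point that lost a restrictive option. Names are hypothetical.

# lost_restrictions OLD NEW
# Prints "<mountpoint> lost <option>" per regression; returns 1 if any found.
lost_restrictions() {
    awk '
        # Exact match on one comma-separated option, so "suiddir" != "nosuid".
        function has(opts, o) { return index("," opts ",", "," o ",") > 0 }

        # First file: remember the options field of every mount point.
        NR == FNR { if (NF >= 4 && $1 !~ /^#/) old[$2] = $4; next }

        # Second file: only mount points present in both snapshots.
        NF >= 4 && ($2 in old) {
            n = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= n; i++)
                if (has(old[$2], want[i]) && !has($4, want[i])) {
                    print $2 " lost " want[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample: /usr loses nosuid; /var only has its options reordered.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        '/dev/ad0s1a / ufs rw 1 1' \
        '/dev/ad0s1f /usr ufs rw,nosuid 2 2' \
        '/dev/ad0s1e /var ufs rw,nosuid,nodev 2 2' > "$dir/mount.yesterday"
    printf '%s\n' \
        '/dev/ad0s1a / ufs rw 1 1' \
        '/dev/ad0s1f /usr ufs rw 2 2' \
        '/dev/ad0s1e /var ufs rw,nodev,nosuid 2 2' > "$dir/mount.today"
    lost_restrictions "$dir/mount.yesterday" "$dir/mount.today"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "restrictive mount options were removed"
```

Unlike a plain diff of the two files, this ignores option reordering and names the specific option that disappeared.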
>Unformatted:
