/usr/lib/tiger/scripts/check_accounts is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_accounts - created 06/14/93
#
# Checks the accounts provided in the system, looking for disabled accounts
# with cron, rhosts, and .forward files as well as proper configuration
# (home directory accesibility, shell configuration files, dormant accounts
# and .hushlogin files)
#
# 08/12/2011 jfs Sort the user files before joining them (Debian bug #624258)
# 10/11/2006 jfs Redirect find errors in $HOME to null (Debian bug #386163)
# 20/04/2006 jfs Fix the pipe check in forward files (Debian bug #329610)
# 15/06/2005 jfs Check for null $uids before using them in comparisons
# (Debian bug #312080)
# 17/11/2004 jfs Fixed eval in check_accounts so that find is _only_
# executed for users which are not part of
# Tiger_Admin_Accounts, this prevents Tiger from accesing
# filesystems when not needed (Debian bug #280653)
# It also should speed this check by removing unnecesary
# filesystem checks.
# 05/02/2004 jfs Try to avoid eval problems if user/shells/directories contain
# non-empty (but invalid) characters (such as space)
# (Debian bug #246987)
# 01/21/2004 jfs Removed TODO (no longer applies here), expanded description and
# fixed typo.
# 01/18/2004 rbrad Applying 4 Savannah patches:
# * 2466 - Remove redundant check (check was moved to check_passwd).
# * 2467 - Fix bug in USERDOTFILES when USERDOTFILES is empty.
# * 2468 - Cleanup and comment check_disabled().
# * 2469 - New check: Verify parent of $home is owned by administrative
# user.
# 10/01/2003 jfs For some reason this script stopped working in Linux
# massaged it to work again (changed while read in function
# to explicit parameter calling). Also added a check to
# avoid going through all the filesystem if $home is not defined.
# 09/19/2003 jfs Add root to Tiger_Admin_Accounts if already defined.
# Also permit empty USERDOTFILES and fix dependancies.
# 08/15/2003 jfs ETCSHELLS is not indispensable to running this script.
# 08/14/2003 jfs Included ARSC changes including an update for Linux
# in which no shell equals shell to address no
# login programs.
# 08/08/2003 jfs Changed the creation of temporary file to avoid race
# conditions.
# 08/08/2003 jfs Added Ryan Bradetich's patch which:
# * Fixed the join statement to properly handle empty fields for
# check_user.
# * Fixed the home directory permission check.
# * Simplified the parent directory check.
# * Removed the "root" requirement for checking the shell initilizaion
# files.
# * Added .bashrc and .kshrc to the default list of .dotfiles.
# * Removed the following checks (Duplicates will be merged, the
# remaining checks will be relocated to a more appropriate module:
# check_passwd or check_passwdformat): acc001w, acc020w, acco14f,
# acc013w, acc010a, acc011w, acc012w, acc015w, add018w, acc016w,
# acc017w
#
# 05/01/2003 jfs Fixed dependancy
#
# 07/26/2002 jfs Fixed to work in Solaris. Added WC as required command
#
# 07/25/2002 jfs Added a sanity check for password files
#
# 12/26/2001 jfs Added Tiger_Accounts_Trust to define valid users which will
# not be so thoroughly checked. Useful for UN*X systems that
# ship with a default number of administrative (but disabled) users
# for services/files (like Debian GNU/Linux)
#
# 04/28/93 dls Added -L to 'ls' so we get the permissions off the file
# instead of the link.
#
# 04/27/93 dls Rename from check_passwd to check_accounts
# Now checks *all* accounts, not just disabled ones
# and checks config files in home directories for
# writability.
#-----------------------------------------------------------------------------
# TODO:
# - Some 'valid' shells such as nologin or noshell might be listed under
# /etc/shells but are really invalid. The script should maybe check these
# cases or provide a way to define $NOSHELL in order to exclude these.
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
#
# Grab subroutines
#
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds AWK CAT CHECK_CRON FIND GEN_PASSWD_SETS GREP JOIN SORT MV LS TR WC RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
haveallvars HOSTNAME TESTEXEC || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Performing check of user accounts..."
haveallcmds AWK CAT CHECK_CRON FIND GEN_PASSWD_SETS GREP JOIN SORT MV LS TR WC RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
haveallvars HOSTNAME TESTEXEC || exit 1
safe_temp "$WORKDIR/pass.list.$$" "$WORKDIR/home.hosts.$$"
trap 'delete $WORKDIR/pass.list.$$ $WORKDIR/home.hosts.$$ ; exit 1' 1 2 3 15
# Just in case: sanity check
# If Not defined Tiger_Accounts_Trust then it's the lowest
# possible to assure that -lt checks will be always false
[ -z "$Tiger_Accounts_Trust" ] && Tiger_Accounts_Trust=-1
# If not defined we disable this check
[ -z "$Tiger_Dormant_Limit" ] && Tiger_Dormant_Limit=0
if [ -z "$Tiger_Admin_Accounts" ]
then
Tiger_Admin_Accounts="root"
else
Tiger_Admin_Accounts="$Tiger_Admin_Accounts|root"
fi
#
# This function checks for potential access to an "disabled" account.
#
check_disabled()
{
user=$1
home=$2
host=$3
# Check for an active cron file.
[ -n "$CHECK_CRON" -a "`$CHECK_CRON $user`" = 'YES' ] &&
message WARN acc005w "" "Login ID $user is disabled, but has a 'cron' file or cron entries."
# Return if home directory is not local or does not exists.
([ ! -d "$home/" ] || [ "$host" != "$HOSTNAME" ]) && return
# Check the .forward file.
[ -s $home/.forward ] && $GREP -F '|' $home/.forward 2>&1 >/dev/null &&
message WARN acc003w "" "Login ID $user is disabled, but has a .forward file which executes commands."
# Check the .rhosts file.
[ -s $home/.rhosts ] && {
owner=`$LS -ld $home/.rhosts | $AWK '{print $3}'`
[ "$owner" = "$user" ] && {
message WARN acc004w "" "Login ID $user is disabled, but has a .rhosts file"
}
}
}
check_users()
{
saveifs=$IFS
IFS=:
while read user home host shell uid hash
do
# Perform checks on "disabled" accounts (i.e. accounts without
# a valid password).
case $hash in
'*')
check_disabled "$user" "$home" "$host"
;;
esac
# Verify the home directory is accessable.
[ ! -d "$home/" ] && {
[ -n "$uid" ] && [ $Tiger_Accounts_Trust -lt $uid ] && [ "$host" = "$HOSTNAME" ] && {
message WARN acc022w "" "Login ID $user home directory ($home) is not accessible."
}
continue
}
IFS=$saveifs
# Check the permissions on $home.
getpermit "$home/" | {
read _f owner group ur uw ux gr gw gx or ow ox suid sgid sticky
# Note: in Debian GNU/Linux systems, there might be one user in a single
# group so this check does
# TODO: make it check if there are more than a single user in the group
# and if it is = owner
# There is also usually a list of groups that we might want to
# white list here (such as 'adm' or 'staff')
[ "$ow" = 1 ] || [ "$owner" != "$group" -a "$gw" = 1 ] && {
str="Login ID $user's home directory ($home) has"
case "$gw$ow" in
01) str="$str world write"
mode='o-w'
;;
10) str="$str group \`$group' write"
mode='g-w'
;;
11) mode='o=w'
[ "$owner" != "$group" ] && {
str="$str group \`$group' and "
mode='go-w'
}
str="$str world write"
;;
esac
message WARN acc006w "" "${str} access."
changelog "WARN : chmod : $mode : $home/."
}
}
# Check permissions on the parent home directory
[ -n "$uid" ] && [ $uid -gt $Tiger_Accounts_Trust ] && {
getpermit ${home%/*}/ | {
read _f owner group ur uw ux gr gw gx or ow ox suid sgid sticky
eval "case \"$owner\" in
$Tiger_Admin_Accounts)
;;
*)
message WARN acc023w \"\" \"Login ID $user's parent directory (${home%/*}) has non-administrative \\\`$owner' ownership.\"
esac"
[ "${gw}${ow}" != '00' ] && {
str="Login ID $user's parent directory (${home%/*}/) has"
case "$gw$ow" in
01) str="$str world write"
;;
10) str="$str group \`$group' write"
;;
11) str="$str group \`$group' and world write"
;;
esac
message WARN acc023w "" "${str} access."
}
}
}
# Dormant account check.
[ "$home" != / -a -n "$home" -a "$Tiger_Dormant_Limit" != 0 ] && {
notadmin=`eval "case \"$user\" in $Tiger_Admin_Accounts) ;; *) echo $user;; esac"`
[ -n "$notadmin" ] && \
[ `$FIND "$home/" -mtime -$Tiger_Dormant_Limit 2>/dev/null | $WC -l` -eq 0 ] &&
message WARN acc021w "" "Login ID $user appears to be a dormant account."
}
# Non-zero sized .hushlogin
[ -s "$home/.hushlogin" ] &&
message ALERT acc007a '' "Login ID $user has a non-zero length .hushlogin"
# Check shell initialization files.
# TODO: Bob Hall suggest disabling the check for standard UNIX accounts.
# In HP-UX these are: daemon|bin|sys|adm|lp|nobody|hpdb.
# However, this might leave some "holes" open
# (just rename the account so that it will not be check for).
# A secure approach has to be determined for this to work properly.
[ -z "$shell" ] && shell=/bin/sh
[ $TESTEXEC $shell ] && [ -n "$uid" ] && [ $uid -gt $Tiger_Accounts_Trust ] && {
eval "
case \"$shell\" in
$shcase)
[ ! -r "${home}/.${shell##*/}rc" ] && {
message WARN acc019w \"\" \"Login ID $user may be missing a shell initialization file ${home}/.${shell##*/}rc.\"
}
;;
*)
# Invalid shells are handled in the check_password module.
;;
esac"
}
# Check permissions on user dotfiles.
dotfiles=${USERDOTFILES:-".cshrc .bashrc .kshrc .profile .login .exrc .forward"}
for file in $dotfiles
do
[ -f "$home/$file" ] && {
getpermit "$home/$file" | {
read _f owner group ur uw ux gr gw gx or ow ox suid sgid stk
[ "${gw}${ow}" != '00' ] && {
str="Login ID $user's $file config file has"
case "$gw$ow" in
01) str="$str world write"
mode='o-w'
;;
10) str="$str group \`$group' write"
mode='g-w'
;;
11) str="$str group \`$group' and world write"
mode='go-w'
;;
esac
message WARN acc008w '' "${str} access."
changelog "WARN : chmod : $mode : $home/$file"
}
}
}
done
IFS=:
done
IFS=$saveifs
}
# Define shcase to be a list of valid shells, so we can check for
# shell initilization files.
shcase='/bin/sh|/bin/csh|/bin/bash|/bin/tcsh|/bin/ksh'
[ -n "$ETCSHELLS" -a -s "$ETCSHELLS" ] && {
shells=`$GREP -v '^#' $ETCSHELLS`
shcase=`echo $shells | $TR ' ' '|'`
}
if [ -n "$Tiger_PasswdFiles" ]; then
[ -f $Tiger_PasswdFiles ] && $CAT "$Tiger_PasswdFiles" > $WORKDIR/pass.list.$$
else
$GEN_PASSWD_SETS $WORKDIR/pass.list.$$
fi
while read passwd_set
do
source=`$CAT $passwd_set.src`
echo "# Checking accounts from $source."
$AWK -F: '{print $1, $6}' $passwd_set |
$BASEDIR/util/${GETFSHOST:=getfs-std} |
$TR ' ' : | $SORT > $WORKDIR/home.hosts.$$
$SORT $passwd_set > $WORKDIR/passwd.set.$$
$JOIN -t: -o 1.1 1.6 2.3 1.7 1.3 1.2 $WORKDIR/passwd.set.$$ $WORKDIR/home.hosts.$$ |
check_users
[ ! -n "$Tiger_PasswdFiles" ] && delete $passwd_set $passwd_set.src
delete "$WORKDIR/home.hosts.$$" "$WORKDIR/passwd.set.$$"
done < $WORKDIR/pass.list.$$
delete "$WORKDIR/pass.list.$$"
exit 0
|