From 816f4a7f8b09dde13410d871bd68e9ed603d88f3 Mon Sep 17 00:00:00 2001 From: asomers Date: Mon, 3 Oct 2016 15:17:22 +0000 Subject: [PATCH] MFC r306048 Fix periodic scripts when an NFS mount covers a local mount 100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS filesystems. But their logic contains an error. They also search through remote filesystems that are mounted on top of the root of a local filesystem. For example, if a user installs a FreeBSD system with the default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts /usr/home over NFS, these scripts would search through /usr/home. git-svn-id: svn://svn.freebsd.org/base/stable/10@306644 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 etc/periodic/security/100.chksetuid | 2 +-
 etc/periodic/security/110.neggrpperm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
index 95920a6fa..da8d29d98 100755
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -46,7 +46,7 @@ then
 echo ""
 echo 'Checking setuid files and devices:'
 MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
- find -sx $MP /dev/null -type f \
+ find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
 \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
 \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
 check_diff setuid - "${host} setuid diffs:"
diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm
index 1d545ac5f..bd9401595 100755
--- a/etc/periodic/security/110.neggrpperm
+++ b/etc/periodic/security/110.neggrpperm
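Review bot: The new `\( ! -fstype local \) -prune -o` clause on the `find` line in 100.chksetuid has no comment, and it is not obvious why a start list already built from `mount -t ufs,zfs` needs a second filesystem test. I would add above it `# A remote filesystem mounted over a local mount point hides it; prune whatever find does not see as local.` The clause also narrows what the report covers: setuid files on the covering mount are no longer listed, and the `no(suid|exec)` filter in the `awk` line looks at the options of the UFS/ZFS entry, not of the mount on top, so it seems worth stating in that comment that remote mounts are outside this check. The same clause is added in 110.neggrpperm and the same comment applies there. The enclosing `then` block starts and ends outside the hunk.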
@@ -44,7 +44,7 @@ then
 echo ""
 echo 'Checking negative group permissions:'
 MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
- n=$(find -sx $MP /dev/null -type f \
+ n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
 \( \( ! -perm +010 -and -perm +001 \) -or \
 \( ! -perm +020 -and -perm +002 \) -or \
 \( ! -perm +040 -and -perm +004 \) \) \
-- 
2.42.0
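Review bot: `$MP` is still expanded unquoted on the changed `find` line (and on the matching line in 100.chksetuid), and the list is built with `awk '... { print $3 }'`, so a mount point whose path contains whitespace reaches `find` as fragments rather than as a valid start path. That filesystem would presumably be left out of the audit with nothing more than a `find` error to show for it, which is easy to overlook in a periodic security report. The patch keeps this behaviour; I would at least record it next to the `MP=` assignment, for example `# NOTE: mount points containing whitespace are not handled; $MP relies on word splitting.` The command substitution opened by `n=$(` is closed outside the hunk, so the rest of the pipeline is not visible here.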