#!/bin/sh -- # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # Check :include: aliases (in files configured in sendmail.cf) and .forward # files to make sure the files and their parent directory paths all have # proper permissions. And check the master alias file(s) too. # # See http://www.sendmail.org/vendor/sun/migration.html#Security for details. # # Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. # PATH=/bin # Check the group- and world-writable bits on the given file. analyze() { case "`ls -Lldn $1`" in ?????w??w?*) echo $2: $1 is group and world writable bogus_dirs=true ;; ????????w?*) echo $2: $1 is world writable bogus_dirs=true ;; ?????w????*) echo $2: $1 is group writable bogus_dirs=true ;; esac } # Break down the given file name into its components, and call analyze with # each of them. E.g., an argument of /usr/local/aliases/foo.list would call # analyze in turn with arguments: # * /usr/local/aliases/foo.list # * /usr/local/aliases # * /usr/local # * /usr break_down() { for j in `echo $1 | \ awk '{ n = split($0, parts, "/"); for (i = n; i >= 2; i--){ string = ""; for (j = 2; j <= i; j++){ string = sprintf("%s/%s", string, parts[j]); } print string } }'` "/" do analyze $j $1 done } config=/etc/mail/sendmail.cf bogus_dirs=false afl1=`grep "^OA" $config | sed 's/^OA//' | sed 's/,/ /g' | sed 's/.*://'` afl2=`grep "^O AliasFile=" $config | sed 's/^O AliasFile=//' | \ sed 's/,/ /g' | sed 's/.*://'` # These should be OK themselves, but other packages may have screwed up the # permissions on /etc or /etc/mail . And best to check in case non-standard # alias paths are used. break_down $afl1 $afl2 # Find all valid :include: files used in alias files configured in sendmail.cf for i in `sed 's/^[#].*$//' $afl1 $afl2 | \ grep :include: | \ sed 's/.*:include://' | \ sed 's/,.*$//'` do break_down $i done # Check .forward files as well. If the argument "ALL" is given, do it for # everyone. If no argument to the script is given, just do it for the current # user. O/w, do it for all arguments. if [ $# -eq 0 ] ; then arg="$(id -u -n -r)" elif [ $1 = "ALL" ] ; then arg="" else arg="$*" fi for i in `getent passwd $arg | nawk -F: '{print $6}'` do if [ -f $i/.forward ] ; then break_down $i/.forward fi done $bogus_dirs || echo "No unsafe directories found."