jdp c54bd25952 Security fix. Strip the encrypted passwords out of the "master.passwd"
diff output, and replace them with "(password)".  The diffs get
mailed to root, which in many cases is forwarded across the
Internet.  A patient sniffer could acquire the entire "master.passwd"
file by saving all the diffs.  With this fix, you still see that the
password changed, but you don't see the details.

Unless somebody talks me out of it, I am going to merge this into -2.2
in 48 hours.
1997-02-08 20:54:38 +00:00

174 lines
4.0 KiB
Bash

#!/bin/sh -
#
# @(#)daily 5.12 (Berkeley) 5/24/91
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
host=`hostname -s`
echo "Subject: $host daily run output"
bak=/var/backups
echo ""
echo "Removing scratch and junk files:"
if [ -d /var/preserve ]; then
cd /var/preserve && {
find . ! -name . -mtime +7 -exec rm -f -- {} \; ; }
fi
if [ -d /var/rwho ] ; then
cd /var/rwho && {
find . ! -name . -mtime +7 -exec rm -f -- {} \; ; }
fi
cd /tmp
# This is a security hole, never use 'find' on a public directory
# with -exec rm -f as root. This can be exploited to delete any file
# on the system.
#
#find / ! -fstype local -a -prune -o \
# \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name *.core \
# -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
# -a -atime +3 -exec rm -f -- {} \;
#
#
# The same security hole. Purge the temp directories from unused stuff.
# Note that we must not accidentally clean the X11 lock files.
#
# Use at your own risk, but for a long-living system, this might come
# more useful than the boot-time cleaning of /tmp. If /var/tmp and
# /tmp are symlinked together, only one of the below will actually
# run.
#
# if [ -d /tmp ]; then
# cd /tmp && {
# find . -type f -atime +3 -ctime +3 ! -name '.X*-lock' -exec rm -f -- {} \;
# find -d . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
# >/dev/null 2>&1; }
# fi
#
# if [ -d /var/tmp ]; then
# cd /var/tmp && {
# find . ! -name . -atime +7 -ctime +3 -exec rm -f -- {} \;
# find -d . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
# >/dev/null 2>&1; }
# fi
#
#
# remove system messages older than 21 days
msgs -c
if [ -f /etc/news.expire ]; then
/etc/news.expire
fi
if [ -f /var/account/acct ] ; then
echo ""
echo "Gathering accounting statistics:"
cd /var/account
if [ -f acct.2 ] ; then mv -f acct.2 acct.3 ; fi
if [ -f acct.1 ] ; then mv -f acct.1 acct.2 ; fi
if [ -f acct.0 ] ; then mv -f acct.0 acct.1 ; fi
cp -pf acct acct.0
sa -s > /dev/null
fi
echo ""
echo "Backup passwd and group files:"
if [ ! -f $bak/master.passwd.bak ] ; then
echo "no $bak/master.passwd.bak"
cp -p /etc/master.passwd $bak/master.passwd.bak
fi
if cmp -s $bak/master.passwd.bak /etc/master.passwd; then :; else
echo "$host passwd diffs:"
diff $bak/master.passwd.bak /etc/master.passwd |\
sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
mv $bak/master.passwd.bak $bak/master.passwd.bak2
cp -p /etc/master.passwd $bak/master.passwd.bak
fi
if [ ! -f $bak/group.bak ] ; then
echo "no $bak/group.bak"
cp -p /etc/group $bak/group.bak
fi
if cmp -s $bak/group.bak /etc/group; then :; else
echo "$host group diffs:"
diff $bak/group.bak /etc/group
mv $bak/group.bak $bak/group.bak2
cp -p /etc/group $bak/group.bak
fi
if [ ! -f $bak/aliases.bak ] ; then
echo "no $bak/aliases.bak"
cp -p /etc/aliases $bak/aliases.bak
fi
if cmp -s $bak/aliases.bak /etc/aliases; then :; else
echo "$host aliases diffs:"
diff $bak/aliases.bak /etc/aliases
mv $bak/aliases.bak $bak/aliases.bak2
cp -p /etc/aliases $bak/aliases.bak
fi
if [ -f /etc/Distfile ]; then
if cmp -s $bak/Distfile.bak /etc/Distfile; then :; else
mv $bak/Distfile.bak $bak/Distfile.bak2
cp /etc/Distfile $bak/Distfile.bak
fi
fi
# `calendar -a' needs to die. Why? Because it's a bad idea, particular
# with networked home directories, but also in general. If you want the
# output of `calendar' mailed to you, set up a cron job to do it,
# or run it from your ~/.profile or ~/.login.
#
# echo ""
# echo "Running calendar:"
# calendar -a
if [ -d /var/spool/uucp -a -f /etc/uuclean.daily ]; then
echo ""
echo "Cleaning up UUCP:"
echo /etc/uuclean.daily | su daemon
fi
echo ""
echo ""
echo "Checking subsystem status:"
echo ""
echo "disks:"
df -k -t local
echo ""
dump W
echo ""
echo ""
echo "mail:"
mailq
if [ -d /var/spool/uucp ]; then
echo ""
echo "uucp:"
uustat -a
fi
echo ""
echo "network:"
netstat -i
echo ""
if [ -d /var/rwho ] ; then
ruptime
fi
echo ""
if [ -f /etc/Distfile ]; then
echo "Running rdist:"
rdist -f /etc/Distfile
fi
if [ -f /etc/daily.local ]; then
echo "Running daily.local:"
sh /etc/daily.local
fi
sh /etc/security 2>&1 | sendmail root