#!/bin/sh --
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

# Check :include: aliases (in files configured in sendmail.cf) and .forward
# files to make sure the files and their parent directory paths all have
# proper permissions. And check the master alias file(s) too.
#
# See http://www.sendmail.org/vendor/sun/migration.html#Security for details.
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
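#
# %W% (Sun) %G%
# ident "%Z%%M% %I% %E% SMI"

# Fixed, minimal PATH so the ls/awk/sed/grep/getent calls below cannot be
# diverted by whatever PATH the caller happens to have.
PATH=/bin

#
# analyze FILE LABEL
#
# Check the group- and world-writable bits on FILE (symlinks are followed,
# -L) and report any finding under LABEL, the full path being examined.
# A finding also sets the global bogus_dirs to true.
#
# The mode string printed by "ls -Lldn" looks like "drwxrwxrwx": column 6
# is the group write bit and column 9 the other/world write bit.  When ls
# fails (e.g. FILE does not exist) its output is empty, nothing matches and
# nothing is reported; ls's own diagnostic is left on stderr on purpose.
#
# Backquotes (not $(...)) are used throughout: the script targets the
# classic Bourne /bin/sh.
#
analyze() {
	case "`ls -Lldn "$1"`" in
	?????w??w?*)
		echo "$2: $1 is group and world writable"
		bogus_dirs=true ;;
	????????w?*)
		echo "$2: $1 is world writable"
		bogus_dirs=true ;;
	?????w????*)
		echo "$2: $1 is group writable"
		bogus_dirs=true ;;
	esac
}

#
# break_down FILE...
#
# Break each given file name down into its components and call analyze with
# each of them, plus "/".  E.g., /usr/local/aliases/foo.list yields, in turn:
#	/usr/local/aliases/foo.list
#	/usr/local/aliases
#	/usr/local
#	/usr
#	/
# Every argument is processed (callers pass the whole alias-file list), and
# each component is reported under the full name it belongs to.  A name
# without any "/" (such as an NIS map name) has no components, so only "/"
# is examined for it.
#
break_down() {
	for f in "$@"
	do
		for component in `echo "$f" | \
		    awk '{
			n = split($0, parts, "/");
			for (i = n; i >= 2; i--){
				string = "";
				for (j = 2; j <= i; j++){
					string = sprintf("%s/%s", string, parts[j]);
				}
				print string
			}
		    }'` "/"
		do
			analyze "$component" "$f"
		done
	done
}

# The sendmail configuration whose alias-file options are read below.
config=/etc/mail/sendmail.cf
# Set to true by analyze() on any finding; drives the final summary line.
bogus_dirs=false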
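#
# Collect the alias file names configured in sendmail.cf.  Both the old
# "OA" and the new "O AliasFile=" option forms are honoured.  Entries are
# comma separated and may carry a map-type prefix ("dbm:/etc/mail/aliases");
# the prefix is stripped from each entry individually, so a list such as
# "dbm:/etc/mail/aliases,nis:mail.aliases" yields both names rather than
# only the text after the last colon on the line.
#
afl1=`grep "^OA" "$config" | sed -e 's/^OA//' -e 's/,/ /g' -e 's/[^ ]*://g'`
afl2=`grep "^O AliasFile=" "$config" | \
    sed -e 's/^O AliasFile=//' -e 's/,/ /g' -e 's/[^ ]*://g'`

# The master alias files should be OK themselves, but other packages may
# have loosened the permissions on /etc or /etc/mail, and non-standard alias
# paths may be in use, so check them and their parent directories anyway.
# ($afl1/$afl2 are deliberately unquoted: they are space separated lists.)

break_down $afl1 $afl2

# Find all :include: files used in the alias files configured in sendmail.cf.
# Comment lines are blanked first; an include path ends at the first comma.
# sed would read stdin if handed no file name at all, so skip this step
# entirely when no alias file is configured.

if [ -n "$afl1$afl2" ] ; then
	for i in `sed 's/^[#].*$//' $afl1 $afl2 | \
	    grep :include: | \
	    sed 's/.*:include://' | \
	    sed 's/,.*$//'`
	do
		break_down "$i"
	done
fi

# Check .forward files as well.  With the argument "ALL", do it for every
# account; with no argument, just for the current user; otherwise for each
# user named on the command line.

if [ $# -eq 0 ] ; then
	# "uid=100(user) gid=..." -> "user"
	arg=`id | nawk -F'(' '{n = split($2,id,")"); print id[1]}'`
elif [ "$1" = "ALL" ] ; then
	arg=""
else
	arg="$*"
fi

# $arg is deliberately unquoted: it is either empty (every account) or a
# space separated list of user names, each a separate key for getent.
# Home directories containing whitespace cannot be handled by this loop.
for i in `getent passwd $arg | nawk -F: '{print $6}'`
do
	if [ -f "$i/.forward" ] ; then
		break_down "$i/.forward"
	fi
done

$bogus_dirs || echo "No unsafe directories found."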