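#!/bin/sh --
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

# Check :include: aliases (in files configured in sendmail.cf) and .forward
# files to make sure the files and their parent directory paths all have
# proper permissions. And check the master alias file(s) too.
#
# See http://www.sendmail.org/sun-specific/migration.html#Security for details.
#
# Usage: check-permissions            # .forward of the current user
#        check-permissions ALL        # .forward of every account
#        check-permissions user...    # .forward of the named accounts
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All Rights Reserved.
#
# %W% (Sun) %G%
# ident "%Z%%M% %I% %E% SMI"

# Fixed search path: the script inspects security-relevant files, so it must
# not pick up tools from whatever PATH the caller happened to have.  Exported
# so that the external tools it runs (ls, sed, awk, getent) see the same path.
PATH=/bin
export PATH

#
# analyze PATH FILE
#
# Check the group- and world-writable bits on PATH and report a finding
# against FILE, the alias or .forward file of which PATH is a component.
# Symbolic links are followed (ls -L), so the mode of the link target is
# what is inspected.  Findings go to stdout and set the global bogus_dirs
# to true; anything ls complains about (e.g. a path that does not exist)
# goes to stderr untouched, since a dangling :include: is worth seeing.
#
analyze() {
	# The first ten characters of the long listing are the file type and
	# the mode bits: position 6 is group-write, position 9 is other-write.
	case "$(ls -Lldn -- "$1")" in
	?????w??w?*)
		printf '%s: %s is group and world writable\n' "$2" "$1"
		bogus_dirs=true ;;
	????????w?*)
		printf '%s: %s is world writable\n' "$2" "$1"
		bogus_dirs=true ;;
	?????w????*)
		printf '%s: %s is group writable\n' "$2" "$1"
		bogus_dirs=true ;;
	esac
}

#
# break_down FILE
#
# Break the given file name down into its components and call analyze with
# each of them, the file itself first and the root directory last.  E.g., an
# argument of /usr/local/aliases/foo.list calls analyze in turn with:
#  * /usr/local/aliases/foo.list
#  * /usr/local/aliases
#  * /usr/local
#  * /usr
#  * /
# Only the one FILE argument is examined; callers with several files must
# call break_down once per file.  The decomposition is done with parameter
# expansion, so a name containing spaces is handled as one path and no
# external command is needed for it.
#
break_down() {
	bd_file=$1
	bd_path=$1
	while [ -n "$bd_path" ] && [ "$bd_path" != / ]; do
		analyze "$bd_path" "$bd_file"
		case $bd_path in
		*/*) bd_path=${bd_path%/*} ;;	# drop the last component
		*)   bd_path= ;;		# relative name: nothing above it
		esac
	done
	# "/" is reached from every absolute path; check it exactly once.
	analyze / "$bd_file"
}

config=/etc/mail/sendmail.cf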
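bogus_dirs=false

# Collect the alias file paths from sendmail.cf.  Both spellings are honoured:
# the old "OA<list>" option and "O AliasFile=<list>".  A list is comma
# separated and each entry may carry a map-type prefix ("hash:/etc/mail/aliases"),
# which is stripped per entry rather than with one greedy substitution over the
# whole list (that would have eaten everything up to the last colon).  Entries
# that are not absolute paths (e.g. "nis:mail.aliases") are not files on this
# host and are dropped, so they are neither analysed nor handed to sed below.
alias_files=
if [ -r "$config" ]; then
	alias_files=$(sed -n -e 's/^OA//p' -e 's/^O AliasFile=//p' "$config" |
		tr ',' '\n' |
		sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^[^/]*://' |
		grep '^/')
else
	printf '%s: cannot read %s\n' "$0" "$config" >&2
fi

# These should be OK themselves, but other packages may have screwed up the
# permissions on /etc or /etc/mail . And best to check in case non-standard
# alias paths are used.  break_down examines a single path, so each alias file
# gets its own call; passing the whole list in one call would check only the
# first file.
for f in $alias_files; do	# unquoted on purpose: one path per word
	break_down "$f"
done

# Find all :include: files used in the alias files.  Comment lines are dropped
# and alias members are split at commas first, so every :include: entry on a
# line is found, not only the last one.  When no alias file was found sed is
# not run at all: with no file operands it would read standard input instead.
if [ -n "$alias_files" ]; then
	for i in $(sed 's/^[#].*$//' $alias_files |
			tr ',' '\n' |
			grep :include: |
			sed -e 's/.*:include:[[:space:]]*//' -e 's/[[:space:]]*$//'); do
		break_down "$i"
	done
fi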
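# Check .forward files as well. If the argument "ALL" is given, do it for
# everyone. If no argument to the script is given, just do it for the current
# user. O/w, do it for all arguments.
#
# "who am i" reports the login name even after su, but prints nothing when
# there is no controlling terminal (cron, ssh command mode).  Fall back to the
# effective user from id(1) in that case; if that is empty too, stop with an
# error instead of letting an empty name silently turn into "ALL" (an empty
# list makes getent enumerate every account).

if [ $# -eq 0 ]; then
	arg=$(who am i | awk '{print $1}')
	if [ -z "$arg" ]; then
		arg=$(id -un)
	fi
	if [ -z "$arg" ]; then
		printf '%s: cannot determine the current user; give a user name or ALL\n' "$0" >&2
		exit 2
	fi
elif [ "$1" = ALL ]; then
	arg=
else
	arg=$*
fi

# Field 6 of a passwd entry is the home directory.  -F: must be given on the
# command line: setting FS inside the action only takes effect from the second
# record on, so the first account's home directory would be mis-parsed.
# $arg is left unquoted on purpose: it is a space-separated list of names.
homes=$(getent passwd $arg | awk -F: '{print $6}')

# Iterate one home directory per line so that a directory name containing a
# space is kept intact; a pipeline into "while read" is avoided because the
# subshell would lose the bogus_dirs updates made by analyze.
save_ifs=$IFS
IFS='
'
for i in $homes; do
	if [ -f "$i/.forward" ]; then
		break_down "$i/.forward"
	fi
done
IFS=$save_ifs

# Exit non-zero when anything was reported so that callers (cron jobs,
# audit scripts) can act on the result instead of parsing the output.
if [ "$bogus_dirs" = true ]; then
	exit 1
fi
echo "No unsafe directories found."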