1#!/bin/sh -- 2# 3# CDDL HEADER START 4# 5# The contents of this file are subject to the terms of the 6# Common Development and Distribution License (the "License"). 7# You may not use this file except in compliance with the License. 8# 9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10# or http://www.opensolaris.org/os/licensing. 11# See the License for the specific language governing permissions 12# and limitations under the License. 13# 14# When distributing Covered Code, include this CDDL HEADER in each 15# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16# If applicable, add the following below this CDDL HEADER, with the 17# fields enclosed by brackets "[]" replaced with your own identifying 18# information: Portions Copyright [yyyy] [name of copyright owner] 19# 20# CDDL HEADER END 21# 22 23# Check :include: aliases (in files configured in sendmail.cf) and .forward 24# files to make sure the files and their parent directory paths all have 25# proper permissions. And check the master alias file(s) too. 26# 27# See http://www.sendmail.org/vendor/sun/migration.html#Security for details. 28# 29# Copyright 2006 Sun Microsystems, Inc. All rights reserved. 30# Use is subject to license terms. 31# 32# %W% (Sun) %G% 33# ident "%Z%%M% %I% %E% SMI" 34 35PATH=/bin 36 37# Check the group- and world-writable bits on the given file. 38 39analyze() { 40 case "`ls -Lldn $1`" in 41 ?????w??w?*) 42 echo $2: $1 is group and world writable 43 bogus_dirs=true ;; 44 ????????w?*) 45 echo $2: $1 is world writable 46 bogus_dirs=true ;; 47 ?????w????*) 48 echo $2: $1 is group writable 49 bogus_dirs=true ;; 50 esac 51} 52 53# Break down the given file name into its components, and call analyze with 54# each of them. E.g., an argument of /usr/local/aliases/foo.list would call 55# analyze in turn with arguments: 56# * /usr/local/aliases/foo.list 57# * /usr/local/aliases 58# * /usr/local 59# * /usr 60 61break_down() { 62 for j in `echo $1 | \ 63 awk '{ 64 n = split($0, parts, "/"); 65 for (i = n; i >= 2; i--){ 66 string = ""; 67 for (j = 2; j <= i; j++){ 68 string = sprintf("%s/%s", string, parts[j]); 69 } 70 print string 71 } 72 }'` "/" 73 do 74 analyze $j $1 75 done 76} 77 78config=/etc/mail/sendmail.cf 79bogus_dirs=false 80 81afl1=`grep "^OA" $config | sed 's/^OA//' | sed 's/,/ /g' | sed 's/.*://'` 82afl2=`grep "^O AliasFile=" $config | sed 's/^O AliasFile=//' | \ 83 sed 's/,/ /g' | sed 's/.*://'` 84 85# These should be OK themselves, but other packages may have screwed up the 86# permissions on /etc or /etc/mail . And best to check in case non-standard 87# alias paths are used. 88 89break_down $afl1 $afl2 90 91# Find all valid :include: files used in alias files configured in sendmail.cf 92 93for i in `sed 's/^[#].*$//' $afl1 $afl2 | \ 94 grep :include: | \ 95 sed 's/.*:include://' | \ 96 sed 's/,.*$//'` 97do 98 break_down $i 99done 100 101# Check .forward files as well. If the argument "ALL" is given, do it for 102# everyone. If no argument to the script is given, just do it for the current 103# user. O/w, do it for all arguments. 104 105if [ $# -eq 0 ] ; then 106 arg=`id | nawk -F'(' '{n = split($2,id,")"); print id[1]}'` 107elif [ $1 = "ALL" ] ; then 108 arg="" 109else 110 arg="$*" 111fi 112 113for i in `getent passwd $arg | nawk -F: '{print $6}'` 114do 115 if [ -f $i/.forward ] ; then 116 break_down $i/.forward 117 fi 118done 119 120$bogus_dirs || echo "No unsafe directories found." 121