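#!/bin/sh --
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

# Check :include: aliases (in files configured in sendmail.cf) and .forward
# files to make sure the files and their parent directory paths all have
# proper permissions.  And check the master alias file(s) too.
#
# Usage:  check_perms [ALL | user ...]
#         With no argument only the invoking user's .forward is checked;
#         "ALL" checks every account known to getent(1M).
#
# Only the group- and world-write bits of each path component are examined.
# Ownership and ACL entries are not inspected, so a clean run here does not
# by itself mean the alias or .forward files are trustworthy.
#
# Requires a POSIX sh ($(...) and ${var%...} are used).
#
# See http://www.sendmail.org/sun-specific/migration.html#Security for details.
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All Rights Reserved.
#
# %W% (Sun) %G%
# ident "%Z%%M% %I% %E% SMI"

PATH=/usr/bin:/bin

#######################################
# Check the group- and world-writable bits on the given file.
# Arguments: $1 - path to inspect.  ls -L follows symlinks, so the mode
#                 reported is that of the target, not of the link itself.
#            $2 - context printed in front of the path (the file whose
#                 path component $1 is)
# Outputs:   one diagnostic line on stdout when the mode is unsafe
# Globals:   bogus_dirs (written) - set to "true" when a problem is found
#######################################
analyze() {
  # The mode string is the first field of "ls -Lldn"; character 6 is the
  # group-write bit and character 9 the other-write bit.  Anything that
  # follows the mode (ACL marker, link count, ...) is swallowed by the "*".
  # ls errors (e.g. a missing file) are left on stderr as the caller's hint.
  case "$(ls -Lldn "$1")" in
    ?????w??w?*)
      printf '%s: %s is group and world writable\n' "$2" "$1"
      bogus_dirs=true ;;
    ????????w?*)
      printf '%s: %s is world writable\n' "$2" "$1"
      bogus_dirs=true ;;
    ?????w????*)
      printf '%s: %s is group writable\n' "$2" "$1"
      bogus_dirs=true ;;
  esac
}

#######################################
# Break down the given file name into its components, and call analyze with
# each of them.  E.g., an argument of /usr/local/aliases/foo.list would call
# analyze in turn with arguments:
#   * /usr/local/aliases/foo.list
#   * /usr/local/aliases
#   * /usr/local
#   * /usr
#   * /
# Arguments: $1 - absolute path to check
# Globals:   bd_path (scratch); bogus_dirs via analyze
#######################################
break_down() {
  bd_path=$1
  # Strip one trailing component per iteration with parameter expansion.
  # No pipeline or subshell is involved, so analyze's update of bogus_dirs
  # is visible to the caller.
  while [ -n "$bd_path" ] && [ "$bd_path" != / ]; do
    analyze "$bd_path" "$1"
    bd_path=${bd_path%/*}
  done
  analyze / "$1"
}

config=/etc/mail/sendmail.cf
bogus_dirs=false

#######################################
# Print, one per line, the alias files named in $config by either the old
# "OA" option or the "O AliasFile=" option.
# Entries are comma separated and may carry a map-type prefix such as
# "dbm:/etc/mail/aliases".  Each entry is handled on its own line so that
# stripping the prefix cannot eat earlier entries, and only entries that
# are absolute paths are kept: map types like nis: or ldap: name no local
# file and were previously passed to sed as bogus file names.
# Globals:   config (read)
# Outputs:   alias file paths on stdout, one per line
#######################################
alias_files() {
  { sed -n 's/^OA//p' "$config"; sed -n 's/^O AliasFile=//p' "$config"; } |
    tr ',' '\n' |
    tr -d ' \t' |
    sed 's/^[^/]*://' |
    grep '^/'
}

afl=$(alias_files)

# These should be OK themselves, but other packages may have screwed up the
# permissions on /etc or /etc/mail .  And best to check in case non-standard
# alias paths are used.  Every configured file is checked, not only the
# first one.
# shellcheck disable=SC2086 -- one path per word is the intended split
for f in $afl; do
  break_down "$f"
done

# Find all valid :include: files used in alias files configured in
# sendmail.cf.  Comment lines are dropped first; the :include: target runs
# to the first comma.  The scan is skipped when no alias file is configured,
# otherwise sed would wait on stdin.
if [ -n "$afl" ]; then
  # shellcheck disable=SC2086 -- one path per word is the intended split
  for i in $(sed -n -e '/^#/d' -e '/:include:/!d' -e 's/.*:include://' \
      -e 's/,.*$//' -e p $afl); do
    break_down "$i"
  done
fi

# Check .forward files as well.  If the argument "ALL" is given, do it for
# everyone.  If no argument to the script is given, just do it for the
# current user.  O/w, do it for all arguments.

if [ $# -eq 0 ]; then
  # "who am i" reports the login name on the controlling terminal but prints
  # nothing without one (cron, pipes).  Fall back to the effective user in
  # that case instead of silently degrading to the "ALL" behaviour.
  arg=$(who am i 2>/dev/null | awk '{print $1}')
  [ -n "$arg" ] || arg=$(id -un)
elif [ "$1" = ALL ]; then
  arg=""
else
  arg="$*"
fi

# The home directory is the sixth colon-separated passwd field.  -F: must be
# given on the command line: assigning FS inside the action only takes
# effect from the second record on, so the first user's field was wrong.
# shellcheck disable=SC2086 -- $arg is deliberately unquoted: empty means
# every account, otherwise one login name per word.
homes=$(getent passwd $arg | awk -F: '{print $6}')

# A here-document keeps the loop in the current shell so break_down's
# bogus_dirs update is not lost in a pipeline subshell; read -r preserves
# home directories verbatim.
while IFS= read -r home; do
  if [ -n "$home" ] && [ -f "$home/.forward" ]; then
    break_down "$home/.forward"
  fi
done <<EOF
$homes
EOF

[ "$bogus_dirs" = true ] || echo "No unsafe directories found."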