xref: /titanic_52/usr/src/cmd/sendmail/cf/sh/check-permissions.sh (revision fd845fc0cb4fbc8e85f974e2e4eaacca1cc26e81)
1#!/bin/sh --
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License, Version 1.0 only
7# (the "License").  You may not use this file except in compliance
8# with the License.
9#
10# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11# or http://www.opensolaris.org/os/licensing.
12# See the License for the specific language governing permissions
13# and limitations under the License.
14#
15# When distributing Covered Code, include this CDDL HEADER in each
16# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17# If applicable, add the following below this CDDL HEADER, with the
18# fields enclosed by brackets "[]" replaced with your own identifying
19# information: Portions Copyright [yyyy] [name of copyright owner]
20#
21# CDDL HEADER END
22#
23
24# Check :include: aliases (in files configured in sendmail.cf) and .forward
25# files to make sure the files and their parent directory paths all have
26# proper permissions.  And check the master alias file(s) too.
27#
28# See http://www.sendmail.org/sun-specific/migration.html#Security for details.
29#
30# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
31# All Rights Reserved.
32#
33# %W% (Sun) %G%
34# ident	"%Z%%M%	%I%	%E% SMI"
35
36PATH=/bin
37
38# Check the group- and world-writable bits on the given file.
39
40analyze() {
41	case "`ls -Lldn $1`" in
42		?????w??w?*)
43			echo $2: $1 is group and world writable
44			bogus_dirs=true ;;
45		????????w?*)
46			echo $2: $1 is world writable
47			bogus_dirs=true ;;
48		?????w????*)
49			echo $2: $1 is group writable
50			bogus_dirs=true ;;
51	esac
52}
53
54# Break down the given file name into its components, and call analyze with
55# each of them.  E.g., an argument of /usr/local/aliases/foo.list would call
56# analyze in turn with arguments:
57# * /usr/local/aliases/foo.list
58# * /usr/local/aliases
59# * /usr/local
60# * /usr
61
62break_down() {
63	for j in `echo $1 | \
64		awk '{
65			n = split($0, parts, "/");
66			for (i = n; i >= 2; i--){
67				string = "";
68				for (j = 2; j <= i; j++){
69					string = sprintf("%s/%s", string, parts[j]);
70				}
71				print string
72			}
73		}'` "/"
74	do
75		analyze $j $1
76	done
77}
78
79config=/etc/mail/sendmail.cf
80bogus_dirs=false
81
82afl1=`grep "^OA" $config | sed 's/^OA//' | sed 's/,/ /g' | sed 's/.*://'`
83afl2=`grep "^O AliasFile=" $config | sed 's/^O AliasFile=//' | \
84    sed 's/,/ /g' | sed 's/.*://'`
85
86# These should be OK themselves, but other packages may have screwed up the
87# permissions on /etc or /etc/mail .  And best to check in case non-standard
88# alias paths are used.
89
90break_down $afl1 $afl2
91
92# Find all valid :include: files used in alias files configured in sendmail.cf
93
94for i in `sed 's/^[#].*$//' $afl1 $afl2 | \
95	grep :include: | \
96	sed 's/.*:include://' | \
97	sed 's/,.*$//'`
98do
99	break_down $i
100done
101
102# Check .forward files as well.  If the argument "ALL" is given, do it for
103# everyone.  If no argument to the script is given, just do it for the current
104# user.  O/w, do it for all arguments.
105
106if [ $# -eq 0 ] ; then
107	arg=`who am i | awk '{print $1}'`
108elif [ $1 = "ALL" ] ; then
109	arg=""
110else
111	arg="$*"
112fi
113
114for i in `getent passwd $arg | nawk '{FS=":";print $6}'`
115do
116	if [ -f $i/.forward ] ; then
117		break_down $i/.forward
118	fi
119done
120
121$bogus_dirs || echo "No unsafe directories found."
122