usrgrp.sh revision 7c478bd95313f5f23a4c958a745db2134aa03244
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 1990, 1991 Sun Microsystems, Inc. All Rights Reserved.
#
#
#ident "%Z%%M% %I% %E% SMI"
# This script checks the password and group files and reports
# anything that may be a problem for their integrity or security.
########## FUNCTIONS ##########
# Archive the password, group and shadow files so that a later run can
# restore them (presumably the archive step of the MAIN section below).
# Globals (read): etc_passwd, passwd_arch, etc_group, group_arch,
#   etc_shadow, shadow_arch -- all set outside this function.
# Outputs: a "Warning!" line on stdout for the first archive that fails.
# Returns: 0 when all three archives succeed, 1 on the first failure.
# NOTE(review): in this copy of the file each "$? -ne 0" test has no
# command directly in front of it; the copy commands whose status they
# were meant to check appear to be missing. As written, the first test
# sees the caller's exit status and the other two see the status of the
# preceding "if" -- confirm against the full source before relying on it.
archive()
{
# expected here: the copy of $etc_passwd to $passwd_arch that is tested
if [ $? -ne 0 ]
then
echo
echo "Warning! Could not archive $etc_passwd to $passwd_arch."
return 1
fi
# expected here: the copy of $etc_group to $group_arch that is tested
if [ $? -ne 0 ]
then
echo
echo "Warning! Could not archive $etc_group to $group_arch."
return 1
fi
# expected here: the copy of $etc_shadow to $shadow_arch that is tested
if [ $? -ne 0 ]
then
echo
echo "Warning! Could not archive $etc_shadow to $shadow_arch."
return 1
fi
return 0
}
# check duplicate user id's in password file;
# report them unless allowed by UID_ALIASES file.
# usage: check_dup_id passwd_file
# Globals (read): UID_ALIASES -- the file naming users that may
#   legitimately share a uid. When it is missing or empty (the "-s" test
#   below fails) nouidalias is set to true and every duplicate is
#   reported; no alias is trusted from an empty file.
# Globals (written): nouidalias, and presumably uid/uname/result (their
#   assignments are not visible in this copy).
# Outputs: warnings on stdout.
# NOTE(review): this copy is incomplete -- the "check_dup_id()" name line,
# the "if" opening the nouidalias test, the loop header before "do", the
# "if" lines before each bare "then", and the beginning of the awk command
# (its `...` opening and whatever matches the uid before the for-loop over
# fields 2..NF) are missing. The awk fragment that is visible prints uname
# when it is listed in fields 2..NF of the selected UID_ALIASES line, i.e.
# the name is an allowed alias. Confirm against the full source.
{
nouidalias=false
# the condition for this first branch is not visible in this copy
then
nouidalias=true
elif [ ! -s $UID_ALIASES ]
then
nouidalias=true
fi
# loop over the duplicate uids; the loop header is not visible here
do
then
then
echo
else
for (i=2; i<=NF; i++) { \
if ($i==uname) { \
print uname; \
break; \
} \
} \
}' uid=$uid uname=$uname $UID_ALIASES`
then
echo
fi
fi
fi
}
# Check on the password file passed in.
# -f flag: fix where possible.
# Usage: do_passwd [-f] passwd_file
# Globals (written): should_fix, passwd_file -- plain shell variables
#   (no "local" in this sh); do_group() assigns should_fix as well.
# Globals (read): AWK, ASETDIR, passwdbuf, ASETSECLEVEL -- set elsewhere.
# Outputs: progress and warnings on stdout; a repaired copy of the file is
#   written to $passwdbuf.
# NOTE(review): this copy is incomplete -- the "do_passwd()" name line and
# the "if" lines that open the duplicate-name, nobody, ypclient and status
# tests are missing; the bare "then" lines below are what remains. The
# comments here describe only what is visible; confirm against the full
# source.
{
if [ "$1" = "-f" ]
then
should_fix=true
passwd_file=$2
else
should_fix=false
passwd_file=$1
fi
echo
echo "Checking $passwd_file ..."
# check duplicate user names
# (the command that fills $result and the "if test" are not visible here)
then
echo
echo "Warning! Duplicate user name(s) found in $passwd_file:"
# "\t" relies on an echo that interprets backslash escapes (as the
# Solaris sh/XPG echo does); bash's builtin echo prints it literally.
echo "\t$result"
fi
# check duplicate user ids
# (the check_dup_id call is not visible in this copy)
# other format checks
# pwchk.awk is located relative to $ASETDIR; both expansions are unquoted,
# so a path containing whitespace would be split into separate words.
$AWK -f ${ASETDIR}/tasks/pwchk.awk $passwd_file
# check nobody entry
then
echo
# "\c" suppresses the trailing newline on echo implementations that
# honour it; the remainder of the message is presumably printed by a
# line missing from this copy (compare the nogroup message in do_group).
echo "Bad entry for user nobody in $passwd_file\c"
then
# Rewrite the nobody line when its uid ($3) or gid ($4) is -2: the
# password field becomes "*" (conventionally a locked password), uid and
# gid become 66534, and gecos/home/shell are set to the placeholder
# "disable" values. Every other line is copied through unchanged. The
# result goes to $passwdbuf; the step that moves it back over
# $passwd_file is not visible here. Confirm that $passwdbuf lives in a
# directory other users cannot write to: the redirection below follows
# any existing file or symlink at that name.
$AWK -F: '{ \
if ($1=="nobody" && ($3=="-2" || $4=="-2")) { \
printf("%s:*:66534:66534:disable:", $1); \
printf("/disable:/disable\n") \
} else { \
print $0; \
} \
}' $passwd_file > $passwdbuf
# tests the status of the copy-back step, which is not visible here
then
echo
echo "Entry repaired."
else
echo
echo "Repair attempted but failed."
fi
fi
fi
# Check ypclient line (+...)
then
# if this is an NIS server, check passwd file for ypclient line.
then
then
echo
echo "Warning! This machine is an NIS server; it should\c"
echo " not have the client line (+...) in $passwd_file."
then
# Deletion is only attempted at the "med" and "high" security levels;
# at other levels the client line is reported but left in place.
if [ "${ASETSECLEVEL}" = "med" -o \
"${ASETSECLEVEL}" = "high" ]
then
# tests the status of the deletion command, which is missing from this
# copy (as written, it directly follows "then" and sees its status)
if [ "$?" = "0" ]
then
echo
echo "Client line(s) deleted."
else
echo
echo "Deletion attempted but failed."
fi
fi
fi
fi
fi
fi
} # end do_passwd()
do_group()
# Check on the group file passed in.
# -f flag: fix where possible.
# Usage: do_group [-f] group_file
# Globals (written): should_fix, group_file -- plain shell variables
#   (no "local" in this sh); do_passwd() assigns should_fix as well.
# Globals (read): AWK, ASETDIR, groupbuf, ASETSECLEVEL, result -- set
#   elsewhere (the commands that fill $result are not visible here).
# Outputs: progress and warnings on stdout; a repaired copy of the file is
#   written to $groupbuf.
# NOTE(review): this copy is incomplete -- the "if" lines that open the
# nogroup, ypclient and status tests are missing; the bare "then" lines
# below are what remains. Confirm against the full source.
{
if [ "$1" = "-f" ]
then
should_fix=true
group_file=$2
else
should_fix=false
group_file=$1
fi
echo
echo "Checking $group_file ..."
# check duplicate group names
# ($result is expected to hold the duplicate names; its producer is not
# visible in this copy)
if test "$result"
then
echo
echo "Warning! Duplicate group names(s) found in $group_file:"
# "\t" relies on an echo that interprets backslash escapes (as the
# Solaris sh/XPG echo does); bash's builtin echo prints it literally.
echo "\t$result"
fi
# check duplicate group ids
# ($result is expected to hold the duplicate gids; its producer is not
# visible in this copy)
if test "$result"
then
echo
echo "Warning! Duplicate group id(s) found in $group_file:"
echo "\t$result"
fi
# other format checks
# gpchk.awk is located relative to $ASETDIR; both expansions are unquoted,
# so a path containing whitespace would be split into separate words.
$AWK -f ${ASETDIR}/tasks/gpchk.awk $group_file
# check nogroup entry
then
echo
# "\c" suppresses the newline so the next echo continues the same line
echo "Bad entry for group nogroup in $group_file\c"
echo " - has value -2 for gid"
then
# Rewrite the nogroup line when its gid ($3) is -2: the password field
# becomes "*" (conventionally a locked password), the gid becomes 66534
# and the member list is left empty. Every other line is copied through
# unchanged. The result goes to $groupbuf; the step that moves it back
# over $group_file is not visible here. Confirm that $groupbuf lives in
# a directory other users cannot write to: the redirection below follows
# any existing file or symlink at that name.
$AWK -F: '{ \
if ($1=="nogroup" && $3=="-2") { \
printf("%s:*:66534:\n", $1); \
} else { \
print $0; \
} \
}' $group_file > $groupbuf
# tests the status of the copy-back step, which is not visible here
then
echo
echo "Entry repaired."
else
echo
echo "Repair attempted but failed."
fi
fi
fi
# Check ypclient line (+...)
then
# if this is an NIS server, check group file for ypclient line.
then
then
echo
echo "Warning! This machine is an NIS server; it should\c"
echo " not have the client line (+...) in $group_file."
then
# Deletion is only attempted at the "med" and "high" security levels;
# at other levels the client line is reported but left in place.
# (Style note: "test" is used here where do_passwd uses "[ ]".)
if test "${ASETSECLEVEL}" = "med" -o \
"${ASETSECLEVEL}" = "high"
then
# tests the status of the deletion command, which is missing from this
# copy (as written, it directly follows "then" and sees its status)
if test "$?" = "0"
then
echo
echo "Client line(s) deleted."
else
echo
echo "Deletion attempted but failed."
fi
fi
fi
fi
fi
fi
} # end do_group()
########## MAIN ##########
# Top-level flow: skip the task without permission, archive the files
# (skipped when DOWNGRADE is "true"), then check the passwd and shadow
# files and the group file, optionally together with their NIS (yp)
# copies, and finally remove the scratch buffers.
# Globals (read): DOWNGRADE, YPCHECK (treated as "true" when unset),
#   etc_shadow, RM, passwdbuf, yp_passwdbuf, yp_groupbuf -- set elsewhere.
# NOTE(review): this copy is incomplete -- the permission test before the
# first "then", the body of the DOWNGRADE branch, the archive call, the
# do_passwd/do_group calls and the shadow-file check are all missing.
# Confirm against the full source.
then
echo
echo "Permission denied. Task skipped."
# a bare "exit" returns the status of the preceding echo (0), so a caller
# cannot distinguish a skipped task from a completed one
exit
fi
if [ "$DOWNGRADE" = "true" ]
then
# (the downgrade branch body is not visible in this copy)
else
# Archive the password and group file so we can restore if necessary
# (the archive call is not visible here; the test below checks its
# status and gives up rather than modifying files that cannot be restored)
if [ $? -ne 0 ]
then
echo
echo "Cannot archive password and group files. Task skipped."
exit
fi
fi
echo
echo "*** Begin User And Group Checking ***"
# NIS checks run unless YPCHECK is explicitly set to a value other than
# "true"; an unset YPCHECK enables them
if [ "${YPCHECK:-true}" = "true" ]
then
# the NIS passwd copy is only checked when its buffer file is non-empty
# (the call that checks it is not visible in this copy)
if [ -s $yp_passwdbuf ]
then
fi
fi
echo
echo "Checking $etc_shadow ..."
# check passwd shadow file
# (the shadow check itself is not visible in this copy)
# remove the scratch copies; the names are expanded unquoted, so they
# must not contain whitespace or glob characters
$RM -f $passwdbuf
$RM -f $yp_passwdbuf
echo
echo "... end user check."
if [ "${YPCHECK:-true}" = "true" ]
then
# the NIS group copy is only checked when its buffer file is non-empty
# (the call that checks it is not visible in this copy)
if [ -s $yp_groupbuf ]
then
fi
fi
echo
echo "... end group check."
$RM -f $yp_groupbuf
echo
echo "*** End User And Group Checking ***"