#!/bin/sh - # # Description: FreeBSD comes with the following script that is run # weekly as part of its periodic weekly security scripts. # However, their version of the script does NOT ignore # .zfs/snapshot directories. On a system with limited # resources, this can lead to a "kmem_map too small" # kernel panic when this script runs. Somehow, ZFS # kernel memory usage explodes when performing recursive # find operations on .zfs snapshot locations. This # is the modified version of that script, which excludes # searching in .zfs snapshot directories. # Usage: Replace the FreeBSD version of the script with this one: # /etc/periodic/security/100.chksetuid # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.8.14.1 2008/01/29 00:22:33 dougb Exp $ # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions rc=0 case "$daily_status_security_chksetuid_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking setuid files and devices:' # XXX Note that there is the possibility of overrunning the args to ls MP=`mount -t ufs,zfs | egrep -v " no(suid|exec)" | awk '{ print $3 }' | sort` if [ -n "${MP}" ] then set ${MP} while [ $# -ge 1 ]; do mount=$1 shift dotzfs=`echo "$mount" | grep "\.zfs"` [ -n "$dotzfs" ] && continue; find $mount -xdev -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -print0 done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 | check_diff setuid - "${host} setuid diffs:" rc=$? fi;; *) rc=0;; esac exit $rc