From 9fea9e12a68ec04c537c24625c8dcc20c15b0d87 Mon Sep 17 00:00:00 2001 From: "Alan J. Pippin" Date: Sun, 20 Apr 2008 08:10:27 -0600 Subject: [PATCH] Added new script modified from the FreeBSD release to avoid kernel panics. --- 100.chksetuid | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100755 100.chksetuid diff --git a/100.chksetuid b/100.chksetuid new file mode 100755 index 0000000..06151cf --- /dev/null +++ b/100.chksetuid @@ -0,0 +1,77 @@ +#!/bin/sh - +# +# Description: FreeBSD comes with the following script that is run +# weekly as part of its periodic weekly security scripts. +# However, their version of the script does NOT ignore +# .zfs/snapshot directories. On a system with limited +# resources, this can lead to a "kmem_map too small" +# kernel panic when this script runs. Somehow, ZFS +# kernel memory usage explodes when performing recursive +# find operations on .zfs snapshot locations. This +# is the modified version of that script, which excludes +# searching in .zfs snapshot directories. +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.8.14.1 2008/01/29 00:22:33 dougb Exp $ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +case "$daily_status_security_chksetuid_enable" in + [Yy][Ee][Ss]) + echo "" + echo 'Checking setuid files and devices:' + # XXX Note that there is the possibility of overrunning the args to ls + MP=`mount -t ufs,zfs | egrep -v " no(suid|exec)" | awk '{ print $3 }' | sort` + if [ -n "${MP}" ] + then + set ${MP} + while [ $# -ge 1 ]; do + mount=$1 + shift + dotzfs=`echo "$mount" | grep "\.zfs"` + [ -n "$dotzfs" ] && continue; + find $mount -xdev -type f \ + \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ + \( -perm -u+s -or -perm -g+s \) -print0 + done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 | + check_diff setuid - "${host} setuid diffs:" + rc=$? + fi;; + *) rc=0;; +esac + +exit $rc -- 2.34.1