![[BACK]](/icons/back.gif){kind=icon}
Return to daily CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc|
Return to daily CVS log | Up to [local] / src / etc |
| File: [local] / src / etc / daily (download)
Revision 1.88, Fri Apr 29 13:05:33 2016 UTC (8 years, 1 month ago) by schwarze
Delete invocation of mailq(1) that was present for historical reasons. On a real mailserver, it's too noisy and may be a privacy concern. On a machine that's not a mailserver, it's pointless. Besides, Theo points out that running subsystems that potentially parse untrusted user data daily, at a predictable time, as root is not a very good idea in the first place. Suggested by millert@; gilles@ matthieu@ deraadt@ sthen@ agree |
#
# $OpenBSD: daily,v 1.88 2016/04/29 13:05:33 schwarze Exp $
# From: @(#)daily 8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
# To get section headers, use the function next_part in daily.local.
#
umask 022
PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out
install -o 0 -g 0 -m 600 /dev/null $PARTOUT
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
start_part() {
TITLE=$1
exec > $PARTOUT 2>&1
}
end_part() {
exec >> $MAINOUT 2>&1
test -s $PARTOUT || return
echo ""
echo "$TITLE"
cat $PARTOUT
}
next_part() {
end_part
start_part "$1"
}
run_script() {
f=/etc/$1
test -e $f || return
if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
echo "$f has insecure permissions, skipping:"
ls -l $f
return
fi
. $f
}
start_part "Running daily.local:"
run_script "daily.local"
next_part "Removing scratch and junk files:"
if [ -d /tmp -a ! -L /tmp ]; then
cd /tmp && {
find -x . \
\( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
-o -path './tmux-*' \) \
-prune -o -type f -atime +7 -execdir rm -f -- {} \; 2>/dev/null
find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
! -path ./.ICE-unix ! -name . \
-execdir rmdir -- {} \; >/dev/null 2>&1; }
fi
# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
# cd /scratch && {
# find . ! -name . -atime +1 -execdir rm -f -- {} \;
# find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
# >/dev/null 2>&1; }
#fi
next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
mv -f /var/account/acct.2 /var/account/acct.3
mv -f /var/account/acct.1 /var/account/acct.2
mv -f /var/account/acct.0 /var/account/acct.1
cp -f /var/account/acct /var/account/acct.0
sa -sq
fi
# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs and mounted "xx",
# use it as a backup root filesystem to be updated daily.
next_part "Backing up root filesystem:"
while [ "X$ROOTBACKUP" = X1 ]; do
rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
$4 ~ /xx/ { print $1 }' < /etc/fstab`
if [ -z "$rootbak" ]; then
echo "No xx ffs /altroot device found in the fstab(5)."
break
fi
rootbak=${rootbak#/dev/}
bakdisk=${rootbak%%?(.)[a-p]}
sysctl -n hw.disknames | grep -Fqw $bakdisk || break
bakpart=${rootbak##$bakdisk?(.)}
OLDIFS=$IFS
IFS=,
for d in `sysctl -n hw.disknames`; do
# If the provided disk name is a duid, substitute the device.
if [ X$bakdisk = X${d#*:} ]; then
bakdisk=${d%:*}
rootbak=$bakdisk$bakpart
fi
done
IFS=$OLDIFS
baksize=`disklabel $bakdisk 2>/dev/null | \
awk -v "part=$bakpart:" '$1 == part { print $2 }'`
rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
{ print substr($1, 6) }'`
if [ -z "$rootdev" ]; then
echo "The root filesystem is not local or not ffs."
break
fi
if [ X$rootdev = X$rootbak ]; then
echo "The device $rootdev holds both root and /altroot."
break
fi
rootdisk=${rootdev%[a-p]}
rootpart=${rootdev#$rootdisk}
rootsize=`disklabel $rootdisk 2>/dev/null | \
awk -v "part=$rootpart:" '$1 == part { print $2 }'`
if [ $rootsize -gt $baksize ]; then
echo "Root ($rootsize) is larger than /altroot ($baksize)."
break
fi
next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
sync
dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
conv=noerror
fsck -y /dev/r$rootbak
break
done
next_part "Services that should be running but aren't:"
rcctl ls failed
next_part "Checking subsystem status:"
if [ "X$VERBOSESTATUS" != X0 ]; then
echo ""
echo "disks:"
df -ikl
echo ""
dump W
else
dump w | grep -vB1 ^Dump
fi
next_part "network:"
if [ "X$VERBOSESTATUS" != X0 ]; then
netstat -ivn
fi
next_part "Running calendar in the background:"
if [ "X$CALENDAR" != X0 -a \
\( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then
calendar -a &
fi
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.
next_part "Checking filesystems:"
[ "X$CHECKFILESYSTEMS" = X1 ] && {
fsck -n | grep -v '^\*\* Phase'
}
next_part "Running rdist:"
if [ -f /etc/Distfile ]; then
if [ -d /var/log/rdist ]; then
rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F`
else
rdist -f /etc/Distfile
fi
fi
end_part
[ -s $MAINOUT ] && {
sysctl -n kern.version
uptime
cat $MAINOUT
} 2>&1 | mail -s "`hostname` daily output" root
MAINOUT=/var/log/security.out
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
start_part "Running security(8):"
export SUIDSKIP
/usr/libexec/security
end_part
rm -f $PARTOUT
[ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT