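#!/usr/bin/env perl
#
# Percy - Personal account security check
#
# This script walks the password database and, for each account, reports
# findings about the account itself (empty password, non-root UID 0,
# missing home directory) and about the dangerous dot-files in its home
# directory (.netrc, .rhosts, .shosts).  Only accounts with at least one
# finding are printed.
#
# Eric Myers 02 November 1999
# Department of Physics, University of Michigan, Ann Arbor, MI USA
# @(#) $Id: Percy,v 1.4 2004/04/03 15:41:54 myers Exp myers $
########################################################################

use strict;
use warnings;

# Limit PATH for safety.  PATH entries are colon-separated; the original
# space-separated value was not a valid search path, so it did not
# actually limit anything.
$ENV{"PATH"} = "/usr/local/adm:/usr/local/bin:/bin:/usr/bin:/usr/etc";

# Permission bits to report on for each dot-file, paired with the report
# line for that bit.  Numbering follows the report format: 4.x is .netrc
# (a readable .netrc leaks credentials, so read bits are reported too),
# 5.x is .rhosts (only write bits matter: anyone who can write it can
# grant themselves trusted-host access).
my @NETRC_CHECKS = (
    [ 0040, " 4.1) .netrc is group readable.\n"  ],
    [ 0020, " 4.2) .netrc is group writeable.\n" ],
    [ 0004, " 4.3) .netrc is world readable!\n"  ],
    [ 0002, " 4.4) .netrc is world writeable!\n" ],
);
my @RHOSTS_CHECKS = (
    [ 0020, " 5.2) .rhosts is group writeable.\n" ],
    [ 0002, " 5.3) .rhosts is world writeable!\n" ],
);

##
# Loop over users in /etc/passwd.  getpwent() returns an empty list at
# the end of the database, which makes the list assignment 0 in scalar
# context and ends the loop.
while ( my ($name, $passwd, $uid, $gid, $quota, $comment, $gcos,
            $homedir, $shell, $expire) = getpwent() ) {
    Debug("$name is UID $uid \twith home directory $homedir\n");

    my $Message = "";

    # NOTE(review): on systems using shadow passwords getpwent() normally
    # returns a placeholder here rather than the hash, so this only fires
    # when the password field in the password file itself is empty.
    if ( $passwd eq "" ) {
        $Message .= " 1.0) No password for this user!\n";
    }

    # Locked accounts are skipped entirely: nothing further is checked or
    # reported for them.  Only "*" is treated as the locked marker; other
    # conventions (e.g. a leading "!") are not recognised here.
    next if $passwd eq "*";

    if ( $uid == 0 && $name ne "root" ) {
        $Message .= " 2.0) Non-'root' user with UID 0!\n";
    }

    ##
    # home directory
    if ( ! -d $homedir ) {
        $Message .= " 3.0) Home directory $homedir does not exist.\n";
    }

    ##
    # .netrc file
    my $filename = "$homedir/.netrc";
    if ( -e $filename ) {
        $Message .= " 4.0) .netrc file exists.\n";
        # Take only the mode from the stat buffer left by -e.  Unpacking
        # the whole stat() list into ($dev,...,$uid,$gid,...) as the
        # original did silently overwrote the *account's* $uid/$gid with
        # the file owner's, which then appeared in the report header.
        my $mode = (stat _)[2];
        if ( -f $filename ) {
            $Message .= _perm_findings($mode, \@NETRC_CHECKS);
        }
        else {
            $Message .= " 4.9) .netrc is not a regular file.\n";
        }
    }

    ##
    # .rhosts file
    # NOTE(review): -e follows symlinks, so a dangling .rhosts symlink is
    # not reported at all; only a symlink to an existing target reaches 5.1.
    $filename = "$homedir/.rhosts";
    if ( -e $filename ) {
        my $mode = (stat _)[2];   # mode of the link target, see above
        if ( -l $filename ) {
            $Message .= " 5.1) .rhosts is a symbolic link!\n";
        }
        if ( -f $filename ) {
            $Message .= _perm_findings($mode, \@RHOSTS_CHECKS);
        }
        else {
            $Message .= " 5.9) .rhosts is not a regular file.\n";
        }
    }

    ##
    # .shosts file
    $filename = "$homedir/.shosts";
    if ( -e $filename ) {
        $Message .= " 6.0) .shosts file exists.\n";
    }

    ##
    # .ssh directory and contents
    ##
    # .pgp directory and contents
    # (neither is checked in this version)

    #####################################
    # Output report for anything of note for this user
    if ( $Message ) {
        print "$name ($gcos)\n UID:$uid GID:$gid home:$homedir shell:$shell\n";
        print "$Message\n";
    }
}

# Return the concatenated report lines for every entry of @$checks whose
# permission bit is set in $mode.
#   $mode   - the st_mode value from stat()
#   $checks - array ref of [ $bit, $message ] pairs, reported in order
# Returns "" when no bit is set or @$checks is empty.
sub _perm_findings {
    my ($mode, $checks) = @_;
    return join '', map { ($mode & $_->[0]) ? $_->[1] : () } @$checks;
}

##################
# Debug messages.  They go to the DEBUG filehandle, which nothing in this
# file opens; the fileno() guard drops the message instead of emitting a
# "print() on unopened filehandle" warning for every account.
#   $msg - text to write, prefixed with "% "
sub Debug {
    my ($msg) = @_;
    print DEBUG "% $msg\n" if defined fileno(DEBUG);
    return;
}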