comparison: security.d/chk_rootdotfiles
security.d/chk_rootdotfiles
- changeset 0
- 8ba6a0e2d2ca
- child 14
- 59e07bba67cc
equal
deleted
inserted
replaced
| -1:000000000000 | 0:8ba6a0e2d2ca |
|---|---|
| 1 #!/bin/bash | |
| 2 # | |
| 3 # $Id$ | |
| 4 # | |
| 5 ############################################################################# | |
| 6 # Copyright (C) 2005 | |
| 7 # | |
| 8 # Michiel Broek <mbse@mbse.dds.nl> | |
| 9 # Beekmansbos 10 | |
| 10 # 1971 BV IJmuiden | |
| 11 # the Netherlands | |
| 12 # | |
| 13 # This file is part of SlackSecCheckSripts. | |
| 14 # | |
| 15 # This package is free software; you can redistribute it and/or modify it | |
| 16 # under the terms of the GNU General Public License as published by the | |
| 17 # Free Software Foundation; either version 2, or (at your option) any | |
| 18 # later version. | |
| 19 # | |
| 20 # SlackSecCheckSripts is distributed in the hope that it will be useful, but | |
| 21 # WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 22 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 23 # General Public License for more details. | |
| 24 # | |
| 25 # You should have received a copy of the GNU General Public License | |
| 26 # along with MBSE BBS; see the file COPYING. If not, write to the Free | |
| 27 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
| 28 ############################################################################# | |
| 29 | |
| 30 | |
| 31 PATH=/sbin:/usr/sbin:/bin:/usr/bin | |
| 32 | |
| 33 umask 077 | |
| 34 TZ=UTC; export TZ | |
| 35 LANG=C; export LANG | |
| 36 | |
| 37 SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 | |
| 38 | |
| 39 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE | |
| 40 | |
| 41 if ! cd "$SECUREDIR"; then | |
| 42 echo "Can not cd to $SECUREDIR". | |
| 43 exit 1 | |
| 44 fi | |
| 45 | |
| 46 TMP1=secure1.$$ | |
| 47 OUTPUT=secure2.$$ | |
| 48 | |
| 49 | |
| 50 # Check for root paths, umask values in startup files. | |
| 51 # The check for the root paths is problematical -- it's likely to fail | |
| 52 # in other environments. Once the shells have been modified to warn | |
| 53 # of '.' in the path, the path tests should go away. | |
| 54 # | |
| 55 rhome=~root | |
| 56 umaskset=no | |
| 57 | |
| 58 if [ -x /bin/tcsh ]; then | |
| 59 list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login `/bin/ls /etc/profile.d/*.csh`" | |
| 60 | |
| 61 for i in $list ; do | |
| 62 if [ -f $i ] ; then | |
| 63 if egrep '^[^#]*(umask)' $i > /dev/null ; | |
| 64 then | |
| 65 umaskset=yes | |
| 66 fi | |
| 67 # Double check the umask value itself; ensure that | |
| 68 # both the group and other write bits are set. | |
| 69 # | |
| 70 egrep '^[^#]*(umask)' $i | | |
| 71 awk '{ | |
| 72 if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) { | |
| 73 print "\tRoot umask is group writeable" | |
| 74 } | |
| 75 if ($2 ~ /[^2367]$/) { | |
| 76 print "\tRoot umask is other writeable" | |
| 77 } | |
| 78 }' | sort -u | |
| 79 SAVE_PATH=$PATH | |
| 80 unset PATH | |
| 81 /bin/csh -f -s << end-of-csh > /dev/null 2>&1 | |
| 82 source $i | |
| 83 /bin/ls -ldgT \$path > $TMP1 | |
| 84 end-of-csh | |
| 85 export PATH=$SAVE_PATH | |
| 86 if [ -f $TMP1 ]; then | |
| 87 awk '{ | |
| 88 if ($10 ~ /^\.$/) { | |
| 89 print "\tThe root path includes ."; | |
| 90 next; | |
| 91 } | |
| 92 } | |
| 93 $1 ~ /^d....w/ \ | |
| 94 { print "\tRoot path directory " $10 " is group writeable." } \ | |
| 95 $1 ~ /^d.......w/ \ | |
| 96 { print "\tRoot path directory " $10 " is other writeable." }' \ | |
| 97 < $TMP1 | |
| 98 fi | |
| 99 fi | |
| 100 done > $OUTPUT | |
| 101 | |
| 102 if [ $umaskset = "no" -o -s $OUTPUT ] ; then | |
| 103 printf "\nChecking root csh paths, umask values:\n$list\n\n" | |
| 104 if [ -s $OUTPUT ]; then | |
| 105 cat $OUTPUT | |
| 106 fi | |
| 107 if [ $umaskset = "no" ] ; then | |
| 108 printf "\tRoot csh startup files do not set the umask.\n" | |
| 109 fi | |
| 110 fi | |
| 111 fi | |
| 112 | |
| 113 umaskset=no | |
| 114 list="/etc/profile ${rhome}/.profile `/bin/ls /etc/profile.d/*.sh`" | |
| 115 for i in $list; do | |
| 116 if [ -f $i ] ; then | |
| 117 if egrep '^[^#]*(umask)' $i > /dev/null ; then | |
| 118 umaskset=yes | |
| 119 fi | |
| 120 egrep '^[^#]*(umask)' $i | | |
| 121 awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \ | |
| 122 { print "\tRoot umask is group writeable" } \ | |
| 123 $2 ~ /[^2367]$/ \ | |
| 124 { print "\tRoot umask is other writeable" }' | |
| 125 SAVE_PATH=$PATH | |
| 126 unset PATH | |
| 127 /bin/sh << end-of-sh > /dev/null 2>&1 | |
| 128 . $i | |
| 129 list=\`echo \$PATH | /usr/bin/sed -e \ | |
| 130 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` | |
| 131 /bin/ls -ldgT \$list > $TMP1 | |
| 132 end-of-sh | |
| 133 export PATH=$SAVE_PATH | |
| 134 awk '{ | |
| 135 if ($10 ~ /^\.$/) { | |
| 136 print "\tThe root path includes ."; | |
| 137 next; | |
| 138 } | |
| 139 } | |
| 140 $1 ~ /^d....w/ \ | |
| 141 { print "\tRoot path directory " $10 " is group writeable." } \ | |
| 142 $1 ~ /^d.......w/ \ | |
| 143 { print "\tRoot path directory " $10 " is other writeable." }' \ | |
| 144 < $TMP1 | |
| 145 fi | |
| 146 done > $OUTPUT | |
| 147 | |
| 148 if [ $umaskset = "no" -o -s $OUTPUT ] ; then | |
| 149 printf "\nChecking root sh paths, umask values:\n$list\n" | |
| 150 if [ -s $OUTPUT ]; then | |
| 151 cat $OUTPUT | |
| 152 fi | |
| 153 if [ $umaskset = "no" ] ; then | |
| 154 printf "\tRoot sh startup files do not set the umask.\n" | |
| 155 fi | |
| 156 fi | |
| 157 |
