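#!/bin/bash
#
# $Id$
#
#############################################################################
# Copyright (C) 2005
#
# Michiel Broek <mbse@mbse.dds.nl>
# Beekmansbos 10
# 1971 BV IJmuiden
# the Netherlands
#
# This file is part of SlackSecCheckSripts.
#
# This package is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# SlackSecCheckSripts is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MBSE BBS; see the file COPYING. If not, write to the Free
# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
#############################################################################
#
# Checks root's csh and sh startup files for:
#   - no umask being set at all,
#   - a umask that leaves the group or other write bit clear,
#   - '.' or group/other writeable directories in the PATH those files set.
# Findings go to stdout; nothing is printed when a shell family is clean.
# Reading root's home directory normally requires running as root.

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

umask 077
TZ=UTC; export TZ
LANG=C; export LANG

SECUREDIR=$(mktemp -d /tmp/_securedir.XXXXXX) || exit 1

#######################################
# Remove the scratch directory on every exit path, keeping the script's
# own exit status (an unconditional "exit 0" here would hide the
# "cannot cd" failure below from a caller such as cron).
# /bin/rm is spelled out because PATH may be unset when a signal arrives.
#######################################
cleanup() {
  local rc=$?
  /bin/rm -rf -- "${SECUREDIR:?}"
  exit "$rc"
}
trap cleanup EXIT INT QUIT PIPE

if ! cd "$SECUREDIR"; then
  printf 'Can not cd to %s.\n' "$SECUREDIR" >&2
  exit 1
fi

# Scratch files live inside the private 0700 scratch directory.
TMP1=$SECUREDIR/secure1.$$
OUTPUT=$SECUREDIR/secure2.$$

#######################################
# Report umask values that leave the group or other write bit clear.
# Input:   stdin, the non-comment 'umask' lines of one startup file; the
#          value is taken from the second field ("umask 022").
#          A digit keeps the write bit cleared only if it is 2, 3, 6 or 7.
# Outputs: one warning per problem, de-duplicated, to stdout
#######################################
check_umask_lines() {
  awk '{
    if ($2 ~ /^.$/ || $2 ~ /[^2367].$/) {
      print "\tRoot umask is group writeable"
    }
    if ($2 ~ /[^2367]$/) {
      print "\tRoot umask is other writeable"
    }
  }' | sort -u
}

#######################################
# Report '.' and group/other writeable directories of a PATH.
# Arguments: $1 - file holding one PATH component per line
# Outputs:   one warning per problem to stdout
#######################################
check_path_dirs() {
  local listfile=$1
  local dir perm
  [[ -s "$listfile" ]] || return 0
  while IFS= read -r dir || [[ -n "$dir" ]]; do
    [[ -n "$dir" ]] || continue
    if [[ "$dir" == . ]]; then
      printf '\tThe root path includes .\n'
      continue
    fi
    # Only the mode string of 'ls -ld' is used; the name column index
    # varies between ls implementations and options, so it is not parsed.
    # Entries that ls cannot stat are skipped, as are non-directories.
    perm=$(/bin/ls -ld -- "$dir" 2>/dev/null) || continue
    perm=${perm%% *}
    if [[ "$perm" == d????w* ]]; then
      printf '\tRoot path directory %s is group writeable.\n' "$dir"
    fi
    if [[ "$perm" == d???????w* ]]; then
      printf '\tRoot path directory %s is other writeable.\n' "$dir"
    fi
  done < "$listfile"
}

#######################################
# Source one startup file in its own shell and write the PATH it leaves
# behind, one component per line, to a file.  PATH is unset beforehand so
# that only what the startup file itself sets is observed.
# Arguments: $1 - "csh" or "sh"
#            $2 - startup file
#            $3 - output file (removed first, so a failed source leaves
#                 nothing behind rather than the previous file's result)
#######################################
dump_root_path() {
  local shell=$1 file=$2 out=$3
  local save_path=$PATH
  rm -f -- "$out"
  unset PATH
  case "$shell" in
    csh)
      CHK_FILE=$file CHK_OUT=$out /bin/csh -f -s <<'end-of-csh' > /dev/null 2>&1
source "$CHK_FILE"
/usr/bin/printf '%s\n' $path:q > "$CHK_OUT"
end-of-csh
      ;;
    sh)
      # Empty components mean the current directory; make them an explicit '.'.
      CHK_FILE=$file CHK_OUT=$out /bin/sh <<'end-of-sh' > /dev/null 2>&1
. "$CHK_FILE"
printf '%s\n' "$PATH" | /usr/bin/sed -e 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/::/:.:/g' | /usr/bin/tr ':' '\n' > "$CHK_OUT"
end-of-sh
      ;;
  esac
  PATH=$save_path
  export PATH
}

#######################################
# Scan root's startup files of one shell family.
# Globals:   umaskset (written: "yes" when any file sets a umask)
#            TMP1 (scratch), OUTPUT (written with the problem lines)
# Arguments: $1 - "csh" or "sh"
#            $@ - startup files; missing ones are skipped
#######################################
scan_startup_files() {
  local shell=$1; shift
  local file umask_lines
  umaskset=no
  for file in "$@"; do
    [[ -f "$file" ]] || continue
    umask_lines=$(grep -E -e '^[^#]*(umask)' -- "$file")
    if [[ -n "$umask_lines" ]]; then
      umaskset=yes
      check_umask_lines <<<"$umask_lines"
    fi
    dump_root_path "$shell" "$file" "$TMP1"
    check_path_dirs "$TMP1"
  done > "$OUTPUT"
}

#######################################
# Print the findings of one shell family, if there are any.
# Globals:   umaskset, OUTPUT (read)
# Arguments: $1 - family label ("csh" or "sh")
#            $@ - files that were scanned, listed in the report header
#######################################
report() {
  local label=$1; shift
  if [[ "$umaskset" == no || -s "$OUTPUT" ]]; then
    printf '\nChecking root %s paths, umask values:\n' "$label"
    printf '%s\n' "$@"
    if [[ -s "$OUTPUT" ]]; then
      cat -- "$OUTPUT"
    fi
    if [[ "$umaskset" == no ]]; then
      printf '\tRoot %s startup files do not set the umask.\n' "$label"
    fi
  fi
}

# Check for root paths, umask values in startup files.
# The check for the root paths is problematical -- it's likely to fail
# in other environments.  Once the shells have been modified to warn
# of '.' in the path, the path tests should go away.
#
main() {
  local rhome
  rhome=~root
  # Unmatched /etc/profile.d globs must vanish rather than stay literal.
  shopt -s nullglob

  # Slackware's /bin/csh is tcsh; the test mirrors the original script.
  if [[ -x /bin/tcsh ]]; then
    local -a csh_files=(/etc/csh.cshrc /etc/csh.login "${rhome}/.cshrc" \
      "${rhome}/.login" /etc/profile.d/*.csh)
    scan_startup_files csh "${csh_files[@]}"
    report csh "${csh_files[@]}"
  fi

  local -a sh_files=(/etc/profile "${rhome}/.profile" /etc/profile.d/*.sh)
  scan_startup_files sh "${sh_files[@]}"
  report sh "${sh_files[@]}"
}

main "$@"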