security.d/chk_rootdotfiles

changeset 0
8ba6a0e2d2ca
child 14
59e07bba67cc
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security.d/chk_rootdotfiles	Sat Mar 31 13:32:06 2007 +0200
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+# $Id$
+#
+#############################################################################
+# Copyright (C) 2005
+#   
+# Michiel Broek               <mbse@mbse.dds.nl>
+# Beekmansbos 10
+# 1971 BV IJmuiden
+# the Netherlands
+#
+# This file is part of SlackSecCheckSripts.
+#
+# This package is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any
+# later version.
+#
+# SlackSecCheckSripts is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with MBSE BBS; see the file COPYING.  If not, write to the Free
+# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+#############################################################################
+
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+umask 077
+TZ=UTC; export TZ
+LANG=C; export LANG
+
+SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
+
+trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
+
+if ! cd "$SECUREDIR"; then
+    echo "Can not cd to $SECUREDIR".
+    exit 1
+fi
+
+TMP1=secure1.$$
+OUTPUT=secure2.$$
+
+
+# Check for root paths, umask values in startup files.
+# The check for the root paths is problematical -- it's likely to fail
+# in other environments.  Once the shells have been modified to warn
+# of '.' in the path, the path tests should go away.
+#
+rhome=~root
+umaskset=no
+
+if [ -x /bin/tcsh ]; then
+    list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login `/bin/ls /etc/profile.d/*.csh`"
+
+    for i in $list ; do
+	if [ -f $i ] ; then
+	    if egrep '^[^#]*(umask)' $i > /dev/null ;
+	    then
+		umaskset=yes
+	    fi
+	    # Double check the umask value itself; ensure that
+	    # both the group and other write bits are set.
+	    #
+	    egrep '^[^#]*(umask)' $i |
+		awk '{
+		    if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
+			print "\tRoot umask is group writeable"
+		    }
+		    if ($2 ~ /[^2367]$/) {
+			print "\tRoot umask is other writeable"
+		    }
+		}' | sort -u
+	    SAVE_PATH=$PATH
+	    unset PATH
+	    /bin/csh -f -s << end-of-csh > /dev/null 2>&1
+	    source $i
+	    /bin/ls -ldgT \$path > $TMP1
+end-of-csh
+	    export PATH=$SAVE_PATH
+	    if [ -f $TMP1 ]; then
+		awk '{
+		    if ($10 ~ /^\.$/) {
+			print "\tThe root path includes .";
+			next;
+		    }
+		}
+		$1 ~ /^d....w/ \
+		    { print "\tRoot path directory " $10 " is group writeable." } \
+		$1 ~ /^d.......w/ \
+		    { print "\tRoot path directory " $10 " is other writeable." }' \
+		< $TMP1
+	    fi
+	fi
+    done > $OUTPUT
+
+    if [ $umaskset = "no" -o -s $OUTPUT ] ; then
+	printf "\nChecking root csh paths, umask values:\n$list\n\n"
+	if [ -s $OUTPUT ]; then
+	    cat $OUTPUT
+	fi
+	if [ $umaskset = "no" ] ; then
+	    printf "\tRoot csh startup files do not set the umask.\n"
+	fi
+    fi
+fi
+
+umaskset=no
+list="/etc/profile ${rhome}/.profile `/bin/ls /etc/profile.d/*.sh`"
+for i in $list; do
+    if [ -f $i ] ; then
+	if egrep '^[^#]*(umask)' $i > /dev/null ; then
+	    umaskset=yes
+	fi
+	egrep '^[^#]*(umask)' $i |
+	    awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
+		{ print "\tRoot umask is group writeable" } \
+		$2 ~ /[^2367]$/ \
+		{ print "\tRoot umask is other writeable" }'
+	SAVE_PATH=$PATH
+	unset PATH
+	/bin/sh << end-of-sh > /dev/null 2>&1
+	. $i
+	list=\`echo \$PATH | /usr/bin/sed -e \
+	's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
+	/bin/ls -ldgT \$list > $TMP1
+end-of-sh
+	export PATH=$SAVE_PATH
+	awk '{
+	    if ($10 ~ /^\.$/) {
+		print "\tThe root path includes .";
+		next;
+	    }
+	}
+	$1 ~ /^d....w/ \
+	    { print "\tRoot path directory " $10 " is group writeable." } \
+	$1 ~ /^d.......w/ \
+	    { print "\tRoot path directory " $10 " is other writeable." }' \
+	< $TMP1
+    fi
+done > $OUTPUT
+
+if [ $umaskset = "no" -o -s $OUTPUT ] ; then
+    printf "\nChecking root sh paths, umask values:\n$list\n"
+    if [ -s $OUTPUT ]; then
+	cat $OUTPUT
+    fi
+    if [ $umaskset = "no" ] ; then
+	printf "\tRoot sh startup files do not set the umask.\n"
+    fi
+fi
+

mercurial