security.d/chk_rootdotfiles@2c0dacb26b14
security.d/chk_rootdotfiles
Mon, 20 Jan 2014 12:48:38 +0100
- author
- Michiel Broek <mbroek@mbse.eu>
- date
- Mon, 20 Jan 2014 12:48:38 +0100
- changeset 19
- 2c0dacb26b14
- parent 17
- 65656789da08
- permissions
- -rw-r--r--
Fixed error message when there was nothing to report.
#!/bin/bash # ############################################################################# # Copyright (C) 2005-2013 # # Michiel Broek <mbse at mbse.eu> # # This file is part of SlackSecCheckScripts. # # This package is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2, or (at your option) any # later version. # # SlackSecCheckScripts is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with MBSE BBS; see the file COPYING. If not, write to the Free # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. ############################################################################# PATH=/sbin:/usr/sbin:/bin:/usr/bin umask 077 TZ=UTC; export TZ LANG=C; export LANG SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE if ! cd "$SECUREDIR"; then echo "Can not cd to $SECUREDIR". exit 1 fi TMP1=secure1.$$ OUTPUT=secure2.$$ # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. # rhome=~root umaskset=no if [ -x /bin/tcsh ]; then list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login `/bin/ls /etc/profile.d/*.csh`" for i in $list ; do if [ -f $i ] ; then if egrep '^[^#]*(umask)' $i > /dev/null ; then umaskset=yes fi # Double check the umask value itself; ensure that # both the group and other write bits are set. # egrep '^[^#]*(umask)' $i | awk '{ if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) { print "\tRoot umask is group writeable" } if ($2 ~ /[^2367]$/) { print "\tRoot umask is other writeable" } }' | sort -u SAVE_PATH=$PATH unset PATH /bin/csh -f -s << end-of-csh > /dev/null 2>&1 source $i /bin/ls -ldgT \$path > $TMP1 end-of-csh export PATH=$SAVE_PATH if [ -f $TMP1 ]; then awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writeable." }' \ < $TMP1 fi fi done > $OUTPUT if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\tRoot csh startup files do not set the umask.\n" fi fi fi umaskset=no list="/etc/profile ${rhome}/.profile `/bin/ls /etc/profile.d/*.sh`" for i in $list; do if [ -f $i ] ; then if egrep '^[^#]*(umask)' $i > /dev/null ; then umaskset=yes fi egrep '^[^#]*(umask)' $i | awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \ { print "\tRoot umask is group writeable" } \ $2 ~ /[^2367]$/ \ { print "\tRoot umask is other writeable" }' SAVE_PATH=$PATH unset PATH /bin/sh << end-of-sh > /dev/null 2>&1 . $i list=\`echo \$PATH | /usr/bin/sed -e \ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 end-of-sh export PATH=$SAVE_PATH awk '{ if ($10 ~ /^\.$/) { print "\tThe root path includes ."; next; } } $1 ~ /^d....w/ \ { print "\tRoot path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "\tRoot path directory " $10 " is other writeable." }' \ < $TMP1 fi done > $OUTPUT if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\tRoot sh startup files do not set the umask.\n" fi fi
