diff -r 000000000000 -r 8ba6a0e2d2ca security.d/chk_rootdotfiles
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security.d/chk_rootdotfiles Sat Mar 31 13:32:06 2007 +0200
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+# $Id$
+#
+#############################################################################
+# Copyright (C) 2005
+#
+# Michiel Broek
+# Beekmansbos 10
+# 1971 BV IJmuiden
+# the Netherlands
+#
+# This file is part of SlackSecCheckSripts.
+#
+# This package is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any
+# later version.
+#
+# SlackSecCheckSripts is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with MBSE BBS; see the file COPYING. If not, write to the Free
+# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+#############################################################################
+
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+umask 077
+TZ=UTC; export TZ
+LANG=C; export LANG
+
+SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
+
+trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
+
+if ! cd "$SECUREDIR"; then
+ echo "Can not cd to $SECUREDIR".
+ exit 1
+fi
+
+TMP1=secure1.$$
+OUTPUT=secure2.$$
+
+
+# Check for root paths, umask values in startup files.
+# The check for the root paths is problematical -- it's likely to fail
+# in other environments. Once the shells have been modified to warn
+# of '.' in the path, the path tests should go away.
+#
+rhome=~root
+umaskset=no
+
+if [ -x /bin/tcsh ]; then
+ list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login `/bin/ls /etc/profile.d/*.csh`"
+
+ for i in $list ; do
+ if [ -f $i ] ; then
+ if egrep '^[^#]*(umask)' $i > /dev/null ;
+ then
+ umaskset=yes
+ fi
+ # Double check the umask value itself; ensure that
+ # both the group and other write bits are set.
+ #
+ egrep '^[^#]*(umask)' $i |
+ awk '{
+ if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
+ print "\tRoot umask is group writeable"
+ }
+ if ($2 ~ /[^2367]$/) {
+ print "\tRoot umask is other writeable"
+ }
+ }' | sort -u
+ SAVE_PATH=$PATH
+ unset PATH
+ /bin/csh -f -s << end-of-csh > /dev/null 2>&1
+ source $i
+ /bin/ls -ldgT \$path > $TMP1
+end-of-csh
+ export PATH=$SAVE_PATH
+ if [ -f $TMP1 ]; then
+ awk '{
+ if ($10 ~ /^\.$/) {
+ print "\tThe root path includes .";
+ next;
+ }
+ }
+ $1 ~ /^d....w/ \
+ { print "\tRoot path directory " $10 " is group writeable." } \
+ $1 ~ /^d.......w/ \
+ { print "\tRoot path directory " $10 " is other writeable." }' \
+ < $TMP1
+ fi
+ fi
+ done > $OUTPUT
+
+ if [ $umaskset = "no" -o -s $OUTPUT ] ; then
+ printf "\nChecking root csh paths, umask values:\n$list\n\n"
+ if [ -s $OUTPUT ]; then
+ cat $OUTPUT
+ fi
+ if [ $umaskset = "no" ] ; then
+ printf "\tRoot csh startup files do not set the umask.\n"
+ fi
+ fi
+fi
+
+umaskset=no
+list="/etc/profile ${rhome}/.profile `/bin/ls /etc/profile.d/*.sh`"
+for i in $list; do
+ if [ -f $i ] ; then
+ if egrep '^[^#]*(umask)' $i > /dev/null ; then
+ umaskset=yes
+ fi
+ egrep '^[^#]*(umask)' $i |
+ awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
+ { print "\tRoot umask is group writeable" } \
+ $2 ~ /[^2367]$/ \
+ { print "\tRoot umask is other writeable" }'
+ SAVE_PATH=$PATH
+ unset PATH
+ /bin/sh << end-of-sh > /dev/null 2>&1
+ . $i
+ list=\`echo \$PATH | /usr/bin/sed -e \
+ 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
+ /bin/ls -ldgT \$list > $TMP1
+end-of-sh
+ export PATH=$SAVE_PATH
+ awk '{
+ if ($10 ~ /^\.$/) {
+ print "\tThe root path includes .";
+ next;
+ }
+ }
+ $1 ~ /^d....w/ \
+ { print "\tRoot path directory " $10 " is group writeable." } \
+ $1 ~ /^d.......w/ \
+ { print "\tRoot path directory " $10 " is other writeable." }' \
+ < $TMP1
+ fi
+done > $OUTPUT
+
+if [ $umaskset = "no" -o -s $OUTPUT ] ; then
+ printf "\nChecking root sh paths, umask values:\n$list\n"
+ if [ -s $OUTPUT ]; then
+ cat $OUTPUT
+ fi
+ if [ $umaskset = "no" ] ; then
+ printf "\tRoot sh startup files do not set the umask.\n"
+ fi
+fi
+
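Review bot: The root-PATH directory test in both the csh block (`/bin/ls -ldgT \$path > $TMP1`) and the sh block (`/bin/ls -ldgT \$list > $TMP1`) is keyed to BSD ls output, where `-T` prints the full timestamp and the directory name is field `$10`; with GNU coreutils ls, which the SlackSecCheckSripts name suggests is the target, `-T` requires a tab-size argument and `-g` drops the owner column, so the command either fails or shifts the fields the two awk programs read. Because each heredoc shell runs with `> /dev/null 2>&1`, that failure is silent and a group- or world-writable directory on root's PATH would never be reported. A small portable change is to run plain `ls -ld` and take the name with `$NF` in both awk programs (PATH entries containing spaces aside), or to test each directory directly with `find "$d" -maxdepth 0 -perm -g+w` / `-perm -o+w`. Separately, the csh umask filter uses `$2 ~! /[^2367].$/`, which awk parses as `$2 ~ (!/…/)` rather than the intended group-digit test; it should read `$2 ~ /[^2367].$/`, the form the sh block already uses. The EXIT trap also ends in `exit 0`, so the `exit 1` after a failed `cd "$SECUREDIR"` still leaves the script with status 0 for any caller that checks it.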