diff -r 000000000000 -r fe3130d22800 security.d/chk_homedirs --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security.d/chk_homedirs Wed Jan 14 21:12:35 2009 +0100 @@ -0,0 +1,114 @@ +#!/bin/bash +# +# $Id$ +# +############################################################################# +# Copyright (C) 2005 +# +# Michiel Broek +# Beekmansbos 10 +# 1971 BV IJmuiden +# the Netherlands +# +# This file is part of SlackSecCheckSripts. +# +# This package is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2, or (at your option) any +# later version. +# +# SlackSecCheckSripts is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with MBSE BBS; see the file COPYING. If not, write to the Free +# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +############################################################################# + + +PATH=/sbin:/usr/sbin:/bin:/usr/bin + +umask 077 +TZ=UTC; export TZ +MP=/etc/passwd +LANG=C; export LANG + +SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 + +trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE + +if ! cd "$SECUREDIR"; then + echo "Can not cd to $SECUREDIR". + exit 1 +fi + +MPBYPATH=secure1.$$ +OUTPUT=secure2.$$ + + +# These are used several times. +# +awk -F: '{ print $1 " " $6 }' $MP | sort -k2 > $MPBYPATH + + +# Check home directories. Directories should not be owned by someone else +# or writeable. +# +while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`/bin/ls -ld ${homedir}` + printf -- "$uid $file\n" + fi +done < $MPBYPATH | +awk '$1 != $4 && $4 != "root" { printf "\tuser %s home directory is owned by %s.\n", $1, $4 } + $2 ~ /^.....w/ { printf "\tuser %s home directory %s is group writeable.\n", $1, $10 } + $2 ~ /^........w/ { printf "\tuser %s home directory %s is other writeable.\n", $1, $10 }' \ +> $OUTPUT +if [ -s $OUTPUT ] ; then + printf "\nChecking home directories.\n" + cat $OUTPUT +fi + +# Files that should not be owned by someone else or readable. +list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity" +while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf -- "$uid $f `/bin/ls -ld $file`\n" + fi + done +done < $MPBYPATH | +awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 } + $3 ~ /^....r/ { printf "\tuser %s %s file is group readable.\n", $1, $2 } + $3 ~ /^.......r/ { printf "\tuser %s %s file is other readable.\n", $1, $2 } + $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 } + $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \ + > $OUTPUT +# Files that should not be owned by someone else or writeable. +list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ + .cshrc .emacs .exrc .forward .history .klogin .login .logout \ + .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc .twmrc \ + .xinitrc .xsession .ssh/authorized_keys .ssh/authorized_keys2 \ + .ssh/config .ssh/id_dsa.pub .ssh/id_rsa.pub .ssh/identity.pub \ + .ssh/known_hosts .ssh/known_hosts2" +while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf -- "$uid $f `/bin/ls -ld $file`\n" + fi + done +done < $MPBYPATH | +awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 } + $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 } + $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \ + >> $OUTPUT +if [ -s $OUTPUT ] ; then + printf "\nChecking dot files.\n" + cat $OUTPUT +fi + +