authorYoann Vandoorselaere <yoann@mandriva.com>2000-03-07 14:39:50 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>2000-03-07 14:39:50 +0000
commite67d4c05d0d218ede7f02ffc9b86dc2c95f75d1d (patch)
treea1a7aba20fbdc0d4c436defab7422f3b9af2c9f1
parenteb9a7036548dd6d78e386d6a3d16035496a07326 (diff)
*** empty log message ***
-rw-r--r--ChangeLog16
-rwxr-xr-xcron-sh/security_check.sh29
-rw-r--r--init-sh/perm.42
-rw-r--r--init-sh/perm.52
4 files changed, 34 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index f700035..3e47681 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2000-03-07 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Included patch from Stefan Siegel which fix these item :
+ * Files that should not be owned by someone else or readable:
+ -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
+
+ * Files that should not be owned by someone else or writeable:
+ -> replaced "-" by "." in awk-script beause ".ssh" is a directory
+
+ * Check home directories. Directories should not be owned by=20
+ someone else or writeable:
+ -> replaced "-" by "d" in awk-script beause "~" is a directory
+ -> replaced username-check by uid-check (avoids false output=20
+ by usernames > 8 char, e.g. "fetchmail" !=3D "fetchmai" )
+ -> removed "~lp" and "~mail" from group-check as their homedirs
+ are group writeable
+
2000-02-17 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* level 4 - 5 /var/log in mode 711 for daemon spawned as non root user.
* /etc/printcap is 644 in mode 4 & 5
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 0c0948a..a5ad71c 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -55,7 +55,8 @@ fi
if [[ ${CHECK_PERMS} == yes ]]; then
# Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/random_seed"
awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
while read username uid homedir; do
for f in ${list} ; do
@@ -95,9 +96,9 @@ while read username uid homedir; do
done
done | awk '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^-....w/ \
+ $4 ~ /^.....w/ \
{ print "\t\t- " $3 " : file is group writeable." }
- $4 ~ /^-.......w/ \
+ $4 ~ /^........w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
if [[ -s ${TMP} ]]; then
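Review bot: Replacing the leading `-` with `.` in both mode patterns makes them match every file type, not only regular files and directories. If the listing that feeds this awk (built outside the hunk) does not dereference symlinks, a symlinked `.netrc` or `.ssh` shows as `lrwxrwxrwx` and would be reported as group and other writeable whatever its target's mode is. Since the ChangeLog gives directories as the reason for the change, `$4 ~ /^[-d]....w/` and `$4 ~ /^[-d].......w/` would cover `.ssh` without that noise. A one-line comment above the patterns saying that entries in the list may be directories would record why the type character is not `-`.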
@@ -106,18 +107,20 @@ if [[ -s ${TMP} ]]; then
fi
### Check home directories. Directories should not be owned by someone else or writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
+awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
+while read username uid homedir; do
if [[ -d ${homedir} ]] ; then
- file=`ls -ldg ${homedir}`
- printf "$uid $file\n"
+ realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
+ realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
+ permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+ printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
fi
-done | awk '$1 != $4 && $4 != "root" \
- { print "user=" $1 " : home directory is owned by " $4 "." }
- $2 ~ /^-....w/ \
- { print "user=" $1 " : home directory is group writeable." }
- $2 ~ /^-.......w/ \
- { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
+done | awk '$3 != $5 && $5 != "(0)" \
+ { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+ { print "user=" $2 $3" : home directory is group writeable." }
+ $1 ~ /^d.......w/ \
+ { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
if [[ -s $TMP ]] ; then
printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}
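Review bot: The new owner comparison takes `$3` from `ls -ldgn`, which is the owner uid only where `ls` ignores `-g`; GNU coreutils treats `-g` as "long format without owner", so there `$3` is the gid and `$3 != $5` would compare a uid with a gid. Dropping `g` keeps the column stable, e.g. `realuid=$(ls -ldn "${homedir}" | awk '{ print $3 }')` and plain `ls -ld` for `realuser` and `permissions`, with `${homedir}` quoted so a path containing spaces is not split. Separately, `[[ -d ${homedir} ]]` follows symlinks while `ls -ld` does not, so a home that is a symlink prints a mode starting with `l` and never matches `^d....w`; adding `-L` would test the directory that is actually used. The `printf` also uses passwd-derived data as its format string; `printf '%s %s (%s) %s (%s)\n' "${permissions}" "${username}" "${uid}" "${realuser}" "${realuid}"` keeps a `%` in a name from being interpreted.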
diff --git a/init-sh/perm.4 b/init-sh/perm.4
index c6e97ad..ef31596 100644
--- a/init-sh/perm.4
+++ b/init-sh/perm.4
@@ -32,7 +32,7 @@
/etc/lilo.conf root.adm 600
/etc/modules.conf root.adm 640
/etc/motd root.adm 644
-/etc/printcap root.adm 644
+/etc/printcap root.lp 640
/etc/profile root.root 644
/etc/rc.d/ root.adm 640
/etc/securetty root.adm 640
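Review bot: The `/etc/printcap` change to `root.lp 640` here (and the identical line in the init-sh/perm.5 hunk) is not documented anywhere in the commit: the log message is empty, the new ChangeLog entry lists only the security_check.sh fixes, and the 2000-02-17 entry still says printcap is 644 in modes 4 and 5. Add a ChangeLog line such as `* /etc/printcap is root.lp 640 in mode 4 & 5` together with the reason for the tightening. With mode 640, any program that reads printcap without lp group privileges will presumably lose access, so it is worth confirming that the print clients run with that group.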
diff --git a/init-sh/perm.5 b/init-sh/perm.5
index 2df089e..a4d5755 100644
--- a/init-sh/perm.5
+++ b/init-sh/perm.5
@@ -32,7 +32,7 @@
/etc/lilo.conf root.root 600
/etc/modules.conf root.root 600
/etc/motd root.root 644
-/etc/printcap root.root 644
+/etc/printcap root.lp 640
/etc/profile root.root 644
/etc/rc.d/ root.root 600
/etc/securetty root.root 600