authorYoann Vandoorselaere <yoann@mandriva.com>2000-03-07 14:39:50 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>2000-03-07 14:39:50 +0000
commite67d4c05d0d218ede7f02ffc9b86dc2c95f75d1d (patch)
treea1a7aba20fbdc0d4c436defab7422f3b9af2c9f1 /cron-sh/security_check.sh
parenteb9a7036548dd6d78e386d6a3d16035496a07326 (diff)
*** empty log message ***
Diffstat (limited to 'cron-sh/security_check.sh')
-rwxr-xr-xcron-sh/security_check.sh29
1 files changed, 16 insertions, 13 deletions
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 0c0948a..a5ad71c 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -55,7 +55,8 @@ fi
if [[ ${CHECK_PERMS} == yes ]]; then
# Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/random_seed"
awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
while read username uid homedir; do
for f in ${list} ; do
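Review bot: The new two-line `list` assignment only works because a space precedes the trailing backslash — inside double quotes a backslash-newline is simply removed, so without that space `.gnupg/secring.gpg` and `.pgp/secring.pgp` would fuse into one token that `for f in ${list}` never matches. Since the script already relies on bash (`[[`), a bash array makes the element boundaries explicit and removes the dependence on word splitting: `list=(.netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg` / `      .pgp/secring.pgp .ssh/identity .ssh/random_seed)` and `for f in "${list[@]}"; do`. A one-line comment above the assignment saying these are paths relative to each user's home directory would also help, because the loop body that joins them to `${homedir}` is outside this hunk.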
@@ -95,9 +96,9 @@ while read username uid homedir; do
done
done | awk '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^-....w/ \
+ $4 ~ /^.....w/ \
{ print "\t\t- " $3 " : file is group writeable." }
- $4 ~ /^-.......w/ \
+ $4 ~ /^........w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
if [[ -s ${TMP} ]]; then
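Review bot: Relaxing the first character of both patterns from `-` to `.` means the group/other-writeable checks now also match entries whose mode string starts with `l`; `ls -ld` on a symbolic link prints `lrwxrwxrwx`, so a symlinked `.ssh/identity` or `.netrc` would be reported as both group and other writeable even though the link target may be fine. The `ls` that produces field `$4` runs in the loop body outside this hunk, so I cannot confirm whether `-L` is passed; if links are not followed, `$4 ~ /^[^l]....w/` and `$4 ~ /^[^l].......w/` keep the wider match without the false positive, or alternatively resolve the link with `ls -L` before testing the mode. A short comment above the `awk` stating which field holds the mode string and why the leading character is no longer anchored would make the intent of the change clear to the next reader.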
@@ -106,18 +107,20 @@ if [[ -s ${TMP} ]]; then
fi
### Check home directories. Directories should not be owned by someone else or writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
+awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
+while read username uid homedir; do
if [[ -d ${homedir} ]] ; then
- file=`ls -ldg ${homedir}`
- printf "$uid $file\n"
+ realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
+ realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
+ permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+ printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
fi
-done | awk '$1 != $4 && $4 != "root" \
- { print "user=" $1 " : home directory is owned by " $4 "." }
- $2 ~ /^-....w/ \
- { print "user=" $1 " : home directory is group writeable." }
- $2 ~ /^-.......w/ \
- { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
+done | awk '$3 != $5 && $5 != "(0)" \
+ { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+ { print "user=" $2 $3" : home directory is group writeable." }
+ $1 ~ /^d.......w/ \
+ { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
if [[ -s $TMP ]] ; then
printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}