aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rwxr-xr-xcron-sh/security.sh45
-rw-r--r--src/msec_find/find.c69
3 files changed, 66 insertions, 52 deletions
diff --git a/ChangeLog b/ChangeLog
index 1186eef..cab6bba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2000-03-19 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * security.sh : added patch from Thomas Poindessous.
+ * find.c : many modification :)
+
2000-03-16 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* security.sh : export *_TODAY variable to be used by msec_find.
* find.c : removed a debuging printf.
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index b949028..b6636b5 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -76,21 +76,36 @@ netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
# Hard disk related file check; the less priority the better...
nice --adjustment=+19 /usr/bin/msec_find ${DIR}
-sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
-sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp
-sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp
-sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
-sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
-
-mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
-mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY}
-mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY}
-mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
-mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
-
-while read line; do
- md5sum ${line}
-done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
+ mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
+fi
+
+if [[ -f ${SUID_GROUP_TODAY} ]]; then
+ sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp
+ mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY}
+fi
+
+if [[ -f ${WRITEABLE_TODAY} ]]; then
+ sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp
+ mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY}
+fi
+
+if [[ -f ${UNOWNED_USER_TODAY} ]]; then
+ sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
+ mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
+fi
+
+if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
+ sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
+ mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
+fi
+
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ while read line; do
+ md5sum ${line}
+ done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+fi
### Functions ###
diff --git a/src/msec_find/find.c b/src/msec_find/find.c
index 18c4261..c60de21 100644
--- a/src/msec_find/find.c
+++ b/src/msec_find/find.c
@@ -9,16 +9,16 @@
/*
* TODO
- * +++ hash tables or btree to stock already searched uid/gid for speed
- * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE?
- * static char **uid_hash, **gid_hash;
+ * +++ hash tables or btree to stock already searched uid/gid for speed
+ * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE?
+ * static char **uid_hash, **gid_hash;
*
- * +++ check for open & I/O error on log files ...
- * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing
- * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with
- * Yoann
- * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG
- * --- disable write test on links => OK
+ * +++ check for open & I/O error on log files ...
+ * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing
+ * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with
+ * Yoann
+ * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG
+ * --- disable write test on links => OK
*/
/*
@@ -31,7 +31,6 @@
* - Do not use getenv to get the root directory.
* - Use argv instead of a DIR variable to get directory to scan.
* - Free directory after use when allocated for appending a '/'.
- * - We do not need __USE_XOPEN_EXTENDED definition.
*/
#include <stdlib.h>
@@ -67,41 +66,27 @@ static FILE *writeable_fd;
static int traverse(const char *file, const struct stat *sb, int flag, struct FTW *s)
{
- struct passwd *u_nss_data;
- struct group *g_nss_data;
-
+ struct passwd *u_nss_data;
+ struct group *g_nss_data;
+
+ /*
+ * handle bogus glibc ftw
+ * else we won't print only one '/' in front of file names
+ */
if (strncmp(file, "//", 2) == 0 )
- /*
- * handle bogus glibc ftw
- * else we won't print only one '/' in front of file names
- */
file++;
- if (strncmp("/proc", file, 5) == 0)
- return 0;
- if (strncmp("/dev", file, 4) == 0)
+ /*
+ * Don't walk throught /dev & /proc
+ */
+ if ( (strncmp("/proc", file, 5) == 0) || (strncmp("/dev", file, 4) == 0) )
return 0;
switch (flag) {
- /*
- * Here is a difference with security-check.sh:
- * we don't check for regular files only for Set-UID et Set-GID but
- * to directories too. Idem for world writable directories ...
- */
-
- case FTW_F:
/*
- * Regular file
- *
- * printf("%s\n", file);
+ * Regular file handling.
*/
-
- /*
- * Is writeable check.
- */
- if (sb->st_mode & 0002)
- fprintf(writeable_fd, "%s\n", file);
-
+ case FTW_F:
/*
* Is suid root check.
*/
@@ -114,8 +99,18 @@ static int traverse(const char *file, const struct stat *sb, int flag, struct FT
if (sb->st_mode & S_ISGID)
fprintf(sgid_fd, "%s\n", file);
+ /*
+ * Their is no break statement here, it is normal.
+ * Directory handing.
+ */
case FTW_D:
/*
+ * Is world writeable check.
+ */
+ if (sb->st_mode & 0002)
+ fprintf(writeable_fd, "%s\n", file);
+
+ /*
* Unowned user check.
*/
u_nss_data = getpwuid(sb->st_uid);