-rw-r--r-- | ChangeLog | 16 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 29 | ||||
-rw-r--r-- | init-sh/perm.4 | 2 | ||||
-rw-r--r-- | init-sh/perm.5 | 2 |
4 files changed, 34 insertions, 15 deletions
@@ -1,3 +1,19 @@
+2000-03-07 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Included patch from Stefan Siegel which fix these item :
+ * Files that should not be owned by someone else or readable:
+ -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
+
+ * Files that should not be owned by someone else or writeable:
+ -> replaced "-" by "." in awk-script beause ".ssh" is a directory
+
+ * Check home directories. Directories should not be owned by=20
+ someone else or writeable:
+ -> replaced "-" by "d" in awk-script beause "~" is a directory
+ -> replaced username-check by uid-check (avoids false output=20
+ by usernames > 8 char, e.g. "fetchmail" !=3D "fetchmai" )
+ -> removed "~lp" and "~mail" from group-check as their homedirs
+ are group writeable
+
 2000-02-17 Yoann Vandoorselaere <yoann@mandrakesoft.com>
 * level 4 - 5 /var/log in mode 711 for daemon spawned as non root user.
 * /etc/printcap is 644 in mode 4 & 5
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 0c0948a..a5ad71c 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -55,7 +55,8 @@ fi
 if [[ ${CHECK_PERMS} == yes ]]; then
 # Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/random_seed"
 awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
 while read username uid homedir; do
 for f in ${list} ; do
@@ -95,9 +96,9 @@ while read username uid homedir; do
 done
 done | awk '$1 != $6 && $6 != "0" \
 { print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^-....w/ \
+ $4 ~ /^.....w/ \
 { print "\t\t- " $3 " : file is group writeable." }
- $4 ~ /^-.......w/ \
+ $4 ~ /^........w/ \
 { print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
 if [[ -s ${TMP} ]]; then
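Review bot: The continued `list=` assignment on the new side only works because the backslash is the last character of the line inside the double quotes; a trailing blank after it would leave a literal backslash and newline in the string and a stray `\` item in `for f in ${list}`. Since the script already relies on bash syntax (`[[ ]]`), an array avoids both that fragility and the unquoted word-splitting the loop depends on: `list=(.netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg` / `.pgp/secring.pgp .ssh/identity .ssh/random_seed)` with `for f in "${list[@]}" ; do`. The body of that `for` loop continues past the hunk.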
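Review bot: Replacing the leading `-` with `.` in both awk patterns widens the match from regular files to every file type, so if `$4` is an `ls -l` mode string (as the home-directory check further down suggests) a symbolic link, whose mode prints as `lrwxrwxrwx`, would now trigger both the "group writeable" and "other writeable" messages for entries such as a linked `.ssh/identity`. `/^[-d]....w/` and `/^[-d].......w/` keep the ChangeLog's intent of covering the `.ssh` directory without flagging links. The loop that produces `$4` starts before this hunk, so confirm there that the field really is the mode column.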
@@ -106,18 +107,20 @@ if [[ -s ${TMP} ]]; then
 fi
 ### Check home directories. Directories should not be owned by someone else or writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
+awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
+while read username uid homedir; do
 if [[ -d ${homedir} ]] ; then
- file=`ls -ldg ${homedir}`
- printf "$uid $file\n"
+ realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
+ realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
+ permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+ printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
 fi
-done | awk '$1 != $4 && $4 != "root" \
- { print "user=" $1 " : home directory is owned by " $4 "." }
- $2 ~ /^-....w/ \
- { print "user=" $1 " : home directory is group writeable." }
- $2 ~ /^-.......w/ \
- { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
+done | awk '$3 != $5 && $5 != "(0)" \
+ { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+ { print "user=" $2 $3" : home directory is group writeable." }
+ $1 ~ /^d.......w/ \
+ { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
 if [[ -s $TMP ]] ; then
 printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}
diff --git a/init-sh/perm.4 b/init-sh/perm.4
index c6e97ad..ef31596 100644
--- a/init-sh/perm.4
+++ b/init-sh/perm.4
@@ -32,7 +32,7 @@
 /etc/lilo.conf root.adm 600
 /etc/modules.conf root.adm 640
 /etc/motd root.adm 644
-/etc/printcap root.adm 644
+/etc/printcap root.lp 640
 /etc/profile root.root 644
 /etc/rc.d/ root.adm 640
 /etc/securetty root.adm 640
diff --git a/init-sh/perm.5 b/init-sh/perm.5
index 2df089e..a4d5755 100644
--- a/init-sh/perm.5
+++ b/init-sh/perm.5
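Review bot: The new `printf` inside `if [[ -d ${homedir} ]]` builds its format string out of `${permissions}`, `${username}`, `${realuser}` and the two uids, so a `%` in any user or owner name coming from /etc/passwd or from `ls` output would be parsed as a conversion specifier instead of printed; use a constant format, `printf '%s %s (%s) %s (%s)\n' "${permissions}" "${username}" "${uid}" "${realuser}" "${realuid}"`. The three backquoted `ls -ldg`/`ls -ldgn` calls also leave `${homedir}` unquoted and each scrape one column of `ls` output; on current GNU coreutils `-g` suppresses the owner column, in which case `$3` is the group rather than the owner and the `$3 != $5` test in the awk filter would compare the passwd uid against a gid, so confirm what `ls -ldg` prints on the target release. A single `ls -ldn -- "${homedir}"` (or `stat`) per directory would yield the mode and numeric owner in one fork instead of three. The `if [[ -s $TMP ]]` block at the end continues past the hunk.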
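Review bot: The `/etc/printcap root.lp 640` change in perm.4 is not recorded in the ChangeLog hunk of this commit, whose preceding entry still states `* /etc/printcap is 644 in mode 4 & 5`, so the documented state and the shipped permission tables now disagree; add a line such as `-> /etc/printcap is root.lp 640 in mode 4 & 5` to the new entry. Mode 640 also means any program that reads printcap must run as root or in group `lp`; the perm files do not show what consumes it, so that should be confirmed before the tighter mode ships. The same change appears in the perm.5 hunk.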
@@ -32,7 +32,7 @@
 /etc/lilo.conf root.root 600
 /etc/modules.conf root.root 600
 /etc/motd root.root 644
-/etc/printcap root.root 644
+/etc/printcap root.lp 640
 /etc/profile root.root 644
 /etc/rc.d/ root.root 600
 /etc/securetty root.root 600 |