-rw-r--r--Makefile2
-rw-r--r--TODO3
-rwxr-xr-xcron-sh/diff_check.sh2
-rwxr-xr-xcron-sh/security_check.sh4
-rw-r--r--init-sh/group.conf2
-rwxr-xr-xinit-sh/grpuser.sh30
-rwxr-xr-xinit-sh/level1.sh9
-rwxr-xr-xinit-sh/level2.sh7
-rw-r--r--init-sh/lib.sh126
-rw-r--r--msec.spec14
10 files changed, 124 insertions, 75 deletions
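--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,6 @@ rpm_install: all
 cp init-sh/file_perm.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/perm.[0-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/server.* $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
- cp init-sh/group.conf $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/grpuser.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/custom.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp cron-sh/*.sh $(RPM_BUILD_ROOT)/etc/security/msec/cron-sh
@@ -45,7 +44,6 @@ install:
 (cp init-sh/init.sh /etc/security/msec/init.sh);
 (cp init-sh/lib.sh /etc/security/msec/init-sh);
 (cp init-sh/grpuser.sh /etc/security/msec/init-sh);
- (cp init-sh/group.conf /etc/security/msec/init-sh);
 (cp init-sh/file_perm.sh /etc/security/msec/init-sh);
 (cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
 (cp init-sh/custom.sh /etc/security/msec/init-sh);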
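Review bot: Dropping the two `cp init-sh/group.conf` lines means neither `rpm_install` nor `install` puts /etc/security/msec/group.conf in place any more, yet grpuser.sh in this same commit still reads it in RefreshAdd and RefreshDel (`cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name`). If the file is now meant to be written by the administrator (the spec changelog suggests so), that should be said next to those reads and the script should test for it before use, e.g. `[[ -f /etc/security/msec/group.conf ]] || exit 0`; if it was meant to stay packaged, the `cp` lines should be kept. user.conf is read the same way and is not copied in the visible parts of either target either. Both rules start outside the hunks.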
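--- a/TODO
+++ /dev/null
@@ -1,3 +0,0 @@
-- Fix xhost
-- sysrq
-- export SECURE_LEVEL globally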
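--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -43,7 +43,7 @@ UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday"
 UNOWNED_DIFF="/var/log/security/unowned.diff"
 SECURITY_LOG="/var/log/security.log"
-TMP="/tmp/secure.tmp"
+TMP=`mktemp /tmp/secure.XXXXXX`
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security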
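Review bot: The new `TMP=\`mktemp /tmp/secure.XXXXXX\`` never checks that mktemp succeeded, so on failure TMP is empty and every later redirection to `${TMP}` in the script errors out one by one instead of the script stopping cleanly; `TMP=\`mktemp /tmp/secure.XXXXXX\` || exit 1` keeps the symlink-safe intent of the change. Nothing visible in this hunk removes the file afterwards, so each cron run would leave a fresh /tmp/secure.* behind unless a later part of the script deletes it; a `trap 'rm -f "${TMP}"' EXIT` right after the assignment covers every exit path. The rest of the script, including all uses of TMP, is outside the hunk.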
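--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -15,9 +15,9 @@ if [[ ${CHECK_SECURITY} != yes ]]; then
 exit 0
 fi
-SECURITY="/tmp/secure.log"
+SECURITY=`mktemp /tmp/secure.log`
 SECURITY_LOG="/var/log/security.log"
-TMP="/tmp/secure.tmp"
+TMP=`mktemp /tmp/secure.tmp`
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security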
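Review bot: Neither new mktemp call carries an `XXXXXX` template (`SECURITY=\`mktemp /tmp/secure.log\``, `TMP=\`mktemp /tmp/secure.tmp\``), so depending on the mktemp implementation it either rejects the template and leaves the variable empty, or creates exactly the fixed name that was used before; in both cases the predictable /tmp path that the spec changelog says this commit removes is still in play. Use `SECURITY=\`mktemp /tmp/secure.log.XXXXXX\` || exit 1` and `TMP=\`mktemp /tmp/secure.tmp.XXXXXX\` || exit 1`, and remove both files on exit with a trap; diff_check.sh in this same commit shows the intended form (`/tmp/secure.XXXXXX`). The remainder of the script that uses these variables is outside the hunk.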
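--- a/init-sh/group.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-audio
-urpmi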
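--- a/init-sh/grpuser.sh
+++ b/init-sh/grpuser.sh
@@ -20,22 +20,19 @@ Usage() {
 }
 ModifyFile() {
- cp /etc/${file} /tmp/${file}.old
+ tmpfile=`mktemp /tmp/grpuser.XXXXXX`
+ cp /etc/${file} ${tmpfile}
- head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file}
+ head -$((group_line_number - 1)) ${tmpfile} > /etc/${file}
 echo "${new_group_line}" >> /etc/${file}
- tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file}
-
- new_group_line=""
+ tail +$((group_line_number + 1)) ${tmpfile} >> /etc/${file}
- rm -f /tmp/${file}.old
+ rm -f ${tmpfile}
 }
 RemoveUserFromGroup() {
 new_group_line=${group}`echo ${group_users} |
 sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g`
-
- echo ${new_group_line}
 }
 AppendUserToGroup() {
@@ -87,27 +84,28 @@ RefreshAdd() {
 exit 1;
 fi
- cat /etc/security/msec/group.conf | while read group_name; do
+ cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
 IsGroupExisting;
 if [[ $? != 0 ]]; then
 echo "Group \"${group_name}\" doesn't exist. skiping it."
 else
- cat /etc/security/msec/user.conf | while read user_name; do
+ cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
 IsUserExisting;
 if [[ $? != 0 ]]; then
 # user doesn't exist
 echo "Can't add user \"${user_name}\" to group \"${group_name}\" user doesn't exist. skiping."
 IsUserAlreadyInGroup;
 if [[ $? == 0 ]]; then
- echo "User doesn't exist but is in a group... delete user from this group."
+ #User doesn't exist but is in a group... delete user from this group.
+ IsGroupExisting;
 RemoveUserFromGroup;
 ModifyFile;
 fi
 else
 echo "Adding user \"${user_name}\" to group \"${group_name}\"."
- #AppendUserToGroup;
- #ModifyFile;
- usermod -G ${group_name} ${user_name}
+ IsGroupExisting;
+ AppendUserToGroup;
+ ModifyFile;
 fi
 done
 fi
@@ -115,12 +113,12 @@ RefreshAdd() {
 }
 RefreshDel() {
- cat /etc/security/msec/group.conf | while read group_name; do
+ cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
 IsGroupExisting;
 if [[ $? != 0 ]]; then
 echo "Group \"${group_name}\" doesn't exist. skiping it."
 else
- cat /etc/security/msec/user.conf | while read user_name; do
+ cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
 IsGroupExisting; # We need some variable at each turn.
 IsUserAlreadyInGroup;
 if [[ $? == 0 ]]; then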
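Review bot: ModifyFile (first hunk) truncates the live file with `head ... > /etc/${file}` before the replacement content exists, and nothing checks that `mktemp` or `cp` succeeded; if mktemp fails, `tmpfile` is empty, both `head` and `tail` fail, and /etc/${file} (presumably /etc/group, given the script's purpose — confirm) is left holding only `${new_group_line}`. The new lines should be assembled in a second temp file and copied over the original only after every step succeeded, using `cat >` so the original's mode and owner survive. RefreshAdd and RefreshDel call ModifyFile once per user, so a failure in the middle of the loop compounds on the next iteration. A rewrite of the function is below; its callers are unchanged.
```sh
ModifyFile() {
	tmpfile=`mktemp /tmp/grpuser.XXXXXX` || return 1
	newfile=`mktemp /tmp/grpuser.XXXXXX` || { rm -f "${tmpfile}"; return 1; }
	# Build the complete replacement first; /etc/${file} is only rewritten
	# once every step below has succeeded.
	cp /etc/${file} "${tmpfile}" &&
	head -$((group_line_number - 1)) "${tmpfile}" > "${newfile}" &&
	echo "${new_group_line}" >> "${newfile}" &&
	tail +$((group_line_number + 1)) "${tmpfile}" >> "${newfile}" &&
	cat "${newfile}" > /etc/${file}   # cat keeps the mode and owner of /etc/${file}
	status=$?
	rm -f "${tmpfile}" "${newfile}"
	return ${status}
}
```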
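--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -72,14 +72,13 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
-
-###
+AddBegRules /etc/X11/xdm/Xsession "/usr/X11R6/bin/xhost + localhost"
+AddBegRules /etc/X11/xinit/xinitrc "/usr/X11R6/bin/xhost + localhost"
 # Group
+echo "Adding system users to specific groups :"
 /etc/security/msec/init-sh/grpuser.sh --refresh
-
+echo -e "done.\n"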
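Review bot: The added `echo -e "done.\n"` after `/etc/security/msec/init-sh/grpuser.sh --refresh` prints success regardless of what the script returned, and grpuser.sh in this commit has at least one visible `exit 1` path, so a failed group refresh is reported as done. `/etc/security/msec/init-sh/grpuser.sh --refresh && echo -e "done.\n"` (or testing `$?` and printing a failure line) keeps the progress output honest. level2.sh gets the identical two lines in this commit and needs the same change.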
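--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -71,10 +71,11 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules /etc/X11/xdm/Xsession "/usr/X11R6/bin/xhost + localhost"
+AddBegRules /etc/X11/xinit/xinitrc "/usr/X11R6/bin/xhost + localhost"
 # group
+echo "Adding system users to specifics groups :"
 /etc/security/msec/init-sh/grpuser.sh --refresh
-
+echo -e "done.\n"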
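--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -9,7 +9,6 @@ if [[ ${UID} != 0 ]]; then
 exit 1
 fi
-
 COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
 WaitAnswer() {
@@ -38,37 +37,40 @@ AddRules() {
 echo -e "${COMMENT}" >> ${file};
 echo -e "${string}" >> ${file};
 fi
+
 if [[ -z ${3} ]]; then
 echo -e "done.\n"
 fi
 }
 AddBegRules() {
- string=$1
- file=$2
- quiet=$3
- ctrl=0
+ echo "Modifying config in ${2}..."
+
+/usr/bin/perl -e '
+ my $m;
- if [[ -z ${string} ]]; then
- return;
- fi
+ $file = shift or die;
+ $temp = `mktemp /tmp/secure.XXXXXX`;
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
+ chomp $temp;
- cp -f ${file} /tmp/secure.tmp
+ open FH, $file;
+ open FW, ">$temp";
- if ! grep -Eqx "^${string}" /tmp/secure.tmp; then
- echo -e "${COMMENT}" > ${file};
- echo -e "${string}" >> ${file};
- fi
+ while (<FH>) {
+ if (!/^\#/ && !/^$/ && !$m) {
+ print FW $ENV{"COMMENT"};
+ print FW "@ARGV\n\n"; $m++;
+ }
+ print FW;
+ }
+ close FH;
+ close FW;
- cat /tmp/secure.tmp >> ${file}
+ `mv -f $temp $file`;
+' $@
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
+ echo -e "done.\n"
 }
@@ -77,11 +79,14 @@ CleanRules() {
 ctrl=0
 if [[ ! -f ${file} ]]; then
+ echo "${file} do not exist... can not clean."
 return;
 fi
 echo -en "\t- Cleaning msec appended line in ${file} : "
- cp -f ${file} /tmp/secure.tmp
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp ${file} ${tmpfile}
 while read line; do
 if [[ ${ctrl} == 1 ]]; then
@@ -94,11 +99,11 @@ CleanRules() {
 fi
 if [[ ${ctrl} == 0 ]]; then
- echo "${line}" > ${file}
+ echo "${line}"
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile} > ${file}
- rm -f /tmp/secure.tmp
+ rm -f ${tmpfile}
 echo "done."
 }
@@ -112,16 +117,18 @@ CommentUserRules() {
 echo -en "\t- Cleaning user appended line in ${file} : "
- cp -f ${file} /tmp/secure.tmp
-
- while read line; do
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp -f ${file} ${tmpfile}
+
+ while read line; do
 if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}" > ${file}
+ echo "# ${line}"
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile} > ${file}
- rm -f /tmp/secure.tmp
- echo "done."
+ rm -f ${tmpfile}
+
+ echo "done."
 }
 Syslog() {
@@ -132,7 +139,7 @@ Syslog() {
 Ttylog() {
 if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
+ w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
 echo -e ${1} > /dev/$i
 done
 fi
@@ -156,14 +163,16 @@ LiloUpdate() {
 fi
 if [[ ! -z "${password}" ]]; then
- cp -f /etc/lilo.conf /tmp/secure.tmp
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+
+ cp -f /etc/lilo.conf ${tmpfile}
 while read line; do
 if ! echo "${line}" | grep -q "password"; then
 echo "${line}" > /etc/lilo.conf
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile}
- rm -f /tmp/secure.tmp
+ rm -f ${tmpfile}
 clear
 AddRules "password=$password" /etc/lilo.conf
 fi
@@ -172,11 +181,6 @@ LiloUpdate() {
 # If we are currently installing our
 # system with DrakX, we don't ask anything to the user...
 # Instead, DrakX do it and give us a file with some variable.
-if [[ -f /tmp/secure.DrakX ]]; then
- . /tmp/secure.DrakX
- AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf
-fi
-
 if [[ -f /etc/security/msec/security.conf ]]; then
 . /etc/security/msec/security.conf
 fi
@@ -197,7 +201,6 @@ CleanRules /etc/profile
 CleanRules /etc/lilo.conf
 CleanRules /etc/rc.d/rc.firewall
 CleanRules /etc/crontab
-CleanRules /etc/security/msec/security.users
 CleanRules /etc/X11/xdm/Xsession
 CleanRules /etc/X11/xinit/xinitrc
@@ -213,6 +216,47 @@ groupadd xgrp >& /dev/null
 usermod -G xgrp xfs
 /etc/security/msec/init-sh/grpuser.sh --clean
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+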
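Review bot: In the rewritten AddBegRules (second hunk), `print FW $ENV{"COMMENT"};` writes the marker comment without a newline, so the following `print FW "@ARGV\n\n";` glues the injected rule (`/usr/X11R6/bin/xhost + localhost` from the level scripts) onto the comment line, where the shell never executes it and CleanRules, which keys on that comment, cannot strip it; it needs `print FW $ENV{"COMMENT"}, "\n";`. COMMENT is only assigned (`COMMENT="# Mandrake-Security : ..."`, first hunk) and no visible line exports it, so `$ENV{"COMMENT"}` is empty unless an export exists outside these hunks — passing it as `COMMENT="${COMMENT}" /usr/bin/perl -e '...'` makes the dependency explicit. The `mktemp` and `open` results are unchecked, `mv -f $temp $file` gives the target mktemp's 0600 mode (which likely breaks Xsession and xinitrc for ordinary users), and the old `grep -Eqx` guard against inserting the same rule twice is gone, so re-running a level script stacks copies. Separately, the LiloUpdate hunk keeps `echo "${line}" > /etc/lilo.conf` inside its loop — the same truncate-per-line bug this commit fixes in CleanRules and CommentUserRules — so lilo.conf is left with only its last non-password line; the fix is the same pair of lines, `echo "${line}"` and `done < ${tmpfile} > /etc/lilo.conf`. The perl body below addresses the AddBegRules points; the surrounding shell of the function is otherwise unchanged.
```sh
	COMMENT="${COMMENT}" /usr/bin/perl -e '
	my $file = shift or die "no file given";
	my $rule = "@ARGV";
	open FH, $file or die "$file: $!";
	my @lines = <FH>;
	close FH;
	# Already present: leave the file untouched (restores the old grep -Eqx guard).
	exit 0 if grep { $_ eq "$rule\n" } @lines;
	my $temp = `mktemp /tmp/secure.XXXXXX`;
	chomp $temp;
	die "mktemp failed" unless $temp;
	open FW, ">$temp" or die "$temp: $!";
	my $m;
	for (@lines) {
		if (!/^\#/ && !/^$/ && !$m) {
			print FW $ENV{"COMMENT"}, "\n";
			print FW "$rule\n\n"; $m++;
		}
		print FW;
	}
	close FW;
	chmod((stat $file)[2] & 07777, $temp);   # mktemp created $temp as 0600
	rename $temp, $file or die "rename $temp -> $file: $!";
	' "$@"
	# … unchanged: done message …
```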
diff --git a/msec.spec b/msec.spec
index 28ad31e..5b40df0 100644
--- a/msec.spec
+++ b/msec.spec
@@ -35,6 +35,20 @@ rm -rf $RPM_BUILD_ROOT
/usr/bin/promisc_check
%changelog
+* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Indentation problem should be fixed.
+- All debug finished, changing secure.tmp to a mktemp
+ allocated tmpfile for symlink security.
+- grpuser.sh take only one opt ( --refresh ),
+ take group name from /etc/security/msec/group.conf
+ and add user from /etc/security/msec/user.conf if secure level > 2
+- level0.sh fixed inittab entry
+- fix a typo
+- As requested, direct shell access for level 0
+- Fixed a little problem with the DRAKX_USERS variable
+- removed chattr +a because of the problem it can cause to
+ other system automated system task.
+
* Mon Dec 13 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- diff_check.sh : fix a typo.