-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | TODO | 3 | ||||
-rwxr-xr-x | cron-sh/diff_check.sh | 2 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 4 | ||||
-rw-r--r-- | init-sh/group.conf | 2 | ||||
-rwxr-xr-x | init-sh/grpuser.sh | 30 | ||||
-rwxr-xr-x | init-sh/level1.sh | 9 | ||||
-rwxr-xr-x | init-sh/level2.sh | 7 | ||||
-rw-r--r-- | init-sh/lib.sh | 126 | ||||
-rw-r--r-- | msec.spec | 14 |
10 files changed, 124 insertions, 75 deletions
@@ -20,7 +20,6 @@ rpm_install: all
 cp init-sh/file_perm.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/perm.[0-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/server.* $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
- cp init-sh/group.conf $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/grpuser.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp init-sh/custom.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 cp cron-sh/*.sh $(RPM_BUILD_ROOT)/etc/security/msec/cron-sh
@@ -45,7 +44,6 @@ install:
 (cp init-sh/init.sh /etc/security/msec/init.sh);
 (cp init-sh/lib.sh /etc/security/msec/init-sh);
 (cp init-sh/grpuser.sh /etc/security/msec/init-sh);
- (cp init-sh/group.conf /etc/security/msec/init-sh);
 (cp init-sh/file_perm.sh /etc/security/msec/init-sh);
 (cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
 (cp init-sh/custom.sh /etc/security/msec/init-sh);
@@ -1,3 +0,0 @@
-- Fix xhost
-- sysrq
-- export SECURE_LEVEL globally
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
index 62d52e8..6c22184 100755
--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -43,7 +43,7 @@ UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday"
 UNOWNED_DIFF="/var/log/security/unowned.diff"
 SECURITY_LOG="/var/log/security.log"
-TMP="/tmp/secure.tmp"
+TMP=`mktemp /tmp/secure.XXXXXX`
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 800b0c0..6f73f72 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -15,9 +15,9 @@ if [[ ${CHECK_SECURITY} != yes ]]; then
 exit 0
 fi
-SECURITY="/tmp/secure.log"
+SECURITY=`mktemp /tmp/secure.log`
 SECURITY_LOG="/var/log/security.log"
-TMP="/tmp/secure.tmp"
+TMP=`mktemp /tmp/secure.tmp`
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security
diff --git a/init-sh/group.conf b/init-sh/group.conf
deleted file mode 100644
index bdbca9d..0000000
--- a/init-sh/group.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-audio
-urpmi 
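Review bot: The new `mktemp /tmp/secure.XXXXXX` assignment to TMP is not checked for failure, so when mktemp cannot create the file (no space in /tmp, missing binary) TMP is empty and whatever the script later redirects into ${TMP} lands on an empty name instead of a private file. `TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1` makes the script stop instead of continuing. Nothing in this hunk removes the file at the end of the run, so unless a line outside the hunk does, each cron invocation leaves a fresh /tmp/secure.* behind; a `trap 'rm -f "${TMP}"' EXIT` next to the assignment covers both normal and error exits. The rest of the script is outside the hunk.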
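Review bot: The templates `mktemp /tmp/secure.log` and `mktemp /tmp/secure.tmp` assigned to SECURITY and TMP contain no XXXXXX, unlike the diff_check.sh hunk, so mktemp has nothing to randomise: either the fixed, predictable name is created, which leaves exactly the symlink race the changelog says this commit closes, or, with an mktemp that insists on the Xs, the call fails and both variables are empty. Use `SECURITY=$(mktemp /tmp/secure.XXXXXX) || exit 1` and `TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1`, and remove both files on exit with a `trap` so they do not accumulate in /tmp.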
diff --git a/init-sh/grpuser.sh b/init-sh/grpuser.sh
index d2f2daf..85c303b 100755
--- a/init-sh/grpuser.sh
+++ b/init-sh/grpuser.sh
@@ -20,22 +20,19 @@ Usage() {
 }
 ModifyFile() {
- cp /etc/${file} /tmp/${file}.old
+ tmpfile=`mktemp /tmp/grpuser.XXXXXX`
+ cp /etc/${file} ${tmpfile}
- head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file}
+ head -$((group_line_number - 1)) ${tmpfile} > /etc/${file}
 echo "${new_group_line}" >> /etc/${file}
- tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file}
-
- new_group_line=""
+ tail +$((group_line_number + 1)) ${tmpfile} >> /etc/${file}
- rm -f /tmp/${file}.old
+ rm -f ${tmpfile}
 }
 RemoveUserFromGroup() {
 new_group_line=${group}`echo ${group_users} | sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g`
-
- echo ${new_group_line}
 }
 AppendUserToGroup() {
@@ -87,27 +84,28 @@ RefreshAdd() {
 exit 1;
 fi
- cat /etc/security/msec/group.conf | while read group_name; do
+ cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
 IsGroupExisting;
 if [[ $? != 0 ]]; then
 echo "Group \"${group_name}\" doesn't exist. skiping it."
 else
- cat /etc/security/msec/user.conf | while read user_name; do
+ cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
 IsUserExisting;
 if [[ $? != 0 ]]; then # user doesn't exist
 echo "Can't add user \"${user_name}\" to group \"${group_name}\" user doesn't exist. skiping."
 IsUserAlreadyInGroup;
 if [[ $? == 0 ]]; then
- echo "User doesn't exist but is in a group... delete user from this group."
+ #User doesn't exist but is in a group... delete user from this group.
+ IsGroupExisting;
 RemoveUserFromGroup;
 ModifyFile;
 fi
 else
 echo "Adding user \"${user_name}\" to group \"${group_name}\"."
- #AppendUserToGroup;
- #ModifyFile;
- usermod -G ${group_name} ${user_name}
+ IsGroupExisting;
+ AppendUserToGroup;
+ ModifyFile;
 fi
 done
 fi 
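Review bot: In ModifyFile the `mktemp /tmp/grpuser.XXXXXX` result is unchecked: if it fails, tmpfile is empty, the `cp` fails, and on the next line the `> /etc/${file}` redirection still truncates the group file before `head` errors out on the empty operand, so a single failed mktemp leaves /etc/${file} holding only the echoed `${new_group_line}`. Guard both lines: `tmpfile=$(mktemp /tmp/grpuser.XXXXXX) || return 1` and `cp /etc/${file} ${tmpfile} || return 1`. The rewrite is also performed in place over three commands (`head` truncates, `echo` and `tail` append), so an interruption between them leaves a partial /etc/${file}; assembling the result in a second temp file and moving it over /etc/${file} as the last step would make the update atomic, provided the original file's mode is restored on the copy, since mktemp creates it 0600.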
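Review bot: `cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do` still reads /etc/security/msec/group.conf, yet this same commit deletes init-sh/group.conf and drops both Makefile lines that installed it, so on a fresh install the file the loop depends on is no longer shipped unless something outside this diff now creates it (the `exit 1;` context above suggests a guard, in which case the refresh simply aborts). The same read appears in RefreshDel in the next hunk. Switching back from `usermod -G ${group_name} ${user_name}` to `AppendUserToGroup; ModifyFile;` means /etc/group is now spliced by the script's own head/tail rewrite with no lock on the account files, which usermod does take, so a group change made concurrently by another tool can be lost; if the usermod path is deliberately abandoned, the reason belongs in a comment where the call was removed. The `IsGroupExisting;` calls added before AppendUserToGroup and RemoveUserFromGroup look redundant next to the check at the top of the loop; RefreshDel's `# We need some variable at each turn.` explains the same pattern and should be copied here.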
@@ -115,12 +113,12 @@ RefreshAdd() {
 }
 RefreshDel() {
- cat /etc/security/msec/group.conf | while read group_name; do
+ cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
 IsGroupExisting;
 if [[ $? != 0 ]]; then
 echo "Group \"${group_name}\" doesn't exist. skiping it."
 else
- cat /etc/security/msec/user.conf | while read user_name; do
+ cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
 IsGroupExisting; # We need some variable at each turn.
 IsUserAlreadyInGroup;
 if [[ $? == 0 ]]; then
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 342752d..a7ce877 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -72,14 +72,13 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
-
-###
+AddBegRules /etc/X11/xdm/Xsession "/usr/X11R6/bin/xhost + localhost"
+AddBegRules /etc/X11/xinit/xinitrc "/usr/X11R6/bin/xhost + localhost"
 # Group
+echo "Adding system users to specific groups :"
 /etc/security/msec/init-sh/grpuser.sh --refresh
-
+echo -e "done.\n"
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index bfadce8..1760873 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -71,10 +71,11 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules /etc/X11/xdm/Xsession "/usr/X11R6/bin/xhost + localhost"
+AddBegRules /etc/X11/xinit/xinitrc "/usr/X11R6/bin/xhost + localhost"
 # group
+echo "Adding system users to specifics groups :"
 /etc/security/msec/init-sh/grpuser.sh --refresh
-
+echo -e "done.\n"
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 891ebf1..c7d0efd 100644
--- a/init-sh/lib.sh 
+++ b/init-sh/lib.sh
@@ -9,7 +9,6 @@ if [[ ${UID} != 0 ]]; then
 exit 1
 fi
-
 COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
 WaitAnswer() {
@@ -38,37 +37,40 @@ AddRules() {
 echo -e "${COMMENT}" >> ${file};
 echo -e "${string}" >> ${file};
 fi
+
 if [[ -z ${3} ]]; then
 echo -e "done.\n"
 fi
 }
 AddBegRules() {
- string=$1
- file=$2
- quiet=$3
- ctrl=0
+ echo "Modifying config in ${2}..."
+
+/usr/bin/perl -e '
+ my $m;
- if [[ -z ${string} ]]; then
- return;
- fi
+ $file = shift or die;
+ $temp = `mktemp /tmp/secure.XXXXXX`;
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
+ chomp $temp;
- cp -f ${file} /tmp/secure.tmp
+ open FH, $file;
+ open FW, ">$temp";
- if ! grep -Eqx "^${string}" /tmp/secure.tmp; then
- echo -e "${COMMENT}" > ${file};
- echo -e "${string}" >> ${file};
- fi
+ while (<FH>) {
+ if (!/^\#/ && !/^$/ && !$m) {
+ print FW $ENV{"COMMENT"};
+ print FW "@ARGV\n\n"; $m++;
+ }
+ print FW;
+ }
+ close FH;
+ close FW;
- cat /tmp/secure.tmp >> ${file}
+ `mv -f $temp $file`;
+' $@
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
+ echo -e "done.\n"
 }
@@ -77,11 +79,14 @@ CleanRules() {
 ctrl=0
 if [[ ! -f ${file} ]]; then
+ echo "${file} do not exist... can not clean."
 return;
 fi
 echo -en "\t- Cleaning msec appended line in ${file} : "
- cp -f ${file} /tmp/secure.tmp
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp ${file} ${tmpfile}
 while read line; do
 if [[ ${ctrl} == 1 ]]; then
@@ -94,11 +99,11 @@ CleanRules() {
 fi
 if [[ ${ctrl} == 0 ]]; then
- echo "${line}" > ${file}
+ echo "${line}"
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile} > ${file}
- rm -f /tmp/secure.tmp
+ rm -f ${tmpfile}
 echo "done."
 } 
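Review bot: In CleanRules the `mktemp /tmp/secure.XXXXXX` assignment to tmpfile and the `cp ${file} ${tmpfile}` after it are unchecked, so a failed mktemp leaves tmpfile empty and the function goes on to the `done < ${tmpfile} > ${file}` rewrite in the next hunk; there the failing input redirection appears to stop the loop before the output redirection is opened, so ${file} survives, but only by accident, and CommentUserRules relies on the same accident. `tmpfile=$(mktemp /tmp/secure.XXXXXX) || return 1` and `cp ${file} ${tmpfile} || { rm -f ${tmpfile}; return 1; }` make the intent explicit and do not leave the copy behind. The added `echo "${file} do not exist... can not clean."` is a diagnostic and belongs on stderr (`>&2`) so it does not mix with the progress output this script prints on stdout. CleanRules continues in the next hunk.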
@@ -112,16 +117,18 @@ CommentUserRules() {
 echo -en "\t- Cleaning user appended line in ${file} : "
- cp -f ${file} /tmp/secure.tmp
-
- while read line; do
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp -f ${file} ${tmpfile}
+
+ while read line; do
 if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}" > ${file}
+ echo "# ${line}"
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile} > ${file}
- rm -f /tmp/secure.tmp
- echo "done."
+ rm -f ${tmpfile}
+
+ echo "done."
 }
 Syslog() {
@@ -132,7 +139,7 @@ Syslog() {
 Ttylog() {
 if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
+ w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
 echo -e ${1} > /dev/$i
 done
 fi
@@ -156,14 +163,16 @@ LiloUpdate() {
 fi
 if [[ ! -z "${password}" ]]; then
- cp -f /etc/lilo.conf /tmp/secure.tmp
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+
+ cp -f /etc/lilo.conf ${tmpfile}
 while read line; do
 if ! echo "${line}" | grep -q "password"; then
 echo "${line}" > /etc/lilo.conf
 fi
- done < /tmp/secure.tmp
+ done < ${tmpfile}
- rm -f /tmp/secure.tmp
+ rm -f ${tmpfile}
 clear
 AddRules "password=$password" /etc/lilo.conf
 fi
@@ -172,11 +181,6 @@ LiloUpdate() {
 # If we are currently installing our
 # system with DrakX, we don't ask anything to the user...
 # Instead, DrakX do it and give us a file with some variable.
-if [[ -f /tmp/secure.DrakX ]]; then
- . /tmp/secure.DrakX
- AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf
-fi
-
 if [[ -f /etc/security/msec/security.conf ]]; then
 . /etc/security/msec/security.conf
 fi
@@ -197,7 +201,6 @@ CleanRules /etc/profile
 CleanRules /etc/lilo.conf
 CleanRules /etc/rc.d/rc.firewall
 CleanRules /etc/crontab
-CleanRules /etc/security/msec/security.users
 CleanRules /etc/X11/xdm/Xsession
 CleanRules /etc/X11/xinit/xinitrc 
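Review bot: In LiloUpdate, `echo "${line}" > /etc/lilo.conf` inside the `while read line` loop truncates /etc/lilo.conf on every iteration, so after the loop the file holds only the last line that did not match `password` (plus the `password=` line AddRules then appends); this hunk renames the temp file but leaves the redirection in the loop, whereas the same commit moves it to the `done` line in CleanRules and CommentUserRules. Apply the same change here: `echo "${line}"` in the loop body and `done < ${tmpfile} > /etc/lilo.conf`. The mktemp result is unchecked as in the other functions, and since this copy carries the boot password, `tmpfile=$(mktemp /tmp/secure.XXXXXX) || return 1` before `cp -f /etc/lilo.conf ${tmpfile}` keeps the function from continuing with an empty name. LiloUpdate starts before this hunk.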
@@ -213,6 +216,47 @@ groupadd xgrp >& /dev/null usermod -G xgrp xfs /etc/security/msec/init-sh/grpuser.sh --clean +echo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -35,6 +35,20 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/promisc_check %changelog +* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Indentation problem should be fixed. +- All debug finished, changing secure.tmp to a mktemp + allocated tmpfile for symlink security. +- grpuser.sh take only one opt ( --refresh ), + take group name from /etc/security/msec/group.conf + and add user from /etc/security/msec/user.conf if secure level > 2 +- level0.sh fixed inittab entry +- fix a typo +- As requested, direct shell access for level 0 +- Fixed a little problem with the DRAKX_USERS variable +- removed chattr +a because of the problem it can cause to + other system automated system task. + * Mon Dec 13 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> - diff_check.sh : fix a typo. |