-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | Makefile | 8 | ||||
-rw-r--r-- | init-sh/group.conf | 2 | ||||
-rwxr-xr-x | init-sh/grpuser | 125 | ||||
-rwxr-xr-x | init-sh/grpuser.sh | 161 | ||||
-rw-r--r-- | init-sh/lib.sh | 20 |
6 files changed, 247 insertions, 72 deletions
@@ -1,4 +1,7 @@ 1999-15-10 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * grpuser.sh take only one opt ( --refresh ), + take group name from /etc/security/msec/init-sh/group.conf + and add user from /etc/security/msec/init-sh/user.conf if secure level > 2 * level0.sh fixed inittab entry * fix a typo * As requested, direct shell access for level 0 @@ -1,4 +1,4 @@ -VERSION = 0.5 +VERSION = 0.7 all: promisc_check @@ -20,7 +20,8 @@ rpm_install: all cp init-sh/file_perm.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh cp init-sh/perm.[0-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh cp init-sh/server.* $(RPM_BUILD_ROOT)/etc/security/msec/init-sh - cp init-sh/grpuser $(RPM_BUILD_ROOT)/etc/security/msec/init-sh + cp init-sh/group.conf $(RPM_BUILD_ROOT)/etc/security/msec/init-sh + cp init-sh/grpuser.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh cp init-sh/custom.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh cp cron-sh/*.sh $(RPM_BUILD_ROOT)/etc/security/msec/cron-sh touch $(RPM_BUILD_ROOT)/etc/security/msec/security.conf @@ -43,7 +44,8 @@ install: (cp init-sh/level* /etc/security/msec/init-sh) (cp init-sh/init.sh /etc/security/msec/init.sh); (cp init-sh/lib.sh /etc/security/msec/init-sh); - (cp init-sh/grpuser /etc/security/msec/init-sh); + (cp init-sh/grpuser.sh /etc/security/msec/init-sh); + (cp init-sh/group.conf /etc/security/msec/init-sh); (cp init-sh/file_perm.sh /etc/security/msec/init-sh); (cp init-sh/*.[0-5] /etc/security/msec/init-sh/) (cp init-sh/custom.sh /etc/security/msec/init-sh); diff --git a/init-sh/group.conf b/init-sh/group.conf new file mode 100644 index 0000000..bdbca9d --- /dev/null +++ b/init-sh/group.conf @@ -0,0 +1,2 @@ +audio +urpmi diff --git a/init-sh/grpuser b/init-sh/grpuser index fb2ad25..6fa0e5d 100755 --- a/init-sh/grpuser +++ b/init-sh/grpuser 
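Review bot: The added `cp init-sh/group.conf $(RPM_BUILD_ROOT)/etc/security/msec/init-sh` line here (and its twin in the `install` hunk at `@@ -43`) puts group.conf under init-sh/, but the new grpuser.sh reads `/etc/security/msec/group.conf` and `/etc/security/msec/user.conf` and its Perm() exits when either is missing, so as installed `--refresh` always fails with "/etc/security/msec/group.conf doesn't exist...". Either install to `$(RPM_BUILD_ROOT)/etc/security/msec/group.conf` (and `/etc/security/msec/` in `install`) or change the paths in the script; note the ChangeLog entry also names the init-sh/ path, so one of the two needs correcting. Nothing in either target installs user.conf, so unless it is created elsewhere the second Perm() check fails on it too. Both targets still copy with plain `cp`; `install -m 644` would pin the mode of the shipped configuration instead of inheriting whatever the checkout has.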
@@ -13,12 +13,13 @@ user_name=$3 Usage() { echo "Usage :" - echo " --add [ groupname ] [ username ] ---> Add an user to a group." - echo " --del [ groupname ] [ username ] ---> Delete an user from a group." + echo " --refresh ---> Read group name in /etc/security/msec/group.conf" + echo " and add each user in /etc/security/msec/user.conf" + echo " in these groups ( if security level is <= 2 )" } ModifyFile() { - mv /etc/${file} /tmp/${file}.old + cp /etc/${file} /tmp/${file}.old head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file} echo "${new_group_line}" >> /etc/${file} @@ -42,10 +43,10 @@ AppendUserToGroup() { IsUserAlreadyInGroup() { if echo ${group_users} | grep -qw "${user_name}"; then - return 1 + return 0 fi - return 0 + return 1 } IsGroupExisting() { @@ -60,8 +61,9 @@ IsGroupExisting() { group_users=`echo ${tmp} | awk -F: '{print $5}'` group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'` - [ -z "${tmp}" ] && return 0 - return 1 + [ -z "${tmp}" ] && return 1 + + return 0 } IsUserExisting() { 
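Review bot: ModifyFile still rebuilds `/etc/${file}` in place via the fixed, predictable path `/tmp/${file}.old`: Perm() requires UID 0, so a root process copies /etc/group into a world-writable directory and reads it back from there, and `head … > /etc/${file}` truncates the live group file before the rewrite is complete, so an interruption between that `>` and the final `tail` leaves a truncated /etc/group. Swapping `mv` for `cp` does not close that window. Assemble the new content in a temporary file created with `mktemp` beside the target and `mv -f` it over /etc/${file} at the end, so the live file is replaced atomically and /tmp is not involved; the mode of the mktemp file must be set to that of /etc/group before the move. The same ModifyFile is carried verbatim by the grpuser.sh new-file hunk below, and lib.sh uses the same fixed `/tmp/secure.tmp` pattern.
```sh
ModifyFile() {
	# Build the replacement beside the target, then swap it in atomically.
	new_file=`mktemp /etc/${file}.XXXXXX` || exit 1
	head -$((group_line_number - 1)) /etc/${file} > ${new_file}
	echo "${new_group_line}" >> ${new_file}
	tail +$((group_line_number + 1)) /etc/${file} >> ${new_file}
	chmod --reference=/etc/${file} ${new_file}
	mv -f ${new_file} /etc/${file}
}
```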
@@ -73,68 +75,66 @@ IsUserExisting() { return 1; } -Add() { - IsGroupExisting; - if [[ $? == 0 ]]; then - echo "Sorry, group \"${group_name}\" does not exist." - echo "Please create it using the \"groupadd\" command." - exit 1 - fi - - IsUserExisting; - if [[ $? == 1 ]]; then - echo "Sorry, user \"${user_name}\" does not exist." - exit 1 - fi - - IsUserAlreadyInGroup; - if [[ $? == 1 ]]; then - echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"." - exit 1 +Refresh() { + if [[ ${SECURE_LEVEL} > 2 ]]; then + echo "You are in a secure level > 2, in this level you need to add group user by yourself." + echo "Use the command : usermod -G group_name user_name" + exit 1; fi - AppendUserToGroup; - ModifyFile; - - exit 0 -} - -Del() { - IsGroupExisting; - if [[ $? == 0 ]]; then - echo "Sorry, group \"${group_name}\" does not exist." - exit 1 - fi - - IsUserAlreadyInGroup; - if [[ $? == 0 ]]; then - echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"." - exit 1 - fi - - RemoveUserFromGroup; - ModifyFile; - - exit 0 + cat /etc/security/msec/group.conf | while read group_name; do + IsGroupExisting; + if [[ $? != 0 ]]; then + echo "Group \"${group_name}\" doesn't exist. skiping it." + else + cat /etc/security/msec/user.conf | while read user_name; do + IsUserExisting; + if [[ $? != 0 ]]; then + # user doesn't exist + echo "Can't add user \"${user_name}\" to group \"${group_name}\"." + echo "\"${user_name}\" doesn't exist. skiping." + IsUserAlreadyInGroup; + if [[ $? == 0 ]]; then + # user doesn't exist but is in a group... delete user from this group. + RemoveUserFromgroup; + ModifyFile; + fi + else + usermod -G ${group_name} ${user_name} + fi + done + fi + done } Perm() { + if [[ ${UID} != 0 ]]; then + echo "You need root access to use this tool." + echo "And this script shouldn't be used by users." + exit 1 + fi + if [[ ! -w /etc/${file} ]]; then - echo "You're not allowed to write to /etc/group..." 
- exit 1 + echo "You're not allowed to write to /etc/group..." + exit 1 + fi + + if [[ ! -f /etc/security/msec/group.conf ]]; then + echo "/etc/security/msec/group.conf doesn't exist..." + exit 1 + fi + + if [[ ! -f /etc/security/msec/user.conf ]]; then + echo "/etc/security/msec/user.conf doesn't exist..." + exit 1 fi } -if [[ $# == 3 ]]; then +if [[ $# == 1 ]]; then case $1 in - "--add") - Perm; - Add; - exit 0 - ;; - "--del") + "--refresh") Perm; - Del; + Refresh; exit 0 ;; esac @@ -150,3 +150,12 @@ fi + + + + + + + + + diff --git a/init-sh/grpuser.sh b/init-sh/grpuser.sh new file mode 100755 index 0000000..6fa0e5d --- /dev/null +++ b/init-sh/grpuser.sh 
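Review bot: `RemoveUserFromgroup;` in the new Refresh() does not match the function defined as `RemoveUserFromGroup`, so the call fails with "command not found" and the following `ModifyFile;` rewrites the group's line in /etc/group with `new_group_line`, which nothing in Refresh ever sets and which is initialised to the empty string at the top of the script — the group entry is wiped. On the else branch `usermod -G ${group_name} ${user_name}` replaces the user's whole supplementary group list with that single group, so the second entry in group.conf undoes the first and any membership granted outside this tool is lost; the former Add() path (`AppendUserToGroup; ModifyFile;`) added without clobbering, or use an append form of usermod if the installed shadow-utils provides one. `[[ ${SECURE_LEVEL} > 2 ]]` is a string comparison inside `[[ ]]`, so an unset or empty SECURE_LEVEL makes the guard false and Refresh proceeds; `if [[ ${SECURE_LEVEL:-0} -gt 2 ]]; then` states the intent. The grpuser.sh new-file hunk below is a byte-identical copy (both index lines end in blob 6fa0e5d) and carries all three problems; since the Makefile no longer installs init-sh/grpuser, the old copy could be removed rather than kept in sync by hand.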
@@ -0,0 +1,161 @@ +#!/bin/sh + +# +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# Thanks to Francis Galiegue. +# + +file="group" +group_line="" +new_group_line="" +group_name=$2 +user_name=$3 + +Usage() { + echo "Usage :" + echo " --refresh ---> Read group name in /etc/security/msec/group.conf" + echo " and add each user in /etc/security/msec/user.conf" + echo " in these groups ( if security level is <= 2 )" +} + +ModifyFile() { + cp /etc/${file} /tmp/${file}.old + + head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file} + echo "${new_group_line}" >> /etc/${file} + tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file} + + rm -f /tmp/${file}.old +} + +RemoveUserFromGroup() { + new_group_line=${group}`echo ${group_users} | + sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g` +} + +AppendUserToGroup() { + if [[ -z ${group_users} ]]; then + new_group_line=${group_line}${user_name} + else + new_group_line=${group_line}",${user_name}" + fi +} + +IsUserAlreadyInGroup() { + if echo ${group_users} | grep -qw "${user_name}"; then + return 0 + fi + + return 1 +} + +IsGroupExisting() { + group_line="" + group_line_number="" + + # We get some group infos as well, will be used later + tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "` + + group_line_number=`echo ${tmp} | awk -F: '{print $1}'` + group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'` + group_users=`echo ${tmp} | awk -F: '{print $5}'` + group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'` + + [ -z "${tmp}" ] && return 1 + + return 0 +} + +IsUserExisting() { + grep -qn "^${user_name}:" /etc/passwd + if [[ $? == 0 ]]; then + return 0; + fi + + return 1; +} + +Refresh() { + if [[ ${SECURE_LEVEL} > 2 ]]; then + echo "You are in a secure level > 2, in this level you need to add group user by yourself." 
+ echo "Use the command : usermod -G group_name user_name" + exit 1; + fi + + cat /etc/security/msec/group.conf | while read group_name; do + IsGroupExisting; + if [[ $? != 0 ]]; then + echo "Group \"${group_name}\" doesn't exist. skiping it." + else + cat /etc/security/msec/user.conf | while read user_name; do + IsUserExisting; + if [[ $? != 0 ]]; then + # user doesn't exist + echo "Can't add user \"${user_name}\" to group \"${group_name}\"." + echo "\"${user_name}\" doesn't exist. skiping." + IsUserAlreadyInGroup; + if [[ $? == 0 ]]; then + # user doesn't exist but is in a group... delete user from this group. + RemoveUserFromgroup; + ModifyFile; + fi + else + usermod -G ${group_name} ${user_name} + fi + done + fi + done +} + +Perm() { + if [[ ${UID} != 0 ]]; then + echo "You need root access to use this tool." + echo "And this script shouldn't be used by users." + exit 1 + fi + + if [[ ! -w /etc/${file} ]]; then + echo "You're not allowed to write to /etc/group..." + exit 1 + fi + + if [[ ! -f /etc/security/msec/group.conf ]]; then + echo "/etc/security/msec/group.conf doesn't exist..." + exit 1 + fi + + if [[ ! -f /etc/security/msec/user.conf ]]; then + echo "/etc/security/msec/user.conf doesn't exist..." + exit 1 + fi +} + +if [[ $# == 1 ]]; then + case $1 in + "--refresh") + Perm; + Refresh; + exit 0 + ;; + esac + Usage; + exit 0 +else + Usage; +fi + + + + + + + + + + + + + + + + diff --git a/init-sh/lib.sh b/init-sh/lib.sh index e519ad8..124fc63 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -57,10 +57,10 @@ AddBegRules() { echo "Modifying config in ${file}..." fi - mv ${file} /tmp/secure.tmp + cp -f ${file} /tmp/secure.tmp if ! grep -Eqx "^${string}" /tmp/secure.tmp; then - echo -e "${COMMENT}" >> ${file}; + echo -e "${COMMENT}" > ${file}; echo -e "${string}" >> ${file}; fi 
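Review bot: The new file declares `#!/bin/sh` but relies on bash-only constructs throughout — `[[ … ]]` in every test, `$(( … ))` in ModifyFile and `${UID}` in Perm() — so it only works where /bin/sh happens to be bash; `#!/bin/bash` states the real dependency. The hunk also ends with a run of about fifteen empty lines after the final `fi` (the grpuser hunk at `@@ -150,3 +150,12` adds nine of the same); trimming them keeps the file tidy.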
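Review bot: With `mv` replaced by `cp -f ${file} /tmp/secure.tmp`, ${file} still exists when the `if ! grep -Eqx` test runs, so the change from `>>` to `>` on `echo -e "${COMMENT}" > ${file}` now truncates the live file in one branch while the other branch (string already present) leaves it untouched with its full original content; the rest of AddBegRules is outside the hunk, so whether the later code appends /tmp/secure.tmp back in both cases cannot be checked here and should be confirmed, otherwise the already-present branch duplicates the whole file. `/tmp/secure.tmp` is a fixed, predictable filename in a world-writable directory used by a root-run script; `mktemp` (or a scratch file in a root-only directory) avoids that. The same `cp -f` into /tmp/secure.tmp is repeated in the CleanRules, CommentUserRules and LiloUpdate hunks.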
@@ -81,8 +81,7 @@ CleanRules() { fi echo -en "\t- Cleaning msec appended line in ${file} : " - mv -f ${file} /tmp/secure.tmp - touch ${file} + cp -f ${file} /tmp/secure.tmp while read line; do if [[ ${ctrl} == 1 ]]; then @@ -95,7 +94,7 @@ CleanRules() { fi if [[ ${ctrl} == 0 ]]; then - echo "${line}" >> ${file} + echo "${line}" > ${file} fi done < /tmp/secure.tmp @@ -113,12 +112,11 @@ CommentUserRules() { echo -en "\t- Cleaning user appended line in ${file} : " - mv -f ${file} /tmp/secure.tmp - touch ${file} - + cp -f ${file} /tmp/secure.tmp + while read line; do if ! echo "${line}" | grep -qE "^#"; then - echo "# ${line}" >> ${file} + echo "# ${line}" > ${file} fi done < /tmp/secure.tmp @@ -158,10 +156,10 @@ LiloUpdate() { fi if [[ ! -z "${password}" ]]; then - mv /etc/lilo.conf /tmp/secure.tmp + cp -f /etc/lilo.conf /tmp/secure.tmp while read line; do if ! echo "${line}" | grep -q "password"; then - echo "${line}" >> /etc/lilo.conf + echo "${line}" > /etc/lilo.conf fi done < /tmp/secure.tmp |
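Review bot: In the CleanRules hunk at `@@ -95`, `echo "${line}" > ${file}` runs inside `while read line; do … done < /tmp/secure.tmp`, so every iteration truncates ${file} and only the last kept line survives; the previous `mv -f` + `touch` left an empty ${file} for `>>` to fill, and switching to `cp -f` needed the file emptied once, not `>` on each line. Keep `echo "${line}" >> ${file}` and truncate once after the copy, e.g. `cp -f ${file} /tmp/secure.tmp` followed by `: > ${file}`. CommentUserRules (`@@ -113`) has the identical change, and the LiloUpdate hunk does the same to /etc/lilo.conf, which would leave the boot loader configuration with a single line.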