Stefan Siegel <[EMAIL PROTECTED]> writes:
>
> Hello everybody,
>
> I found some errors in "security_check.sh". Here is my list of fixes,
> and attached you can find a patch against the "msec-0.9-14mdk" rpm.
Hi Stefan,
cool to see that so many people take such an interest in msec;
however, please never ever frighten me like that with
a subject like that...
because these are not "SECURITY BUGs".
>
> -----8<------------------------------------------------------>8------
> * Files that should not be owned by someone else or readable:
> -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
ok :)
It's very difficult to include every important file :)
>
> * Files that should not be owned by someone else or writeable:
> -> replaced "-" by "." in the awk script because ".ssh" is a directory
>
ok
> * Check home directories. Directories should not be owned by
> someone else or writeable:
> -> replaced "-" by "d" in the awk script because "~" is a directory
ok
> -> replaced the username check by a uid check (avoids false output
> for usernames > 8 chars, e.g. "fetchmail" != "fetchmai")
This one is cool;
however, I first started by looking at the UID,
but this is a problem for novice users...
In the end I will probably do a UID check and look up the username
associated with the UID in question.
> -> removed "~lp" and "~mail" from group-check as their homedirs
> are group writeable
Wrong, this completely depends on your configuration.
alph:~$ ls -l mail
-rw------- 1 yoann yoann 5057 Feb 11 12:40 mail
alph:~$
Here is the code review :)
I will implement the majority of the things here on Monday
and do a new release.
However, be careful: msec should get many architecture changes in
a short time, so do not bother too much :)
>
> -- 
> Bye and see you soon,
>
> Stefan
>
> diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig
>/etc/security/msec/cron-sh/security_check.sh
> --- /etc/security/msec/cron-sh/security_check.sh.orig Thu Jan 6 18:14:37 2000
> +++ /etc/security/msec/cron-sh/security_check.sh Fri Feb 25 20:30:16 2000
> @@ -55,7 +55,8 @@
>
> if [[ ${CHECK_PERMS} == yes ]]; then
> # Files that should not be owned by someone else or readable.
> -list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity
>.ssh/random_seed"
> +list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
> +.pgp/secring.pgp .ssh/identity .ssh/random_seed"
> awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
> while read username uid homedir; do
> for f in ${list} ; do
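Review bot: the new `.gnupg/secring.gpg` entry covers the secret keyring but not GnuPG's `~/.gnupg/random_seed`, the counterpart of the `.ssh/random_seed` that is already in `list`; consider adding `.gnupg/random_seed` in the same change. A style point on the same lines: the `\` continuation inside the double-quoted `list=` assignment works only as long as nothing, not even a trailing space, follows the backslash, so keeping the whole list on one line as before, or building it from several `list="${list} ..."` assignments, is less fragile.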
> @@ -95,9 +96,9 @@
> done
> done | awk '$1 != $6 && $6 != "0" \
> { print "\t\t- " $3 " : file is owned by uid " $6 "." }
> - $4 ~ /^-....w/ \
> + $4 ~ /^.....w/ \
This one is ok.
> { print "\t\t- " $3 " : file is group writeable." }
> - $4 ~ /^-.......w/ \
> + $4 ~ /^........w/ \
> { print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
This one is ok.
>
> if [[ -s ${TMP} ]]; then
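Review bot: replacing the leading `-` with `.` in `^.....w` and `^........w` admits every file type, not just regular files plus the `.ssh` directory this change is meant to cover. In a long listing a symbolic link is always shown as `lrwxrwxrwx`, so any entry in the list that is a symlink will from now on be reported as both group writeable and other writeable. Restricting the first character to `^[-d]....w` and `^[-d].......w` keeps the directory case without that false positive.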
> @@ -106,18 +107,20 @@
> fi
>
> ### Check home directories. Directories should not be owned by someone else or
>writeable.
> -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
> -while read uid homedir; do
> +awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
> +while read username uid homedir; do
> if [[ -d ${homedir} ]] ; then
> - file=`ls -ldg ${homedir}`
> - printf "$uid $file\n"
> + realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
> + realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
> + permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
> + printf "${permissions} ${username} (${uid}) ${realuser}
>(${realuid})\n"
> fi
> -done | awk '$1 != $4 && $4 != "root" \
> - { print "user=" $1 " : home directory is owned by " $4 "." }
> - $2 ~ /^-....w/ \
> - { print "user=" $1 " : home directory is group writeable." }
> - $2 ~ /^-.......w/ \
> - { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
> +done | awk '$3 != $5 && $5 != "(0)" \
> + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
> + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
$2 != "lp" && $2 != "mail"
This one is wrong, as I've said above.
> + { print "user=" $2 $3" : home directory is group writeable." }
> + $1 ~ /^d.......w/ \
> + { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
>
> if [[ -s $TMP ]] ; then
> printf "\nSecurity Warning: these home directory should not be owned by
>someone else or writeable :\n" >> ${SECURITY}
>
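Review bot: the hard-coded `$2 != "lp" && $2 != "mail"` exemption in the group-writeable test silences the check for those two accounts whatever their actual mode is, and, as the reply above notes, on configurations where `~mail` is not group writeable it hides a real misconfiguration; if a site needs an exception it belongs in a configurable variable of the script, not inside the awk program. Two smaller points on the same hunk: the three separate `ls -ldg ${homedir}` invocations per home directory can be a single `ls -ldn` whose fields are read once into the permission, owner and the other variables, and `${homedir}` is unquoted in both the `[[ -d ]]` test and the `ls` calls, so a home directory path containing whitespace is mis-parsed. The owner extraction also relies on `awk '{ print $3 }'` being the owner column, which only holds while `-g` does not suppress that column in the installed `ls` (GNU ls has treated `-g` differently across releases), so reading the columns from plain `ls -ldn` is the safer choice.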
>
--
-- Yoann http://prelude.sourceforge.net
It is well known that M$ products don't make a free() after a malloc();
the unix community wishes them good luck for their future development.
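The UID-based home directory check that the patch and the reply converge on, written out here as an added example (it is not msec's own code nor Stefan's patch): it reads passwd(5)-format input, takes the numeric owner UID and the octal mode from GNU stat(1) instead of parsing ls(1) columns, so long user names such as fetchmail can no longer be truncated into a false mismatch, follows a symlinked home directory with `stat -L` so the link's own `lrwxrwxrwx` mode is not reported as writeable, skips NIS `+`/`-` entries like the original awk filter, and carries no per-user exemption of the lp/mail kind. The GNU stat options (`-L`, `-c '%u %U %a'`) and the passwd-file argument are assumptions of this example.

```shell
#!/bin/bash
# Added example, not msec's own code: check home directories by numeric UID.
# Assumes GNU stat(1) for the -L and -c options; runs under bash or POSIX sh.
#
# check_home_dirs PASSWD_FILE
#   Reads passwd(5)-format lines, skips NIS "+"/"-" entries and users whose
#   home directory does not exist, and prints one line per problem found.
#   Returns 0 when every home directory is clean, 1 otherwise.
check_home_dirs() {
    passwd_file=$1
    rc=0
    while IFS=: read -r username _ uid _ _ homedir _; do
        case $username in
            ''|+*|-*) continue ;;          # blank line or NIS +/- entry
        esac
        [ -d "$homedir" ] || continue

        # Compare numeric UIDs, not names: "ls -l" truncates long user names
        # (e.g. "fetchmail" to "fetchmai"), which produced false alarms.
        # -L follows a symlinked home directory so that the directory's own
        # mode is checked instead of the symlink's (always lrwxrwxrwx).
        owner_uid=
        read -r owner_uid owner_name mode <<EOF
$(stat -L -c '%u %U %a' "$homedir")
EOF
        [ -n "$owner_uid" ] || continue    # stat failed (e.g. dangling link)

        # Root-owned home directories are tolerated, as in the original check.
        if [ "$owner_uid" != "$uid" ] && [ "$owner_uid" != 0 ]; then
            printf 'user=%s(%s) : home directory is owned by %s(%s).\n' \
                "$username" "$uid" "$owner_name" "$owner_uid"
            rc=1
        fi

        # %a prints the mode in octal without a leading zero (e.g. 755, 2775).
        # Every octal digit is 0-7, so decimal digit arithmetic isolates the
        # group digit (second from the right) and the other digit (rightmost);
        # the write bit is 2 in each.
        group_bits=$(( mode / 10 % 10 ))
        other_bits=$(( mode % 10 ))
        if [ $(( group_bits & 2 )) -ne 0 ]; then
            printf 'user=%s(%s) : home directory is group writeable.\n' "$username" "$uid"
            rc=1
        fi
        if [ $(( other_bits & 2 )) -ne 0 ]; then
            printf 'user=%s(%s) : home directory is other writeable.\n' "$username" "$uid"
            rc=1
        fi
    done < "$passwd_file"
    return "$rc"
}

# Run against a passwd file given on the command line, e.g.
#   ./check_home.sh /etc/passwd
if [ "$#" -gt 0 ]; then
    check_home_dirs "$1"
fi
```

A site that really does want `~mail` or `~lp` group writeable should express that as a list of exempted UIDs fed to the function rather than as names baked into the test, so the exemption is visible in the configuration and cannot be confused by name truncation.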