[EMAIL PROTECTED] wrote:
>
> Stefan Siegel <[EMAIL PROTECTED]> writes:
>
> >
> > Hello everybody,
> >
> > I found some errors in "security_check.sh". Here is my list of fixes
> > and attached you can find a patch against "msec-0.9-14mdk" rpm
>
> Hi Stefan,
> cool to see that many people take so much interest in msec,
> however, please never ever frighten me like that with
> a subject like that...
>
> Cause it's not a "SECURITY BUGs"
OK, let's say a bug in a security-package ;-)
> >
> > -----8<------------------------------------------------------>8------
> > * Files that should not be owned by someone else or readable:
> > -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
> ok :)
> It's very difficult to include all important files :)
that's right, but as Mandrake switched to GNUPG I thought it would be
a good idea ....
> [...]
> > -> replaced username-check by uid-check (avoids false output
> > by usernames > 8 char, e.g. "fetchmail" != "fetchmai" )
> This one is cool,
> however I first started to look at uid,
> but this is a problem with novice users...
> In the end I will probably do a UID check, and search the username
> associated to the UID in question.
When you look at my patch you'll find uid and names are displayed ...
>
> > -> removed "~lp" and "~mail" from group-check as their homedirs
> > are group writeable
>
> wrong, it completely depends on your configuration.
> alph:~$ ls -l mail
> -rw------- 1 yoann yoann 5057 Feb 11 12:40 mail
> alph:~$
------8<---------->8-------
$ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/filesystem-1.3.5-1mdk.noarch.rpm |
grep mail
drwxrwxr-x root mail 1024 Feb 6 1996 /var/spool/mail
$ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/lpr-0.48-1mdk.i586.rpm | grep spool
drwxrwxr-x root daemon 4096 Jan 10 14:30 /var/spool/lpd
------8<---------->8-------
that's why I "removed" those two from being displayed ...
(Note: Your rpms from iso-2 ...)
> [...]
> However, be careful, msec should get many architecture changes in
> a short time, so do not bother too much :)
waiting to see what will come next ...
> > diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig
>/etc/security/msec/cron-sh/security_check.sh
> > [...]
> > ### Check home directories. Directories should not be owned by someone else or
>writeable.
> > -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
> > -while read uid homedir; do
> > +awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
> > +while read username uid homedir; do
> > if [[ -d ${homedir} ]] ; then
> > - file=`ls -ldg ${homedir}`
> > - printf "$uid $file\n"
> > + realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
> > + realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
> > + permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
> > + printf "${permissions} ${username} (${uid}) ${realuser}
>(${realuid})\n"
> > fi
> > -done | awk '$1 != $4 && $4 != "root" \
> > - { print "user=" $1 " : home directory is owned by " $4 "." }
> > - $2 ~ /^-....w/ \
> > - { print "user=" $1 " : home directory is group writeable." }
> > - $2 ~ /^-.......w/ \
> > - { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
> > +done | awk '$3 != $5 && $5 != "(0)" \
> > + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
> > + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
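Review bot: The exemption $2 != "lp" && $2 != "mail" on the last added line keys on account names, so the group-writeable warning is silenced for any account called lp or mail regardless of where its home directory points, and a site where those homes are not group-writeable spool directories loses the check. Consider exempting by expected directory instead (the home is /var/spool/mail or /var/spool/lpd), or making the exception list configurable. Separately, the added printf puts ${permissions}, ${username} and the other values into the format string, and ${homedir} is unquoted in the three ls calls; a fixed format such as '%s %s (%s) %s (%s)\n' with quoted arguments, fed from a single ls -ldn "${homedir}", would avoid misparsing on "%" or whitespace and would read owner and mode from the same snapshot.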
>
> $2 != "lp" && $2 != "mail"
> this one is wrong as I've said above..
I explained my "removing" above ... BTW as you can see my output is:
user=test1(503) : home directory is owned by test2(504).
so you have uid and usernames displayed ...
--
Bye, and see you soon,
Stefan
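
The uid-based check discussed in this thread, as an added example that is not part of the thread or of msec: the owner is compared by numeric uid (so an 8-character truncation such as "fetchmai" cannot cause a false report) and the owner's name is then looked up from the uid for the report. The function name check_homes and its optional passwd-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not msec code. check_homes is a hypothetical name.
# Usage: check_homes [passwd-format file]    (defaults to /etc/passwd)
check_homes() {
    passwd_file=${1:-/etc/passwd}
    while IFS=: read -r username pw uid gid gecos homedir shell; do
        # Skip empty names and NIS "+"/"-" entries, like the /^[^+-]/ filter.
        case $username in ''|+*|-*) continue ;; esac
        [ -d "$homedir" ] || continue
        # ls -n prints numeric ids: nothing is truncated or resolved by name.
        # One ls call, so mode and owner come from the same snapshot.
        info=$(ls -ldn -- "$homedir" | awk '{ print $1, $3; exit }')
        perms=${info% *}
        owner_uid=${info#* }
        # Report a foreign owner unless the directory belongs to uid 0.
        if [ "$owner_uid" != "$uid" ] && [ "$owner_uid" != 0 ]; then
            # Map the owning uid back to a name for the reader of the report.
            owner_name=$(awk -F: -v u="$owner_uid" \
                '$3 == u { print $1; exit }' "$passwd_file")
            printf 'user=%s(%s) : home directory is owned by %s(%s).\n' \
                "$username" "$uid" "${owner_name:-unknown}" "$owner_uid"
        fi
        # Mode string: d + rwx (user) + rwx (group) + rwx (other).
        case $perms in
            d????w*) printf 'user=%s(%s) : home directory is group writeable.\n' \
                "$username" "$uid" ;;
        esac
        case $perms in
            d???????w*) printf 'user=%s(%s) : home directory is other writeable.\n' \
                "$username" "$uid" ;;
        esac
    done < "$passwd_file"
}
```

Unlike the patch, this version exempts no accounts by name; a site-specific exception list would be applied to its output.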