Hello everybody,

I found some errors in "security_check.sh". Here is my list of fixes,
and attached you can find a patch against the "msec-0.9-14mdk" rpm

-----8<------------------------------------------------------>8------
* Files that should not be owned by someone else or readable:
   -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default

* Files that should not be owned by someone else or writeable:
   -> replaced "-" by "." in awk-script because ".ssh" is a directory

* Check home directories. Directories should not be owned by 
  someone else or writeable:
   -> replaced "-" by "d" in awk-script because "~" is a directory
   -> replaced username-check by uid-check (avoids false output 
      by usernames > 8 char, e.g. "fetchmail" != "fetchmai" )
   -> removed "~lp" and "~mail" from group-check as their homedirs
      are group writeable
-----8<------------------------------------------------------>8------

I think it's time to give MandrakeUpdate some work ;-)

-- 
Tschüss und bis demnächst,

                       Stefan
diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig 
/etc/security/msec/cron-sh/security_check.sh
--- /etc/security/msec/cron-sh/security_check.sh.orig   Thu Jan  6 18:14:37 2000
+++ /etc/security/msec/cron-sh/security_check.sh        Fri Feb 25 20:30:16 2000
@@ -55,7 +55,8 @@
 
 if [[ ${CHECK_PERMS} == yes ]]; then
 # Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity 
.ssh/random_seed"
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/random_seed"
 awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | 
 while read username uid homedir; do
     for f in ${list} ; do
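Review bot: The extended `list` still names individual files only, so the `.gnupg` directory itself is not tested even though GnuPG keeps further private state there (`random_seed`, the counterpart of the `.ssh/random_seed` already in the list) and warns when that directory is group- or other-accessible; consider adding `.gnupg` and `.gnupg/random_seed` to `list` if the consuming loop copes with a directory entry. The `for f in ${list}` loop's body lies outside the hunk, so whether it handles directories, or only regular files, cannot be confirmed from here.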
@@ -95,9 +96,9 @@
         done
 done | awk '$1 != $6 && $6 != "0" \
         { print "\t\t- " $3 " : file is owned by uid " $6 "." }
-     $4 ~ /^-....w/ \
+     $4 ~ /^.....w/ \
         { print "\t\t- " $3 " : file is group writeable." }
-     $4 ~ /^-.......w/ \
+     $4 ~ /^........w/ \
         { print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
 
 if [[ -s ${TMP} ]]; then
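Review bot: Widening the type character from `-` to `.` in `$4 ~ /^.....w/` and `$4 ~ /^........w/` also admits symbolic links, whose mode string on Linux is the constant `lrwxrwxrwx`, so a `.ssh` or `.netrc` that is a symlink would be reported as both group- and other-writeable. Limiting the class to the two intended types keeps the directory fix without that false positive: `$4 ~ /^[-d]....w/` and `$4 ~ /^[-d].......w/`. The mode strings in field 4 are produced by the loop whose body and `ls` call lie above the hunk, so this assumes that loop lists entries without following links.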
@@ -106,18 +107,20 @@
 fi
 
 ### Check home directories.  Directories should not be owned by someone else or 
writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
+awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
+while read username uid homedir; do
         if [[ -d ${homedir} ]] ; then
-                file=`ls -ldg ${homedir}`
-                printf "$uid $file\n"
+                realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
+                realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
+                permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+                printf "${permissions} ${username} (${uid}) ${realuser} 
+(${realuid})\n"
         fi
-done | awk '$1 != $4 && $4 != "root" \
-        { print "user=" $1 " : home directory is owned by " $4 "." }
-     $2 ~ /^-....w/ \
-        { print "user=" $1 " : home directory is group writeable." }
-     $2 ~ /^-.......w/ \
-        { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
+done | awk '$3 != $5 && $5 != "(0)" \
+        { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+     $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+        { print "user=" $2 $3" : home directory is group writeable." }
+     $1 ~ /^d.......w/ \
+        { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
 
 if [[ -s $TMP ]] ; then
         printf "\nSecurity Warning: these home directory should not be owned by 
someone else or writeable :\n" >> ${SECURITY}
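Review bot: The three `ls -ldg … | awk '{ print $3 }'` pipelines in the new loop body (`realuid=`, `realuser=`, `permissions=`) rely on `-g` leaving the owner column in place; GNU coreutils documents `-g` as "like -l, but do not list owner", and on such an ls field 3 is the group, so the owner comparison `$3 != $5` would be made against the gid and the check would silently stop reporting foreign-owned homes for users whose uid equals their gid. Dropping `-g` (`ls -ldn` for the numeric owner and mode, `ls -ld` for the name) avoids that, and one `read` per listing replaces the repeated `ls`/`awk` pairs. The `printf "${permissions} ${username} (${uid}) …"` line also places /etc/passwd data in the format string, where a `%` in a username would be interpreted, and `${homedir}` is unquoted in every `ls` call; the rewrite below passes the values as `%s` arguments and quotes the path while keeping the five-field layout the awk program expects. The `lp`/`mail` exemption hard-coded into the group-writeable branch of the awk program would be easier to audit as a variable declared next to `list`, but that is a style point.
```shell
        if [[ -d "${homedir}" ]] ; then
                # no -g: on ls versions where -g suppresses the owner column, field 3 would be the group
                read -r permissions _ realuid _ < <(ls -ldn -- "${homedir}")
                read -r _ _ realuser _ < <(ls -ld -- "${homedir}")
                printf '%s %s (%s) %s (%s)\n' "${permissions}" "${username}" "${uid}" "${realuser}" "${realuid}"
        fi
# … unchanged: awk report over the five printed fields …
```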
