Hello everybody, I found some errors in "security_check.sh". Here is my list of fixes and attached you can find a patch against "msec-0.9-14mdk" rpm -----8<------------------------------------------------------>8------ * Files that should not be owned by someone else or readable: -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default * Files that should not be owned by someone else or writeable: -> replaced "-" by "." in awk-script because ".ssh" is a directory * Check home directories. Directories should not be owned by someone else or writeable: -> replaced "-" by "d" in awk-script because "~" is a directory -> replaced username-check by uid-check (avoids false output by usernames > 8 char, e.g. "fetchmail" != "fetchmai" ) -> removed "~lp" and "~mail" from group-check as their homedirs are group writeable -----8<------------------------------------------------------>8------ I think it's time to give MandrakeUpdate some work ;-) -- Tschüss und bis demnächst, Stefan
diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig /etc/security/msec/cron-sh/security_check.sh
--- /etc/security/msec/cron-sh/security_check.sh.orig Thu Jan 6 18:14:37 2000
+++ /etc/security/msec/cron-sh/security_check.sh Fri Feb 25 20:30:16 2000
@@ -55,7 +55,8 @@
 if [[ ${CHECK_PERMS} == yes ]]; then
 # Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/random_seed"
 awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | while read username uid homedir; do
 for f in ${list} ; do
@@ -95,9 +96,9 @@
 done
 done | awk '$1 != $6 && $6 != "0" \
 { print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^-....w/ \
+ $4 ~ /^.....w/ \
 { print "\t\t- " $3 " : file is group writeable." }
- $4 ~ /^-.......w/ \
+ $4 ~ /^........w/ \
 { print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
 if [[ -s ${TMP} ]]; then
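Review bot: The new `list` entry `.gnupg/secring.gpg` covers the GnuPG secret keyring, but the SSH entries in the same list also protect `.ssh/random_seed`, and GnuPG keeps its analogous seed file as `.gnupg/random_seed`; if the intent is to treat GnuPG like SSH and PGP here, adding `.gnupg/random_seed` to the same line keeps the list consistent. The backslash-newline inside the double-quoted assignment is removed by the shell, so splitting the string is safe; a short comment such as `# GnuPG (default on Mandrake) keeps its secret keyring under ~/.gnupg` next to the list would record why the entry was added. The `while read`/`for f` loop that consumes the list continues outside this hunk.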
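Review bot: Replacing the leading `-` with `.` in `$4 ~ /^.....w/` and `$4 ~ /^........w/` makes the patterns match any file type, not just regular files plus directories; assuming `$4` is the mode column of an `ls -l`-style listing produced by the loop body outside this hunk, a symbolic link in the list (mode `lrwxrwxrwx`) now satisfies both patterns and is reported as group- and other-writeable on every run, while the link target's real permissions are never examined. Restricting the first character to the two types the check is meant for, `$4 ~ /^[-d]....w/ \` and `$4 ~ /^[-d].......w/ \`, avoids that false positive; if links are supposed to be checked, the listing command in the loop body should follow them (`ls -L`) so the target's mode is what lands in `$4`. The loop that feeds this awk script starts before the hunk.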
@@ -106,18 +107,20 @@
 fi
 ### Check home directories. Directories should not be owned by someone else or writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
+awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
+while read username uid homedir; do
 if [[ -d ${homedir} ]] ; then
- file=`ls -ldg ${homedir}`
- printf "$uid $file\n"
+ realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
+ realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
+ permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+ printf "${permissions} ${username} (${uid}) ${realuser} +(${realuid})\n"
 fi
-done | awk '$1 != $4 && $4 != "root" \
- { print "user=" $1 " : home directory is owned by " $4 "." }
- $2 ~ /^-....w/ \
- { print "user=" $1 " : home directory is group writeable." }
- $2 ~ /^-.......w/ \
- { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
+done | awk '$3 != $5 && $5 != "(0)" \
+ { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+ { print "user=" $2 $3" : home directory is group writeable." }
+ $1 ~ /^d.......w/ \
+ { print "user=" $2 $3" : home directory is other writeable." }' > ${TMP}
 if [[ -s $TMP ]] ; then
 printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}
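Review bot: The new `printf "${permissions} ${username} (${uid}) ${realuser} ..."` line builds the printf format string out of data read from /etc/passwd and from `ls` output, so a `%` in a user or owner name is interpreted as a conversion specifier and the record fed to the awk script below is corrupted or the printf fails; passing the values as arguments, `printf '%s %s (%s) %s (%s)\n' "${permissions}" "${username}" "${uid}" "${realuser}" "${realuid}"`, keeps the format fixed. The three backtick `ls -ldg ${homedir}` calls also leave `${homedir}` unquoted, so a home directory containing whitespace or glob characters is listed as several paths (or not at all) and the fields shift; quoting as `"${homedir}"` in each call is needed, and one `ls -ldn "${homedir}"` read into fields would replace the three subprocesses per user. As shown, the printf line appears to break after `${realuser}` with a second `+` marker before `(${realuid})\n"`; if that newline is really inside the string rather than an artefact of mail wrapping, every record is split over two lines and the awk checks on `$3`/`$5` never see the uid pair, so this line should be confirmed before applying. The `$2 != "lp" && $2 != "mail"` exclusion silences the group-writeable check for those accounts whatever group owns the directory; a one-line comment in the script stating that their spool directories are group-writeable by design would preserve the reason the author gives in the description.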