Stefan Siegel <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
> >
> > Stefan Siegel <[EMAIL PROTECTED]> writes:
> >
> > >
> > > Hello everybody,
> > >
> > > I found some errors in "security_check.sh". Here is my list of fixes
> > > and attached you can find a patch against "msec-0.9-14mdk" rpm
> >
> > Hi Stefan,
> > cool to see that many people give many interest in msec,
> > however, please never ever frighten me like that with
> > a subject like that...
> >
> > Cause it's not a "SECURITY BUGs"
> OK, let's say a bug in a security-package ;-)

A bug is an error, I don't see any error :)
( except maybe the two little regex patches ) :-)

>
> > >
> > > -----8<------------------------------------------------------>8------
> > > * Files that should not be owned by someone else or readable:
> > > -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
> > ok :)
> > It's very difficult to include all important files :)
> that's right, but as Mandrake switched to GNUPG I thought it would be
> a good idea ....

it is :)

> > [...]
> > > -> replaced username-check by uid-check (avoids false output
> > > by usernames > 8 char, e.g. "fetchmail" != "fetchmai" )
> > This one is cool,
> > however I first started to look at uid,
> > but this is a problem with novice users...
> > In the end I will probably do a UID check, and search the username
> > associated to the UID in question.
> When you'll look at my patch you'll find uid and names being displayed ...

yop just seen it :)

> > >
> > > -> removed "~lp" and "~mail" from group-check as their homedirs
> > > are group writeable
> >
> > wrong, completely depends on your configuration.
> > alph:~$ ls -l mail
> > -rw------- 1 yoann yoann 5057 Feb 11 12:40 mail
> > alph:~$
> ------8<---------->8-------
> $ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/filesystem-1.3.5-1mdk.noarch.rpm |
> grep mail
> drwxrwxr-x root mail 1024 Feb 6 1996 /var/spool/mail
> $ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/lpr-0.48-1mdk.i586.rpm | grep spool
> drwxrwxr-x root daemon 4096 Jan 10 14:30 /var/spool/lpd
> ------8<---------->8-------
> that's why I "removed" those two from being displayed ...
> (Note: Your rpms from iso-2 ...)

what are you talking about, ~/mail or /var/spool/mail ? :)

> > [...]
> > However, be careful that msec should get many architecture changes in
> > a short while, so do not bother too much :)
> waiting to see what will come next ...

better architecture, also I'll maybe use cfengine.

> > > diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig
>/etc/security/msec/cron-sh/security_check.sh
> > > [...]
> > > ### Check home directories. Directories should not be owned by someone else or
>writeable.
> > > -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
> > > -while read uid homedir; do
> > > +awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
> > > +while read username uid homedir; do
> > > if [[ -d ${homedir} ]] ; then
> > > - file=`ls -ldg ${homedir}`
> > > - printf "$uid $file\n"
> > > + realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
> > > + realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
> > > + permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
> > > + printf "${permissions} ${username} (${uid}) ${realuser}
>(${realuid})\n"
> > > fi
> > > -done | awk '$1 != $4 && $4 != "root" \
> > > - { print "user=" $1 " : home directory is owned by " $4 "." }
> > > - $2 ~ /^-....w/ \
> > > - { print "user=" $1 " : home directory is group writeable." }
> > > - $2 ~ /^-.......w/ \
> > > - { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
> > > +done | awk '$3 != $5 && $5 != "(0)" \
> > > + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
> > > + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
>
> > $2 != "lp" && $2 != "mail"
> > this one is wrong as I've said above..
> I explained my "removing" above ... BTW as you can see my output is:
>
> user=test1(503) : home directory is owned by test2(504).
>
> so you have uid and usernames displayed ...

yop, that's cool :) will be included :)

--
Yoann
http://prelude.sourceforge.net
It is well known that M$ products don't make a free() after a malloc(),
the unix community wishes them good luck for their future development.
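Review bot: in the `realuid`/`realuser`/`permissions` lines the owner is picked out of positional field 3 of `ls -ldg ${homedir}` with `${homedir}` unquoted, which is fragile twice over: a home directory containing whitespace is split before `ls` sees it, and on GNU ls versions where `-g` suppresses the owner column field 3 is the group name, so the later `$3 != $5` test compares the passwd uid against the wrong value. One quoted `stat -c '%u %U %a' "${homedir}"` (or `ls -ldn "${homedir}"` without `-g`) in place of the three `ls` calls, printing the raw numbers so the awk filter can test `$5 != 0` instead of the parenthesised string `"(0)"`, would make the comparison robust. The added `$2 != "lp" && $2 != "mail"` clause also hard-codes the exception on user names, so it silently drops those two accounts on any system where their home is not the shared spool directory the thread shows; skipping only when `${homedir}` equals a configured spool path such as `/var/spool/mail` or `/var/spool/lpd` keeps the check meaningful elsewhere.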
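As an added example (not msec's code and not part of this thread), here is the home-directory check rewritten the way the discussion above points: uids are compared numerically so the 8-character username truncation of `ls -l` cannot produce false reports, ownership and mode bits come from GNU `stat -c` rather than positional fields of `ls -ldg`, paths are quoted, root-owned homes are tolerated as in the original script, and the lp/mail case is handled by a list of shared spool directories instead of hard-coded user names. The `SHARED_HOMES` variable, the `check_home_dirs` and `make_fixture` function names, and the passwd entries and directories the fixture builds are all constructed for the example; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not msec's own code): home-directory check comparing
# numeric uids and reading mode bits with GNU stat(1) instead of
# parsing `ls -ldg` output by field position.

# Directories that are legitimately group-writable (illustrative list,
# covering the /var/spool/mail and /var/spool/lpd case from the thread).
SHARED_HOMES="/var/spool/mail /var/spool/lpd"

# check_home_dirs PASSWD_FILE
# Prints one msec-style finding per line for each entry whose home
# directory is owned by someone else, group-writable or other-writable.
check_home_dirs() {
    # skip NIS '+'/'-' entries, as the original awk filter did
    grep -v '^[+-]' "$1" | while IFS=: read -r user _ uid _ _ home _; do
        [ -d "$home" ] || continue
        # %u = owner uid, %a = mode in octal; quoting keeps odd paths intact
        set -- $(stat -c '%u %a' "$home")
        owner_uid=$1
        mode=$(( 0$2 ))                     # leading 0 -> octal arithmetic
        # numeric comparison: no 8-char truncation ("fetchmail" vs "fetchmai")
        if [ "$owner_uid" -ne "$uid" ] && [ "$owner_uid" -ne 0 ]; then
            # root-owned homes are tolerated, as in the original script
            printf 'user=%s(%s) : home directory is owned by %s(%s).\n' \
                "$user" "$uid" "$(stat -c %U "$home")" "$owner_uid"
        fi
        shared=0
        for d in $SHARED_HOMES; do
            if [ "$home" = "$d" ]; then shared=1; fi
        done
        # octal 020 = group write bit, 002 = other write bit
        if [ $(( mode & 020 )) -ne 0 ] && [ "$shared" -eq 0 ]; then
            printf 'user=%s(%s) : home directory is group writeable.\n' "$user" "$uid"
        fi
        if [ $(( mode & 002 )) -ne 0 ]; then
            printf 'user=%s(%s) : home directory is other writeable.\n' "$user" "$uid"
        fi
    done
}

# make_fixture
# Builds a throw-away passwd file plus matching directories under a temp
# dir (constructed sample data, not a real system) and prints its path.
make_fixture() {
    top=$(mktemp -d)
    me=$(id -u)
    mkdir "$top/alice" "$top/bob" "$top/carol"
    chmod 700 "$top/alice"   # clean
    chmod 775 "$top/bob"     # group-writable
    chmod 777 "$top/carol"   # group- and other-writable
    # carol's passwd uid (99999) must not match the directory owner;
    # when run as root the dir would be root-owned, so hand it to 65534
    [ "$me" -ne 0 ] || chown 65534 "$top/carol"
    cat > "$top/passwd" <<EOF
alice:x:$me:$me::$top/alice:/bin/sh
bob:x:$me:$me::$top/bob:/bin/sh
carol:x:99999:99999::$top/carol:/bin/sh
lp:x:4:7:lp:/nonexistent/lpd:/bin/sh
+@netgroup::::::
EOF
    echo "$top/passwd"
}

# Expected: one group-writeable finding for bob and three findings for
# carol (owned by someone else, group writeable, other writeable);
# alice is clean, lp has no directory and the NIS entry is skipped.
check_home_dirs "$(make_fixture)"
```

Pointing `check_home_dirs` at `/etc/passwd` gives the production check; the temporary fixture only exists so the script demonstrates each failure mode offline.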