Stefan Siegel <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] wrote:
> >
> > Stefan Siegel <[EMAIL PROTECTED]> writes:
> >
> > >
> > > Hello everybody,
> > >
> > > I found some errors in "security_check.sh". Here is my list of fixes
> > > and attached you can find a patch against "msec-0.9-14mdk" rpm
> >
> > Hi Stefan,
> > cool to see that so many people take an interest in msec,
> > however, please never ever frighten me like that with
> > a subject like that...
> >
> > Cause it's not a "SECURITY BUGs"
> OK, let's say a bug in a security-package ;-)
A bug is an error,
i don't see any error :)
( except maybe the two little regex patch ) :-)
>
> > >
> > > -----8<------------------------------------------------------>8------
> > > * Files that should not be owned by someone else or readable:
> > > -> added ".gnupg/secring.gpg" as Mandrake uses GNUPG as default
> > ok :)
> > It 's very difficult to include all important file :)
> that's right, but as Mandrake switched to GNUPG I thought it would be
> a good idea ....
it is :)
> > [...]
> > > -> replaced username-check by uid-check (avoids false output
> > > by usernames > 8 char, e.g. "fetchmail" != "fetchmai" )
> > This one is cool,
> > however i first started to look at uid,
> > but this is a problem with novice users...
> > In the end i will probably do a UID check, and search the username
> > associated to the UID in question.
> When you look at my patch you'll find uid and names are displayed ...
yop just seen it :)
>
> >
> > > -> removed "~lp" and "~mail" from group-check as their homedirs
> > > are group writeable
> >
> > wrong, it completely depends on your configuration.
> > alph:~$ ls -l mail
> > -rw------- 1 yoann yoann 5057 Feb 11 12:40 mail
> > alph:~$
> ------8<---------->8-------
> $ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/filesystem-1.3.5-1mdk.noarch.rpm |
> grep mail
> drwxrwxr-x root mail 1024 Feb 6 1996 /var/spool/mail
> $ rpm -qlvp /mnt/cdrom/Mandrake/RPMS/lpr-0.48-1mdk.i586.rpm | grep spool
> drwxrwxr-x root daemon 4096 Jan 10 14:30 /var/spool/lpd
> ------8<---------->8-------
> that's why I "removed" those two from being displayed ...
> (Note: Your rpms from iso-2 ...)
what are u talking about , ~/mail or /var/spool/mail ?
:)
>
> > [...]
> > However, be careful that msec should get many architecture changes in
> > a short time, so do not bother too much :)
> waiting to see what will come next ...
better architecture,
also i'll maybe use cfengine.
>
> > > diff -uNr /etc/security/msec/cron-sh/security_check.sh.orig
>/etc/security/msec/cron-sh/security_check.sh
> > > [...]
> > > ### Check home directories. Directories should not be owned by someone else or
>writeable.
> > > -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
> > > -while read uid homedir; do
> > > +awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
> > > +while read username uid homedir; do
> > > if [[ -d ${homedir} ]] ; then
> > > - file=`ls -ldg ${homedir}`
> > > - printf "$uid $file\n"
> > > + realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
> > > + realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
> > > + permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
> > > + printf "${permissions} ${username} (${uid}) ${realuser}
>(${realuid})\n"
> > > fi
> > > -done | awk '$1 != $4 && $4 != "root" \
> > > - { print "user=" $1 " : home directory is owned by " $4 "." }
> > > - $2 ~ /^-....w/ \
> > > - { print "user=" $1 " : home directory is group writeable." }
> > > - $2 ~ /^-.......w/ \
> > > - { print "user=" $1 " : home directory is other writeable." }' > ${TMP}
> > > +done | awk '$3 != $5 && $5 != "(0)" \
> > > + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
> > > + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
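Review bot: the hunk is cut off at `+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \`, so the group- and other-writeable print actions and the closing quote of the replacement awk program are not visible; please post the complete hunk so the whole awk program can be reviewed. On the visible part: the `$2 != "lp" && $2 != "mail"` clause hard-codes two usernames into the permission check, which is exactly the part disputed in this thread and should be configurable or dropped rather than baked into the script. The change from `/^-....w/` to `/^d....w/` is a genuine fix and deserves a line in the patch description: the removed pattern begins with `-` (a regular-file mode string) while the field it is matched against comes from `ls -ldg` on a directory and always starts with `d`, so the old group/other-writeable tests could never fire. Finally, each home directory is listed three times (`ls -ldgn`, `ls -ldg`, `ls -ldg`) only to extract one column each; a single `ls -ldgn "${homedir}"` read into variables would do, and both that call and `read username uid homedir` (no `-r`, unquoted `${homedir}`) word-split a home directory path containing spaces or glob characters.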
> >
> > $2 != "lp" && $2 != "mail"
> > this one is wrong as i've said above..
> I explained my "removing" above ... BTW as you can see my output is:
>
> user=test1(503) : home directory is owned by test2(504).
>
> so you have uid and usernames displayed ...
yop, that's cool :)
will be included :)
--
-- Yoann http://prelude.sourceforge.net
It is well known that M$ products don't make a free() after a malloc(),
the unix community wishes them good luck for their future development.
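The uid-based home directory check that the thread converges on, written out as an added example (this is not msec's security_check.sh and not the patch posted above). It keeps the patch's idea of comparing numeric uids so that usernames longer than 8 characters are never truncated, but reads owner and mode with a single GNU stat(1) call per directory instead of parsing ls(1) columns, and leaves the disputed "lp"/"mail" exclusion out entirely. It assumes GNU coreutils `stat -c`; the passwd entries and directories in `demo_check` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not msec's code and not the thread's patch.
# Assumes GNU coreutils stat(1) with the -c format option.

# check_homes PASSWD_FILE
# Reads a passwd(5)-format file and prints one finding per line, using
# the wording of the patch in the thread:
#   user=NAME(UID) : home directory is owned by OWNER(OWNERUID).
#   user=NAME(UID) : home directory is group writeable.
#   user=NAME(UID) : home directory is other writeable.
# A directory owned by uid 0 is not reported as foreign-owned, matching
# the original script's "root" exception. Prints nothing when all is well.
check_homes() {
    passwd_file=$1
    # Skip NIS/compat entries ('+'/'-' lines); emit "name uid home".
    awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' "$passwd_file" |
    while read -r username uid homedir; do
        [ -d "$homedir" ] || continue
        # One stat call gives owner uid, owner name and symbolic mode,
        # e.g. "1000 stefan drwxrwxr-x"; no ls column parsing.
        stat_out=$(stat -c '%u %U %A' "$homedir" 2>/dev/null) || continue
        set -- $stat_out
        realuid=$1 realuser=$2 perms=$3
        if [ "$uid" != "$realuid" ] && [ "$realuid" != 0 ]; then
            echo "user=$username($uid) : home directory is owned by $realuser($realuid)."
        fi
        # Mode string is "d rwx rwx rwx": group w is character 6, other w
        # is character 9 (the same positions the patch's /^d....w/ tests).
        case $perms in
            ?????w*) echo "user=$username($uid) : home directory is group writeable." ;;
        esac
        case $perms in
            ????????w*) echo "user=$username($uid) : home directory is other writeable." ;;
        esac
    done
}

# demo_check: builds a constructed passwd file and three temporary home
# directories with different modes, runs check_homes over them and
# returns the findings on stdout.
demo_check() {
    base=$(mktemp -d) || return 1
    mkdir "$base/alice" "$base/bob" "$base/carol"
    chmod 700 "$base/alice"   # clean: no finding expected
    chmod 775 "$base/bob"     # group writeable
    chmod 777 "$base/carol"   # group and other writeable
    me=$(id -u)
    # Constructed passwd entries. carol is declared with uid 65534, which
    # does not own the directory, so an ownership mismatch is reported
    # unless the directory happens to be owned by root (the exception).
    cat > "$base/passwd" <<EOF
+@netgroup:x:::::
alice:x:$me:$me:Alice:$base/alice:/bin/sh
bob:x:$me:$me:Bob:$base/bob:/bin/sh
carol:x:65534:65534:Carol:$base/carol:/bin/sh
missing:x:$me:$me:No home:$base/nothere:/bin/sh
EOF
    check_homes "$base/passwd"
    rm -rf "$base"
}

demo_check
```

Running the script prints the findings for bob (group writeable) and carol (group and other writeable, plus the ownership mismatch when the directories are not owned by root); alice and the user whose home does not exist produce nothing. In a cron setting, redirect the output to the same `${TMP}` file the original script uses and report only when it is non-empty.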