Hi everyone.
I'm currently undergoing an audit compliance project
on our servers. One of the audit requirements is to
'flag' (then fix) and file shares that have 'everyone
- full control' for share level access and also have
'everyone - full control' for NTFS permissions.
I've knocked up the following code and I find that on
large file servers with lots of shares the script will
bomb out at the same share each time. I've put some
traps in the code so that it will start off at the
share it bombed at at (skipping all previous shares)
but then it continues on fine.
I'm also interested to know why the memory usage
increases imcrementally as I think I'm undef'ing all
hashes and arrays after they are no longer required.
Could it be something to do with one of the modules
I'm using not freeing resources properly?
If you give this script a command line argument of a
server it will scan the shares on that server.
I cna send the code as an attachment if that's better
for someone. Not sure if this mailing list will allow
attachments though.
Thanks in advance,
PJ
# # # # #
use Win32::Perms;
use Win32::Lanman;
use Win32::AdminMisc;
$node = "\\\\$ARGV[0]";
if (Win32::Lanman::NetShareEnum( $node, \@share_list
)) {
foreach $Share ( @share_list ) {
$dacl_entry = 0;
$share_ntfs_permissions = "";
my $sharename = $Share->{netname};
print "sharename is $sharename -\n";
unless ($sharename eq "" or $sharename =~
/^[A-Z]\$$/ or $sharename =~
/(^IPC\$|^ADMIN\$|^REPL\$)/i) {
# next if $shareName =~ /^[A-Z]\$$/; #
Skip C$ etc drive shares
# next if $shareName =~
/(^IPC\$|^ADMIN\$|^REPL\$)/i; # Skip Admin shares
$_ = undef for @List, $Perm;
my $Perm;
if ($Perm = new Win32::Perms(
"share:$node\\$sharename")) {
my @List;
$Perm->Dump( \@List );
foreach $Account ( @List ) {
my( @Permissions );
# print "$Account->{Entry}\n";
# next if( $Account->{Entry} ne "DACL" );
if ($Account->{Entry} eq "DACL") {
$dacl_entry = 1;
# print "Account:
$Account->{Domain}\\$Account->{Account}\n";
$_ = undef for
$perm_flag_standard_rights_all,
$perm_flag_file_read_ea, $perm_flag_file_write_ea,
$perm_flag_execute, $perm_flag_file_delete_child,
$perm_flag_file_read_attributes,
$perm_flag_file_write_attributes,
$perm_flag_read_control, $perm_flag_synchronize,
$share_permissions, $share_ntfs_permissions;
Win32::Perms::DecodeMask(
$Account->{Mask},
\@Permissions );
foreach $permissions_entry
(@Permissions) {
# print "permissions_entry is
$permissions_entry\n";
if ($permissions_entry eq
"STANDARD_RIGHTS_ALL") {
$perm_flag_standard_rights_all = 1;
} elsif ($permissions_entry eq
"FILE_READ_EA")
{
$perm_flag_file_read_ea = 1;
} elsif ($permissions_entry eq
"FILE_WRITE_EA")
{
$perm_flag_file_write_ea = 1;
} elsif ($permissions_entry eq
"FILE_EXECUTE")
{
$perm_flag_file_execute = 1;
} elsif ($permissions_entry eq
"FILE_DELETE_CHILD") {
$perm_flag_file_delete_child = 1;
} elsif ($permissions_entry eq
"FILE_READ_ATTRIBUTES") {
$perm_flag_file_read_attributes = 1;
} elsif ($permissions_entry eq
"FILE_WRITE_ATTRIBUTES") {
$perm_flag_file_write_attributes = 1;
} elsif ($permissions_entry eq
"READ_CONTROL")
{
$perm_flag_read_control = 1;
} elsif ($permissions_entry eq
"SYNCHRONIZE") {
$perm_flag_synchronize
= 1;
}
}
if ($perm_flag_standard_rights_all ==
1 and
$perm_flag_file_read_ea ==1 and
$perm_flag_file_write_ea == 1 and
$perm_flag_file_execute == 1 and
$perm_flag_file_delete_child == 1 and
$perm_flag_file_read_attributes == 1 and
$perm_flag_file_write_attributes == 1) {
$share_permissions = "F";
} elsif ($perm_flag_read_control == 1
and
$perm_flag_synchronize == 1 and
$perm_flag_file_read_ea == 1 and
$perm_flag_file_execute == 1 and
$perm_flag_file_read_attributes == 1) {
$share_permissions = "R";
} else {
$share_permissions = "S";
}
# print " Account:
$Account->{Domain}\\$Account->{Account}\n";
# print " share_permissions is
$share_permissions\n";
if ($share_permissions eq "F" and
("$Account->{Domain}\\$Account->{Account}" eq
"\\Everyone")) {
$share_path = $Share->{path};
($share_remote_driveletter,
$share_rest_of_path) = split(/\:/, $share_path);
$share_path = join("",
"$node\\",
$share_remote_driveletter, "\$", $share_rest_of_path);
# print "full path is
$share_path\n";
$share_ntfs_permissions =
get_filesystem_everyone_full_or_change_permissions("$share_path");
# print " share_ntfs_permissions
is
$share_ntfs_permissions\n";
}
}
}
if ($dacl_entry == 0) {
$share_path = $Share->{path};
($share_remote_driveletter,
$share_rest_of_path)
= split(/\:/, $share_path);
$share_path = join("", "$node\\",
$share_remote_driveletter, "\$", $share_rest_of_path);
# print "full path is $share_path\n";
$share_ntfs_permissions =
get_filesystem_everyone_full_or_change_permissions("$share_path");
# print " Account: \\Everyone\n";
# print " share_permissions is F\n";
# print " share_ntfs_permissions is
$share_ntfs_permissions\n";
}
if ($share_ntfs_permissions == 1) {
print "FLAG! - SECURITY RISK!!!\n";
# <STDIN>;
}
}
}
}
}
sub get_filesystem_everyone_full_or_change_permissions
{
my $filesystem_object = $_[0];
# print "filesystem_object is $filesystem_object\n";
my $everyone_read = 0;
my $everyone_full_or_change = "";
$_ = undef for %hash, %Volume, @ntfs_list, $Perm;
my %hash;
my %Volume;
my @path_split_dollars = split(/\$/,
$filesystem_object);
if (%Volume =
Win32::AdminMisc::GetVolumeInfo("$path_split_dollars[0]\$"))
{
$volume_format = $Volume{FileSystemName};
unless ($volume_format eq "FAT") {
# print "volume_format is $volume_format\n";
if (-r $filesystem_object) {
my $Perm;
if ($Perm = new Win32::Perms(
"file:$filesystem_object")) {
$Perm->Dump( \@ntfs_list );
foreach $Account ( @ntfs_list ) {
undef @Permissions;
my( @Permissions );
# print "$Account->{Entry}\n";
# next if( $Account->{Entry} ne "DACL" );
if
("$Account->{Domain}\\$Account->{Account}" eq
"\\Everyone") {
if ($Account->{Entry} eq
"DACL") {
$dacl_entry = 1;
# print "Account:
$Account->{Domain}\\$Account->{Account}\n";
$_ = undef for
$perm_flag_standard_rights_all,
$perm_flag_file_read_ea, $perm_flag_file_write_ea,
$perm_flag_execute, $perm_flag_file_delete_child,
$perm_flag_file_read_attributes,
$perm_flag_file_write_attributes, $share_permissions,
$share_ntfs_permissions;
Win32::Perms::DecodeMask( $Account->{Mask},
\@Permissions );
if ($share_match == 1)
{
map{ print "
$_\n"; } @Permissions;
}
foreach
$permissions_entry (@Permissions) {
# print
"permissions_entry is
$permissions_entry\n";
if
($permissions_entry eq
"STANDARD_RIGHTS_ALL") {
$perm_flag_standard_rights_all = 1;
} elsif
($permissions_entry eq
"FILE_READ_EA") {
$perm_flag_file_read_ea = 1;
} elsif
($permissions_entry eq
"FILE_WRITE_EA") {
$perm_flag_file_write_ea = 1;
} elsif
($permissions_entry eq
"FILE_EXECUTE") {
$perm_flag_file_execute = 1;
} elsif
($permissions_entry eq
"FILE_DELETE_CHILD") {
$perm_flag_file_delete_child = 1;
} elsif
($permissions_entry eq
"FILE_READ_ATTRIBUTES") {
$perm_flag_file_read_attributes = 1;
} elsif
($permissions_entry eq
"FILE_WRITE_ATTRIBUTES") {
$perm_flag_file_write_attributes = 1;
} elsif
($permissions_entry eq
"READ_CONTROL") {
$perm_flag_read_control = 1;
} elsif
($permissions_entry eq "SYNCHRONIZE")
{
$perm_flag_synchronize = 1;
} elsif
($permissions_entry eq "DELETE") {
$perm_flag_delete = 1;
} elsif
($permissions_entry eq
"GENERIC_EXECUTE") {
$perm_flag_generic_execute = 1;
} elsif
($permissions_entry eq
"GENERIC_READ") {
$perm_flag_generic_read = 1;
} elsif
($permissions_entry eq
"GENERIC_WRITE") {
$perm_flag_generic_write = 1;
} elsif
($permissions_entry eq "GENERIC_ALL")
{
$perm_flag_generic_all = 1;
}
}
if
(($perm_flag_standard_rights_all == 1 and
$perm_flag_file_read_ea ==1 and
$perm_flag_file_write_ea == 1 and
$perm_flag_file_execute == 1 and
$perm_flag_file_delete_child == 1 and
$perm_flag_file_read_attributes == 1 and
$perm_flag_file_write_attributes == 1) or
$perm_flag_generic_all == 1) {
$file_permissions = "F";
$everyone_full_or_change = 1;
} elsif
($perm_flag_delete == 1 and
$perm_flag_generic_execute == 1 and
$perm_flag_generic_write == 1 and
$perm_flag_generic_read == 1) {
$file_permissions = "C";
$everyone_full_or_change = 1;
} elsif
($perm_flag_read_control == 1 and
$perm_flag_synchronize == 1 and
$perm_flag_file_read_ea == 1 and
$perm_flag_file_execute == 1 and
$perm_flag_file_read_attributes == 1) {
$file_permissions = "R";
} else {
$file_permissions = "S";
}
# print
"file_permissions is $file_permissions
pausing ...\n";
# <STDIN>;
}
}
}
} else {
$everyone_full_or_change = "";
}
}
} else {
$everyone_full_or_change = 1;
}
}
return $everyone_full_or_change;
}
# # #
http://greetings.yahoo.com.au - Yahoo! Greetings
- Send your seasons greetings online this year!
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
