New function SafeFile

2019-07-12 13:05:43 +02:00 · 2019-07-12 13:05:43 +02:00 · 0f80fa07aa
parent 21f9a18e8b
commit 0f80fa07aa
1 changed files with 51 additions and 0 deletions
--- a/include/functions
+++ b/include/functions
@ -88,6 +88,7 @@
 #    ReportManual               Log manual actions to report file
 #    ReportSuggestion           Add a suggestion to report file
 #    ReportWarning              Add a warning and priority to report file
+#    SafeFile                   Security tests to perform on a file before using it
 #    SafePerms                  Check if a file has safe permissions
 #    SafeInput                  Test provided string to see if it contains unwanted characters
 #    SearchItem                 Search a string in a file
@ -2611,6 +2612,56 @@
    }


+    ################################################################################
+    # Name        : SafeFile()
+    # Description : Check if a file is safe to use
+    #
+    ################################################################################
+
+    SafeFile() {
+        unsafe=0
+        if [ $# -ne 1 ]; then
+            ExitFatal "No argument or too many arguments provided to SafeFile()"
+        else
+            FILE="$1"
+
+            # Generic checks
+            if [ -g "${FILE}" ]; then
+                LogText "Security alert: file has setgid attribute"
+                unsafe=1
+            # sticky bit
+            elif [ -k "${FILE}" ]; then
+                LogText "Security alert: file has sticky bit"
+                unsafe=1
+            # symbolic link
+            elif [ -L "${FILE}" ]; then
+                LogText "Security alert: file is a symbolic link"
+                unsafe=1
+            elif [ -f "${FILE}" ]; then
+                LogText "Security check: file is normal"
+            else
+                unsafe=1
+            fi
+
+            # Perform additional checks based on privilege level
+            if [ ${PRIVILEGED} -eq 0 ]; then
+                # File is not owned by active user, but still able to write
+                if [ ! -O "${FILE}" -a -w "${FILE}" ]; then
+                    unsafe=1
+                    LogText "Security alert: file is not owned by active user, but can write to it"
+                fi
+            fi
+
+            # Check file permissions
+            if ! SafePerms "${FILE}"; then
+                unsafe=1
+            fi
+
+        fi
+
+        return ${unsafe}
+    }
+

    ################################################################################
    # Name        : SafePerms()