From 6ea27b912c4c2e29d190799be4df8eff56b6fe24 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 2 May 2016 15:45:27 +0200
Subject: [PATCH] Add owner and group permissions check

---
 include/functions | 108 ++++++++++++++++++++++++++++------------------
 1 file changed, 65 insertions(+), 43 deletions(-)
diff --git a/include/functions b/include/functions
index 9c1c4e4b..e7e0e940 100644
--- a/include/functions
+++ b/include/functions
@@ -1815,55 +1815,77 @@ ################################################################################ # Name : SafePerms() + # Return : 0 (file OK) or break ################################################################################ SafePerms() { - PERMS_OK=0 - LogText "Checking permissions of $1" - if [ $# -eq 1 ]; then - IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` - # Check file permissions - if [ ! -f "$1" ]; then - LogText "Fatal error: file $1 does not exist. Quitting." - echo "Fatal error: file $1 does not exist" - ExitFatal - else - PERMS=`ls -l $1` - # Owner permissions - OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'` - OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'` - if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then - if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then - echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})." - ExitFatal - fi - else - LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process" - fi - # Group permissions - GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'` - GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'` - - if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then - if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then - echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})." - ExitFatal - fi - else - LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process" - fi - # Other permissions - OTHER_PERMS=`echo ${PERMS} | cut -c8-10` - if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then - echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only." 
+ if [ ${WARN_ON_FILE_ISSUES} -eq 1 ]; then + PERMS_OK=0 + LogText "Checking permissions of $1" + if [ $# -eq 1 ]; then + IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` + # Check file permissions + if [ ! -f "$1" ]; then + LogText "Fatal error: file $1 does not exist. Quitting." + echo "Fatal error: file $1 does not exist" ExitFatal + else + PERMS=`ls -l $1` + # Owner permissions + OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'` + OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'` + if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then + if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then + echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})." + ExitFatal + fi + else + LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process" + fi + # Group permissions + GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'` + GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'` + + if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then + if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then + echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})." + ExitFatal + fi + else + LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process" + fi + + # Owner permissions + OWNER_PERMS=`echo ${PERMS} | cut -c2-4` + if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" + ExitFatal + fi + + # Owner permissions + GROUP_PERMS=`echo ${PERMS} | cut -c5-7` + if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. 
Change with: chmod 600 $1" + ExitFatal + fi + + # Other permissions + OTHER_PERMS=`echo ${PERMS} | cut -c8-10` + if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only." + ExitFatal + fi + # Set PERMS_OK to 1 if no fatal errors occurred + PERMS_OK=1 + LogText "File permissions are OK" + return 0 fi - # Set PERMS_OK to 1 if no fatal errors occurred - PERMS_OK=1 - LogText "File permissions are OK" - fi + else + ReportException "SafePerms()" "Invalid number of arguments for function" + fi else - ReportException "SafePerms()" "Invalid number of arguments for function" + PERMS_OK=1 + return 0 fi }
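Review bot: The new `if [ ${WARN_ON_FILE_ISSUES} -eq 1 ]` guard at the top of SafePerms() fails open: if WARN_ON_FILE_ISSUES is unset or empty when the function runs, the unquoted expansion leaves `[ -eq 1 ]`, which is a test syntax error with non-zero status, so control drops into the new `else` branch that sets `PERMS_OK=1` and returns 0 without examining the file, including the existence check that the old code ran unconditionally. Quoting and defaulting the expansion, `if [ "${WARN_ON_FILE_ISSUES:-1}" -eq 1 ]; then`, keeps the checks on unless the variable is explicitly set to another value; whether the variable can actually be unset at call time depends on where the constants file is sourced, which is outside this hunk. The same unquoted-expansion pattern is repeated in the re-added `ls -l $1` / `ls -n $1` calls, where a path containing whitespace would split into several arguments and yield a wrong or empty `PERMS`. Separately, the comment above the new `GROUP_PERMS` block reads `# Owner permissions` and should read `# Group permissions`, since two other blocks in the same hunk already carry the owner label.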