tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-26 23:34:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add owner and group permissions check

Browse Source
This commit is contained in:
Michael Boelen 2016-05-02 15:45:27 +02:00
parent 4bc0225efd
commit 6ea27b912c
1 changed files with 65 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
include/functions
View File

@ -1815,55 +1815,77 @@
################################################################################ ################################################################################
# Name : SafePerms() # Name : SafePerms()
# Return : 0 (file OK) or break
################################################################################ ################################################################################
SafePerms() { SafePerms() {
PERMS_OK=0 if [ ${WARN_ON_FILE_ISSUES} -eq 1 ]; then
LogText "Checking permissions of $1" PERMS_OK=0
if [ $# -eq 1 ]; then LogText "Checking permissions of $1"
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` if [ $# -eq 1 ]; then
# Check file permissions IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"`
if [ ! -f "$1" ]; then # Check file permissions
LogText "Fatal error: file $1 does not exist. Quitting." if [ ! -f "$1" ]; then
echo "Fatal error: file $1 does not exist" LogText "Fatal error: file $1 does not exist. Quitting."
ExitFatal echo "Fatal error: file $1 does not exist"
else
PERMS=`ls -l $1`
# Owner permissions
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'`
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
ExitFatal
fi
else
LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process"
fi
# Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'`
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
ExitFatal
fi
else
LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process"
fi
# Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only."
ExitFatal ExitFatal
else
PERMS=`ls -l $1`
# Owner permissions
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'`
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
ExitFatal
fi
else
LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process"
fi
# Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'`
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
ExitFatal
fi
else
LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process"
fi
# Owner permissions
OWNER_PERMS=`echo ${PERMS} | cut -c2-4`
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1"
ExitFatal
fi
# Owner permissions
GROUP_PERMS=`echo ${PERMS} | cut -c5-7`
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1"
ExitFatal
fi
# Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only."
ExitFatal
fi
# Set PERMS_OK to 1 if no fatal errors occurred
PERMS_OK=1
LogText "File permissions are OK"
return 0
fi fi
# Set PERMS_OK to 1 if no fatal errors occurred else
PERMS_OK=1 ReportException "SafePerms()" "Invalid number of arguments for function"
LogText "File permissions are OK" fi
fi
else else
ReportException "SafePerms()" "Invalid number of arguments for function" PERMS_OK=1
return 0
fi fi
} }