mirror of https://github.com/CISOfy/lynis.git
Add owner and group permissions check
This commit is contained in:
Michael Boelen
parent
4bc0225efd
commit
6ea27b912c
|
|
@ -1815,55 +1815,77 @@
|
|||
|
||||
################################################################################
|
||||
# Name : SafePerms()
|
||||
# Return : 0 (file OK) or break
|
||||
################################################################################
|
||||
|
||||
SafePerms() {
|
||||
PERMS_OK=0
|
||||
LogText "Checking permissions of $1"
|
||||
if [ $# -eq 1 ]; then
|
||||
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"`
|
||||
# Check file permissions
|
||||
if [ ! -f "$1" ]; then
|
||||
LogText "Fatal error: file $1 does not exist. Quitting."
|
||||
echo "Fatal error: file $1 does not exist"
|
||||
ExitFatal
|
||||
else
|
||||
PERMS=`ls -l $1`
|
||||
# Owner permissions
|
||||
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
|
||||
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'`
|
||||
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
|
||||
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
|
||||
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
|
||||
ExitFatal
|
||||
fi
|
||||
else
|
||||
LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process"
|
||||
fi
|
||||
# Group permissions
|
||||
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
|
||||
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'`
|
||||
|
||||
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
|
||||
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
|
||||
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
|
||||
ExitFatal
|
||||
fi
|
||||
else
|
||||
LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process"
|
||||
fi
|
||||
# Other permissions
|
||||
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
|
||||
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
|
||||
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only."
|
||||
if [ ${WARN_ON_FILE_ISSUES} -eq 1 ]; then
|
||||
PERMS_OK=0
|
||||
LogText "Checking permissions of $1"
|
||||
if [ $# -eq 1 ]; then
|
||||
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"`
|
||||
# Check file permissions
|
||||
if [ ! -f "$1" ]; then
|
||||
LogText "Fatal error: file $1 does not exist. Quitting."
|
||||
echo "Fatal error: file $1 does not exist"
|
||||
ExitFatal
|
||||
else
|
||||
PERMS=`ls -l $1`
|
||||
# Owner permissions
|
||||
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
|
||||
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'`
|
||||
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
|
||||
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
|
||||
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
|
||||
ExitFatal
|
||||
fi
|
||||
else
|
||||
LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process"
|
||||
fi
|
||||
# Group permissions
|
||||
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
|
||||
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'`
|
||||
|
||||
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
|
||||
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
|
||||
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
|
||||
ExitFatal
|
||||
fi
|
||||
else
|
||||
LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process"
|
||||
fi
|
||||
|
||||
# Owner permissions
|
||||
OWNER_PERMS=`echo ${PERMS} | cut -c2-4`
|
||||
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
|
||||
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1"
|
||||
ExitFatal
|
||||
fi
|
||||
|
||||
# Owner permissions
|
||||
GROUP_PERMS=`echo ${PERMS} | cut -c5-7`
|
||||
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
|
||||
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1"
|
||||
ExitFatal
|
||||
fi
|
||||
|
||||
# Other permissions
|
||||
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
|
||||
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
|
||||
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only."
|
||||
ExitFatal
|
||||
fi
|
||||
# Set PERMS_OK to 1 if no fatal errors occurred
|
||||
PERMS_OK=1
|
||||
LogText "File permissions are OK"
|
||||
return 0
|
||||
fi
|
||||
# Set PERMS_OK to 1 if no fatal errors occurred
|
||||
PERMS_OK=1
|
||||
LogText "File permissions are OK"
|
||||
fi
|
||||
else
|
||||
ReportException "SafePerms()" "Invalid number of arguments for function"
|
||||
fi
|
||||
else
|
||||
ReportException "SafePerms()" "Invalid number of arguments for function"
|
||||
PERMS_OK=1
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue