DataMuseum.dk presents historical artifacts from the history of: DKUUG/EUUG Conference tapes
This is an automatic "excavation" of a thematic subset of
See our Wiki for more about DKUUG/EUUG Conference tapes. Excavated with: AutoArchaeologist - Free & Open Source Software.
Length: 3443 (0xd73)
Types: TextFile
Names: »dev.chk«

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦3da311d67⟧ »./cops/1.04/cops_104.tar.Z«
└─⟦6a2577110⟧
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦6a2577110⟧ »./cops/1.04/cops_104.tar«
└─⟦this⟧ »cops_104/dev.chk«
:
#
#  dev.chk [-g]
#
#   This shell script checks the permissions of all devs listed in the
# file /etc/fstab (the "mount" command would be a preferable way of
# getting the file system name, but the syntax of the output is variable
# from machine to machine), and flags them if they are readable by using
# the "is_able" command.  It also checks for unrestricted NFS
# mountings.  By default, dev.chk will flag devs only if world readable
# or writable.  The -g option tells it to print out devs that are also
# group readable/writable.
#   As an aside, the fact that NFS mounted dirs are world readable isn't
# a big deal, but they shouldn't be world writable.  So do two checks here,
# instead of one.
#
#  (p.s. /dev/?mem and some misc files used to be checked here, but they
# are now checked in is_able.chk)
#
#  Two types of /etc/fstab formats I've seen so far:
#
#  spec:file:type:freq:passno:name:options
#      NFS are indicated by an "@"
#
#  fsname dir type opts freq passno
#      NFS are indicated by an ":"
#
#  I check for the second; comment that code out (lines 83-84, the
# "Default style" assignments), and uncomment the other style (lines 79-80,
# the "First style" assignments), if you have the first type.
#
AWK=/bin/awk
SED=/bin/sed
LS=/bin/ls
ECHO=/bin/echo
TEST=/bin/test

# locations of vital stuff...
mtab=/etc/fstab
exports=/etc/exports

group=no

if $TEST $# -gt 1 ; then
    $ECHO "Usage: $0 [-g]"
    exit 2
fi

if $TEST $# -eq 1 ; then
    if $TEST "X$1" = "X-g" ; then
        group=yes
    else
        $ECHO "Usage: $0 [-g]"
        exit 2
    fi
fi

#  Testing filesystems and devices for improper read/write permissions...

# grab devices from "/etc/fstab"....
#   Format of /etc/fstab:
#
#  spec:file:type:freq:passno:name:options
#      NFS mounted:
#  uther@foobar.edu:/usr/spaf:etc....
#
#  Or, the default means of checking:
#
#  filesystem directory type options freq pass
#      NFS mounted:
#  uther:foobar.edu /usr/spaf....
#
# kill comments, then get the device/filesystem in question.
#
# First style:
# nfs_devs=`$SED 's/^#.*//' $mtab | $AWK -F: '/@/ {print $2}'`
# local_devs=`$SED -e 's/^#.*$//' -e 's/^.*@.*$//' $mtab|$AWK -F: '{print $1}'`

# Default style:
nfs_devs=`$SED -e 's/^#.*$//' $mtab | $AWK '/:/ {print $1}'`
local_devs=`$SED -e 's/^#.*$//' -e 's/^.*:.*$//' $mtab | $AWK '{print $1}'`

all_devs=$nfs_devs" "$local_devs

#  Alternate way; grab devices from "mount [-p]"....
# Format of output from mount (some machines use -p option, some
# don't.  Check your local man page... you might have to add a "-F:" or
# something, depending on your output:
#  crit_devs=`/etc/mount -p|$AWK 'index($1, "/")==1 {print $1}'`

#  On an IBM/AIX box, you can try something like (set GREP=/bin/grep first):
# all_devs=`$GREP 'dev.*=' /etc/filesystems | $AWK '{print $NF}'`

#
#  However, do check for single line entries in /etc/exports.
# Comment lines are blanked by sed, so skip empty lines (NF > 0);
# otherwise each one would produce a warning with no file system name.
if $TEST -s $exports
then
    $SED -e 's/^#.*$//' $exports | $AWK 'NF > 0 && !/access=/ {
        print "Warning!  NFS file system " $1 " exported with no restrictions!"}'
fi

#
#  Have to get them in the format that "is_able" likes:
#
#  filename {world|group} {writeable|readable|both}
#
# all things check world/group writability
for i in $all_devs
do
    ./is_able $i w w
    if $TEST "$group" = "yes"
    then
        ./is_able $i g w
    fi
done

#   For local devices, we want to make sure that no one can bypass
# security by reading straight from the device:
for i in $local_devs
do
    ./is_able $i w r
    if $TEST "$group" = "yes"
    then
        ./is_able $i g r
    fi
done

# end of script
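
The same kind of check as an added, self-contained example (not part of COPS and not from the original file): it splits a whitespace-style fstab into local, NFS and pseudo entries and reads world or group access from the `ls -l` mode string instead of calling `is_able`. The function names, the `pseudo` class (entries such as `proc` that name no device file) and the sample fstab are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not COPS code. Function names are hypothetical.

# classify_fstab FILE -> "local|nfs|pseudo <spec>" per non-comment entry
classify_fstab() {
    sed -e 's/#.*$//' "$1" | awk 'NF > 0 {
        if (substr($1, 1, 1) == "/") kind = "local"    # /dev/...
        else if (index($1, ":") > 0)  kind = "nfs"      # host:/path
        else                          kind = "pseudo"   # proc, tmpfs, UUID=...
        print kind, $1
    }'
}

# access_flags PATH world|group -> the subset of "rw" that class holds
access_flags() {
    mode=$(ls -ldL "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$mode" ] || return 1          # missing path: nothing to report
    case $2 in
        group) cols=5-6 ;;              # mode string layout: tuuugggooo
        world) cols=8-9 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$mode" | cut -c"$cols" | tr -d '-'
}

# audit_devs FSTAB world|group -> one warning per local device with access
audit_devs() {
    classify_fstab "$1" | while read -r kind spec; do
        [ "$kind" = local ] || continue
        flags=$(access_flags "$spec" "$2") || continue
        if [ -n "$flags" ]; then
            echo "Warning! $spec is $2 accessible: $flags"
        fi
    done
}

# Constructed sample: regular files stand in for device nodes.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
: > "$demo/sd0a"; chmod 644 "$demo/sd0a"    # world readable
: > "$demo/sd0g"; chmod 600 "$demo/sd0g"    # owner only
cat > "$demo/fstab" <<EOF
# constructed fstab
$demo/sd0a  /      4.2  rw  1 1
$demo/sd0g  /usr   4.2  rw  1 2
uther:/usr/spaf  /usr/spaf  nfs  rw  0 0
proc  /proc  proc  defaults  0 0
EOF
audit_devs "$demo/fstab" world
```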