fix permission-hardener config parsing issue

2024-10-01 08:25:45 -04:00 · 2023-11-05 16:35:11 -05:00 · 2023-11-05 16:35:11 -05:00 · 65e3c14643
commit 65e3c14643
parent 40e536a9be
1 changed files with 17 additions and 8 deletions
--- a/usr/bin/permission-hardening
+++ b/usr/bin/permission-hardening
@ -160,7 +160,7 @@ add_nosuid_statoverride_entry() {
      local is_match_whitelisted
      is_match_whitelisted=""
      for matchwhite_list_entry in $match_white_list ; do
-         if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
+         if echo "$file_name" | grep -q --fixed-strings "$matchwhite_list_entry" ; then
            is_match_whitelisted="true"
            ## Stop looping through the match_white_list.
            break
@ -170,7 +170,7 @@ add_nosuid_statoverride_entry() {
      local is_disable_whitelisted
      is_disable_whitelisted=""
      for disablematch_list_entry in $disable_white_list ; do
-         if echo "$file_name" | grep -q "$disablematch_list_entry" ; then
+         if echo "$file_name" | grep -q --fixed-strings "$disablematch_list_entry" ; then
            is_disable_whitelisted="true"
            ## Stop looping through the disablewhitelist.
            break
@ -273,6 +273,13 @@ set_file_perms() {
         exit "$exit_code"
      fi

+echo "line: '$line'"
+echo "fso: '$fso'"
+echo "mode_from_config: '$mode_from_config'"
+echo "owner_from_config: '$owner_from_config'"
+
+
+
      local fso_without_trailing_slash
      fso_without_trailing_slash="${fso%/}"

@ -318,12 +325,12 @@ set_file_perms() {
            continue
         fi

-         if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
+         if ! echo "${passwd_file_contents}" | grep -q --fixed-strings "${owner_from_config}:" ; then
            echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
            continue
         fi

-         if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
+         if ! echo "${group_file_contents}" | grep -q --fixed-strings "${group_from_config}:" ; then
            echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
            continue
         fi
@ -386,7 +393,7 @@ set_file_perms() {
            true "There is an fso entry. Check if owner/group/mode match."
            local grep_line
            grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"
-            if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then
+            if echo "$dpkg_statoverride_list_output" | grep -q --fixed-strings "$grep_line" ; then
               true "OK The owner/group/mode matches. No further action required."
            else
               true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
@ -448,7 +455,7 @@ set_file_perms() {
            continue
         fi
      else
-         if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
+         if ! capsh --print | grep --fixed-strings "Bounding set" | grep -q "$capability_from_config" ; then
            echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
            continue
         fi
@ -468,8 +475,10 @@ parse_config_folder() {
  # 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in
  # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since
  # 'set -o pipefail' is set for this script.
-  passwd_file_contents="$(getent passwd)"
-  group_file_contents="$(getent group)"
+  passwd_file_contents=$(getent passwd)
+  passwd_file_contents=$(echo "$passwd_file_contents")
+  group_file_contents=$(getent group)
+  group_file_contents=$(echo "$group_file_contents")

  shopt -s nullglob
  for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do