Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-10 22:34:56 -04:00
Code Issues Projects Releases Packages Wiki Activity
security-misc/usr/lib/security-misc/permission-hardening
Patrick Schleizer 39a41cc27b
refactoring
2019-12-20 02:14:45 -05:00

120 lines
3.3 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#set -x
exit_code=0
config_file="/etc/permission-hardening.conf"
shopt -s globstar
echo_wrapper() {
echo "run: $@"
}
add_statoverride_entry() {
if [ "${nosuid}" = "true" ]; then
echo "fso: $fso"
while read -r line; do
if ! read -r file_name existing_mode owner group; then
continue
fi
if test -u "${file_name}" || test -g "${file_name}"; then
echo "suid - file_name: '${file_name}' | existing_mode: '${existing_mode}' | existing_mode:1: '${existing_mode:1}'"
if dpkg-statoverride --list | grep -q "${file_name}"; then
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${existing_mode:1} ${file_name}"; then
echo_wrapper dpkg-statoverride --remove "${file_name}"
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "${file_name}"
fi
else
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "${file_name}"
fi
fi
done < <( stat -c "%n %a %U %G" "${fso%/}/"** )
else
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "${mode}" "${fso%/}"
fi
}
set_file_perms() {
while read -r line; do
if [ "$line" = "" ]; then
continue
fi
if [[ "$line" =~ ^# ]]; then
continue
fi
if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
true OK
else
exit_code=200
echo "ERROR: cannot parse line with invalid character: ${line}" >&2
continue
fi
if ! read -r fso mode owner group capability <<< "${line}" ; then
exit_code=201
echo "ERROR: cannot parse line: ${line}" >&2
continue
fi
if ! [ -e "${fso}" ]; then
echo "INFO: fso '${fso}' does not exist!"
continue
fi
nosuid=""
if [ "${mode}" = "nosuid" ]; then
nosuid="true"
elif ! seq -w 000 4777 | grep -qw "${mode}"; then
echo "ERROR: Mode '${mode}' is invalid!" >&2
continue
fi
if ! getent passwd | grep -q "^${owner}:" && ! [ "${mode}" = "nosuid" ]; then
echo "ERROR: User '${owner}' does not exist!" >&2
continue
fi
if ! getent group | grep -q "^${group}:" && ! [ "${mode}" = "nosuid" ]; then
echo "ERROR: Group '${group}' does not exist!" >&2
continue
fi
## The permissions should not be reset during upgrades.
if dpkg-statoverride --list | grep -q "${fso%/}"; then
## If there is an entry for the fso, but the owner/group/mode do not
## match, we remove and re-add the entry to update it.
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${fso%/}"; then
echo_wrapper dpkg-statoverride --remove "${fso}"
add_statoverride_entry
fi
else
add_statoverride_entry
fi
if ! [ "${capability}" = "" ]; then
if [ "${capability}" = "none" ]; then
echo_wrapper setcap -r "${fso}"
else
if ! capsh --print | grep "Bounding set" | grep -q "${capability}"; then
echo "ERROR: Capability '${capability}' does not exist!" >&2
continue
fi
echo_wrapper setcap "${capability}+ep" "${fso}"
fi
fi
done < "${config_file}"
}
set_file_perms
exit "$exit_code"
Reference in a new issue View git blame Copy permalink