Mageia Bugzilla – Attachment 3952 Details for
Bug 2808
Sectool not configured for Mageia
[patch]
bash_defs bash script - added file and msec security level support to bash_defs
bash_defs.sh (text/plain), 5.69 KB, created by
George Mitchell
on 2013-05-13 06:31:47 CEST
Description:
bash_defs bash script - added file and msec security level support to bash_defs
Filename:
MIME Type:
Creator:
George Mitchell
Created:
2013-05-13 06:31:47 CEST
Size:
5.69 KB
patch
obsolete
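# bash_defs.sh
# secTool support functions for bash
#
# Sourced by the individual sectool test scripts. Provides the shared exit
# codes, the system file constants, the msec permission-file location, the
# report()/test_exit() output helpers and a few file/user/name checks.
# Everything runs with the caller's privileges; the shadow lookup in
# canLogIn only yields results when run as root.

shopt -s expand_aliases

# Declaration shortcuts. Note that `declare` inside a function creates a
# function-local variable, so const/int/var/array are only global when
# used at file scope; use the l_* forms inside functions.
alias const='declare -xr'
alias int='declare -xi'
alias var='declare -x'
alias array='declare -xa'

alias l_const='local -r'
alias l_int='local -i'
alias l_var='local'
alias l_array='local -a'

# Global constants (return codes; TRUE/FALSE follow the shell convention
# that 0 is success)
int -r E_OK=0
int -r E_FAIL=1
int -r E_FATAL=2
int -r TRUE=0
int -r FALSE=1

# Use getent(1) for lookups; these paths are for tests that inspect the
# files themselves (ownership, mode).
const PASSWD_FILE='/etc/passwd'
const GROUP_FILE='/etc/group'
const SHADOW_FILE='/etc/shadow'
const GSHADOW_FILE='/etc/gshadow'

#file constants (older spelling of the same paths, kept for existing tests)
const passwd=/etc/passwd
const group=/etc/group
const shadow=/etc/shadow
const group_shadow=/etc/gshadow

# gettext settings
const TEXTDOMAIN='sectool'
. gettext.sh

# msec security levels
# security.conf is a KEY=value file; sourcing it executes it as shell, so
# it must stay root-owned and not writable by anyone else. A missing file
# is skipped so the tests still run on a host without msec.
const MSEC_SECURITY_CONF='/etc/security/msec/security.conf'
if [[ -r "${MSEC_SECURITY_CONF}" ]]; then
    . "${MSEC_SECURITY_CONF}"
fi
# BASE_LEVEL is spliced into a path: only a plain level name (no '/', no
# whitespace) is accepted, anything else leaves MSEC_PERMS empty instead of
# pointing at an arbitrary file.
if [[ "${BASE_LEVEL:-}" =~ ^[A-Za-z0-9_.-]+$ ]]; then
    MSEC_PERMS="/etc/security/msec/perm.${BASE_LEVEL}"
else
    MSEC_PERMS=''
fi

# Global functions

# Print all arguments as one line on stderr. Debug output only: not
# translated, and (unlike the old `echo $*`) not subject to globbing.
function DEBUGMSG () {
    printf '%s\n' "$*" 1>&2
}

#
# resolves dashes on the beginning of string
#
# Translate $1 and expand the $VAR references it contains, like
# eval_gettext from gettext.sh but tolerant of a leading dash. Only the
# variables named in the string are exported to envsubst.
# NOTE: envsubst runs over the text as given, so a message that already
# contains an expanded value that looks like "$NAME" (e.g. a file name)
# gets that part substituted again; callers wanting real translations
# should pass the unexpanded template.
#
myeval_gettext () {
    gettext -- "$1" | (export PATH $(envsubst --variables -- "$1"); envsubst -- "$1")
}

# Don't use this function for debug messages!
#
# args: <type> [<id>] <string>
# type = WARNING|ERROR|HINT|INFO|DEBUG
# WARNING/ERROR/HINT take a numeric id and print "W01 : text" (E.., H..);
# INFO/DEBUG take no id and print "I : text". The text goes through
# myeval_gettext (gettext + envsubst). Returns E_FAIL on an unknown type.
function report {
    local kind="$1"
    local prefix id text

    case "${kind}" in
        WARNING) prefix='W' ;;
        ERROR)   prefix='E' ;;
        HINT)    prefix='H' ;;
        INFO|DEBUG)
            text="$2"
            printf 'I : %s\n' "$(myeval_gettext "${text}")"
            return ${E_OK}
            ;;
        *)
            DEBUGMSG "Bad parameter to report: ${kind}"
            return ${E_FAIL}
            ;;
    esac

    id="$2"
    text="$3"
    # printf %d aborts on a non-numeric id; fall back to 0 and say so.
    if ! [[ "${id}" =~ ^[0-9]+$ ]]; then
        DEBUGMSG "report: non-numeric id '${id}' for ${kind} message"
        id=0
    fi
    printf '%s%02d : %s\n' "${prefix}" "${id}" "$(myeval_gettext "${text}")"
    return ${E_OK}
}

# args: <retval> [<msg>]
# If retval != 0, then the msg argument is mandatory.
# Prints the outcome for ${NAME} (set by the calling test script) and
# exits the script with retval. NAME and msg are passed as printf data,
# never as part of the format string.
function test_exit {
    l_int rc="${1:-0}"
    if (( rc == 0 )); then
        printf 'Test: %s, Succeeded\n' "${NAME}"
        exit ${E_OK}
    fi
    printf 'Test: %s, Error: %d, - %s\n' "${NAME}" "${rc}" "${2:-}"
    exit "${rc}"
}

# args: <value>
# Returns E_OK for yes/true/1 (any case), E_FAIL for everything else
# (including an empty string).
function isset () {
    case "${1}" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return ${E_OK} ;;
    esac
    return ${E_FAIL}
}

# <file> [1|0]
# 1 = hash only
# 0 = openssl's own line, "SHA256(file)= hash"
# Prints nothing and returns E_FAIL when openssl cannot hash the file
# (the old version returned E_OK unconditionally, hiding that).
function sha256file () {
    l_var digest
    # `openssl sha` is a legacy spelling; dgst is the portable command.
    digest="$(openssl dgst -sha256 "${1}" 2> /dev/null)" || return ${E_FAIL}
    if isset "${2}"; then
        printf '%s\n' "${digest}" | sed -n 's/.*\([A-Fa-f0-9]\{64\}\).*/\1/p'
    else
        printf '%s\n' "${digest}"
    fi
    return ${E_OK}
}

# <file> <perm> <user:group> [0|1 <id> <desc>]
# 1 - verbose
# 0 - quiet
# Compares the mode (octal, e.g. 644 or 4755) and the owner of <file>
# with the required values. Returns E_OK only when both match exactly,
# E_FAIL when the file is missing, the mode differs or the owner differs.
# A mode that merely lacks bits of <perm> (stricter) is reported as INFO;
# one that grants bits <perm> does not is a WARNING, as is a wrong owner.
# Reports are printed only in verbose mode.
# stat(1) is called without -L, so a symlink is judged by its own mode and
# owner rather than its target's.
function check_file_perm () {
    l_var file="${1}"
    l_var want_mode="${2}"
    l_var want_owner="${3}"
    l_int verbose="${4:-0}"
    l_var id="${5:-0}"
    l_var desc="${6:-unknown}"
    l_var ftype mode owner
    l_int rc=${E_OK}

    if ! [[ -e "${file}" ]]; then
        if (( verbose == 1 )); then
            report 'ERROR' "${id}" "Missing file or directory: \"${file}\" (${desc})"
        fi
        return ${E_FAIL}
    fi

    ftype="$(stat -c '%F' "${file}")"
    mode="$(stat -c '%a' "${file}")"
    owner="$(stat -c '%U:%G' "${file}")"

    # octal compare so "0644" and "644" are the same mode
    if (( 8#${mode} != 8#${want_mode} )); then
        rc=${E_FAIL}
        if (( (8#${mode} | 8#${want_mode}) == 8#${want_mode} )); then
            # every set bit is also in the required mode: stricter than
            # asked for, not an exposure, but still not the policy value
            if (( verbose == 1 )); then
                report 'INFO' "Permissions on ${ftype} \"${file}\" are more restrictive than required: ${mode} (${desc}, required permissions are ${want_mode})"
            fi
        else
            if (( verbose == 1 )); then
                report 'WARNING' "${id}" "Wrong permissions on ${ftype} \"${file}\": ${mode} (${desc}, required permissions are ${want_mode})"
            fi
        fi
    fi

    # exact match; the old substring grep accepted e.g. "xroot:root" and
    # the owner was not checked at all when the mode was wrong
    if [[ "${owner}" != "${want_owner}" ]]; then
        rc=${E_FAIL}
        if (( verbose == 1 )); then
            report 'WARNING' "${id}" "Wrong owner/group on ${ftype}: \"${file}\" (${desc}, required owner/group is ${want_owner})"
        fi
    fi

    return ${rc}
}

# args: <uid>
# Prints the login name of every passwd entry with that numeric uid, one
# per line (an id shared by several entries lists all of them, which a
# single getent key lookup would not). The id is compared as a value, not
# interpolated into a regex.
function uid2user () {
    getent passwd | awk -F: -v id="${1}" '$3 == id { print $1 }'
}

# args: <gid>
# Prints the name of every group entry with that numeric gid, one per
# line (the function name is historical; it resolves groups, not users).
function gid2user () {
    getent group | awk -F: -v id="${1}" '$3 == id { print $1 }'
}

# args: <path>
# Prints the absolute form of <path>; if its directory cannot be entered
# the path is printed back unchanged. The cd happens in a subshell with
# CDPATH cleared, so the caller's working directory is never changed and
# no CDPATH echo can leak into the result.
function rel2abs () {
    l_var dir fil abs
    dir="$(dirname -- "${1}")"
    fil="$(basename -- "${1}")"
    if abs="$(unset CDPATH; cd -- "${dir}" 2> /dev/null && pwd)"; then
        printf '%s\n' "${abs}/${fil}"
    else
        printf '%s\n' "${1}"
    fi
}

# is it an ordinary user?
# takes one param - username
# Returns E_OK when the account has a real shell (not /sbin/nologin) and a
# usable password hash; E_FAIL when the hash is empty, locked (leading "!"
# or "*", which crypt(3) can never match) or shorter than any valid hash
# (13 characters). Reading the hash needs shadow access, i.e. root;
# without it every account looks disabled.
function canLogIn {
    l_var shell hash
    shell="$(getent passwd "${1}" | cut -d: -f 7)"
    if [[ "${shell}" == "/sbin/nologin" ]]; then
        return ${E_FAIL}
    fi
    # local so the hash does not linger in a global after the call
    hash="$(getent shadow "${1}" | cut -d: -f 2)"
    case "${hash}" in
        ''|'!'*|'*'*) return ${E_FAIL} ;;
    esac
    if (( ${#hash} < 13 )); then
        return ${E_FAIL}
    fi
    return ${E_OK}
}

# gets a value of a constant defined in a c/c++ header file by #define
# usage example:
#   getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
#   echo $ReturnVal
# The value is stored in the global ReturnVal and also returned as the
# exit status (the shell truncates that to 8 bits, so read ReturnVal for
# anything that may exceed 255). On an unreadable file or an undefined
# constant a WARNING is reported and 0 / ReturnVal=0 is returned; the
# warning id 1234 is a placeholder inherited from the original.
function getValueFromH {
    l_var file="${1}"
    l_var name="${2}"
    l_var value
    l_int rv=0
    ReturnVal=0

    if ! [[ -r "${file}" ]]; then
        report 'WARNING' 1234 "Can't read a constant ${name}, header file ${file} not found"
        return 0
    fi
    # whole-identifier match (the old "^#define NAME..*" also matched
    # NAME_FOO), and tabs or spaces between the fields
    value="$(awk -v n="${name}" '$1 == "#define" && $2 == n { print $3; exit }' "${file}")"
    if [[ -z "${value}" ]]; then
        report 'WARNING' 1234 "Can't read a constant ${name} from file ${file}, definition of the constant not found in this file"
        return 0
    fi
    # integer assignment evaluates simple expressions such as (1<<3)
    rv="${value}" 2> /dev/null
    ReturnVal=${rv}
    return ${rv}
}

# function isValidName
# tests a string whether it is a valid group/user name
# 1 - true
# 0 - false
# (the inverse of the E_OK/E_FAIL convention used elsewhere in this file)
function isValidName {
    # first char: alnum, '_' or '.'; middle: also '-'; an optional final
    # '$' allows samba machine accounts. No '/', whitespace or control
    # characters, and an embedded newline fails the whole-string match.
    l_const allowedNamesRegex='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
    # C locale so the a-z/A-Z ranges are ASCII only regardless of the
    # caller's locale; the subshell scopes that change. Matching in-shell
    # keeps the candidate off stdout (the old egrep echoed it).
    if ( LC_ALL=C; [[ "${1}" =~ ${allowedNamesRegex} ]] ); then
        return 1
    fi
    return 0
}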