Imported Upstream version 1.4~svn361

Devon Kearns
2012-12-20 15:42:13 -07:00
commit a75bafe602
147 changed files with 331854 additions and 0 deletions

247
lib/misc/binary Normal file

@ -0,0 +1,247 @@
#!/bin/sh
# $Revision: 332 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux, AIX, Solaris
if [ -z "${binaryincluded}" ]
then
binaryincluded=1
. lib/misc/dependencies
. lib/misc/validate
binary_list_rpath () {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- ""
elif [ "`uname`" = "AIX" ]
then
dumpflag=0
dump -Hv -X 32_64 "$(unknown)" | while read line
do
if [ "${dumpflag}" -eq 1 ]
then
printf -- "${line}\n" | while read index base member
do
if [ "${index}" -eq 0 ]
then
printf -- "${base}\n" | tr ":" "\n" | while read filename
do
printf -- "$(unknown)\n"
done
fi
done
fi
if [ -n "`printf -- "${line}\n" | grep "INDEX"`" ]
then
dumpflag=1
fi
done | sort | uniq
elif [ "`uname`" = "SunOS" ]
then
dump -Lv "$(unknown)" | grep "RPATH" | while read _ header rpath
do
printf -- "${rpath}\n" | tr ":" "\n" | while read filename
do
printf -- "$(unknown)\n"
done
done | sort | uniq
dump -Lv "$(unknown)" | grep "RUNPATH" | while read _ header rpath
do
printf -- "${rpath}\n" | tr ":" "\n" | while read filename
do
printf -- "$(unknown)\n"
done
done | sort | uniq
else
objdump -x "$(unknown)" | grep -i "RPATH" | while read header rpath
do
printf -- "${rpath}\n" | tr ":" "\n" | while read filename
do
printf -- "$(unknown)\n"
done
done | sort | uniq
objdump -x "$(unknown)" | grep -i "RUNPATH" | while read header rpath
do
printf -- "${rpath}\n" | tr ":" "\n" | while read filename
do
printf -- "$(unknown)\n"
done
done | sort | uniq
fi
}
binary_pie() {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- "1\n"
elif [ "`uname`" = "Linux" ]
then
if [ -n "`objdump -x "$(unknown)" | head -5 | grep "DYNAMIC"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
else
printf -- "0\n"
fi
}
binary_relro_full() {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- "1\n"
elif [ "`uname`" = "Linux" ]
then
if [ -n "`objdump -x "$(unknown)" | grep "BIND_NOW"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
else
printf -- "0\n"
fi
}
binary_relro() {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- "1\n"
elif [ "`uname`" = "Linux" ]
then
if [ -n "`objdump -x "$(unknown)" | head -30 | grep "RELRO"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
else
printf -- "0\n"
fi
}
binary_nx() {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- "1\n"
elif [ "`uname`" = "Linux" ]
then
isstackline="0"
oldifs="${IFS}"
IFS="\n"
objdump -x "$(unknown)" | head -30 | while read line
do
if [ "${isstackline}" -eq 1 ]
then
if [ -n "`printf -- \"${line}\" | egrep -- \" rw-$\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
break
elif [ -n "`printf -- \"${line}\" | grep "STACK "`" ]
then
isstackline="1"
fi
done
IFS="${oldifs}"
else
printf -- "0\n"
fi
}
binary_matches_string () {
filename="${1}"
pattern="${2}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
[ "`validate_is_string \"${pattern}\"`" ] || false
if [ -n "`strings \"$(unknown)\" | egrep -- \"${pattern}\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
binary_matches_string_grep () {
filename="${1}"
pattern="${2}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
[ "`validate_is_string \"${pattern}\"`" ] || false
if [ -n "`strings \"$(unknown)\" | grep -- \"${pattern}\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
binary_matches_function () {
filename="${1}"
pattern="${2}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
[ "`validate_is_string \"${pattern}\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- "0\n"
elif [ -n "`objdump -T "$(unknown)" | egrep "${pattern}"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
binary_banned_api () {
filename="${1}"
pattern="${2}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
[ "`validate_is_string \"${pattern}\"`" ] || false
# skip textual files (bash scripts, python scripts, etc)
if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]
then
printf -- ""
else
printf -- "`objdump -T "$(unknown)" | egrep -o "${pattern}" | sort -u | xargs | tr " " ","`"
fi
}
fi
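Review bot: The guard on L43, `[ "$(file_is_regular_file "${filename}")" ] || false` in its backquoted form, never rejects anything: file_is_regular_file (lib/misc/file, L833-843 of this commit) prints `0` or `1`, both non-empty strings, so the test is always true, and `|| false` without `set -e` stops nothing. The same guard opens every function here (L106, L125, L144, L163, L197, L209, L221, L237) and recurs in lib/misc/cron L365, lib/misc/file L788/L799/L810 and lib/misc/init L1108; `[ "$(file_is_regular_file "${filename}")" -eq 1 ] || return 1` makes it effective (the variable set on L42 is rendered as `$(unknown)` on this page). Separately, RPATH/RUNPATH strings and symbol names read from the inspected binary are used as printf format strings (`printf -- "${rpath}\n"` on L75, L82, L90, L97 and the backquoted objdump output on L244), so a `%` in that data is interpreted as a conversion; `printf -- "%s\n" "${rpath}"` keeps it literal.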

144
lib/misc/cron Normal file

@ -0,0 +1,144 @@
#!/bin/sh
# $Revision: 354 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${cronincluded}" ]
then
cronincluded=1
. lib/misc/file
. lib/misc/parse
. lib/misc/user
. lib/misc/validate
cron_crontab_list () {
crontab -l | egrep -v "^#|^$" | while read minute hour dom mon dow command arguments
do
# Examples of ${command} ${arguments}:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 30 6 * * * id > /tmp/test
printf -- "`user_show_user_name` ${command}\n"
done
}
cron_crontabs_list () {
file_show_perms " /var/spool/cron/crontabs/" | while read filename permissions userid groupid
do
case "${permissions}" in
-?????????)
# ignore user's own crontab file as it is retrieved by cron_crontab_list function
if [ "$(unknown)" != "`user_show_user_name`" ]
then
printf -- "${userid} $(unknown)\n"
fi
;;
l?????????)
printf -- "${userid} `file_show_symlinked_filename \"$(unknown)\"`\n"
;;
d?????????)
# ignore directories
continue
;;
esac
done
}
cron_system_crontab_list () {
cat "/etc/crontab" | egrep -v "^#|^$" | egrep -v "run-parts " | while read minute hour dom mon dow user command arguments
do
# Example of /etc/crontab lines:
# 18 23 2 * * luther command args
# 19 21 3 * * wu dir > /tmp/dir
if [ -n "${user}" -a -n "${command}" ]
then
printf -- "${user} ${command}\n"
fi
done
}
cron_system_get_user () {
filepath="${1}"
[ "`validate_is_string \"${filepath}\"`" ] || false
filepath="`dirname \"${filepath}\"`"
cat "/etc/crontab" | egrep -v "^#|^$" | egrep -- "run-parts " | while read minute hour dom mon dow user command arguments
do
# Example of /etc/crontab lines:
# 17 * * * * root cd / && run-parts --report /etc/cron.hourly
# 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
if [ -n "`printf -- \"${arguments}\" | egrep -- \" ${filepath}\"`" ]
then
printf -- "${user}\n"
break
fi
done
}
cron_system_list () {
file_show_perms " /etc/cron\." | while read filename permissions _ _
do
userid="`cron_system_get_user \"$(unknown)\"`"
if [ -z "${userid}" ]
then
userid="root"
fi
case "${permissions}" in
-?????????)
printf -- "${userid} $(unknown)\n"
;;
l?????????)
printf -- "${userid} `file_show_symlinked_filename \"$(unknown)\"`\n"
;;
d?????????)
# ignore directories
continue
;;
esac
done
}
cron_file_extract_paths () {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
parse_extract_absolute_filepaths "`cat -- \"$(unknown)\"`" | while read filepath
do
# do not return file paths that do not exist, are device files or are within /proc
if [ "`file_exists_file \"${filepath}\"`" -ne 1 -o -n "`printf -- \"${filepath}\" | egrep -- \"^/dev/\"`" -o -n "`printf -- \"${filepath}\" | egrep -- \"^/proc/\"`" ]
then
continue
# follow symbolic links
elif [ -h "${filepath}" ]
then
symlinkedfilepath="`file_show_symlinked_filename \"${filepath}\"`"
if [ -n "${symlinkedfilepath}" -a "`file_is_directory \"${symlinkedfilepath}\"`" -ne 1 ]
then
printf -- "root ${symlinkedfilepath}\n"
fi
# ignore directories
elif [ "`file_is_directory \"${filepath}\"`" -ne 1 ]
then
printf -- "root ${filepath}\n"
fi
done
}
fi
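Review bot: cron_system_get_user's match on L334, `egrep -- " ${filepath}"`, is an unanchored prefix match, so for a file under /etc/cron.d the pattern ` /etc/cron.d` also matches the `run-parts --report /etc/cron.daily` line shown in the L333 example, and the script is attributed to whichever matching entry comes first. Anchoring the end of the path, `egrep -- " ${filepath}( |$)"`, fixes the prefix case; the `.` in the directory name is still a regex metacharacter, so an exact string comparison of the run-parts argument would be stricter. The crontab parsers on L284 and L314 also read variable-assignment lines (`SHELL=/bin/sh`) and `@reboot`-style schedules as five schedule fields, so the reported command is then the wrong word; excluding `^[A-Za-z_]+=` lines and handling `@` entries before the read avoids that. Data read from crontabs is also used as the printf format string (L289, L300, L321); `printf -- "%s %s\n" "${user}" "${command}"` keeps a `%` in a command literal.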

43
lib/misc/dependencies Normal file

@ -0,0 +1,43 @@
#!/bin/sh
# $Revision: 228 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux, Solaris
if [ -z "${dependenciesincluded}" ]
then
dependenciesincluded=1
. lib/misc/stdio
dependencies_check () {
# TODO the principle is solid, but at the moment it only caters for Linux
#if [ -z "`which objdump`" -o -z "`which strings`" ]
#then
# stdio_message_error "dependencies" "missing mandatory tool (objdump or strings), install binutils and rerun"
# #exit 127
#fi
false
}
dependencies_check
fi
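Review bot: dependencies_check (L420-428) is a stub that always returns `false`, and its only caller on L429 neither checks the status nor runs under `set -e`, so a missing objdump or strings is never reported; the lib/misc/binary checks in this commit then emit empty output, which reads as "no RPATH / no match" rather than as an error. The commented-out test uses `which`, which the L742 comment in lib/misc/file notes prints its failure to stdout on AIX and Solaris; `command -v objdump >/dev/null 2>&1 || stdio_message_error "dependencies" "missing mandatory tool (objdump or strings), install binutils and rerun"` is portable and keeps the existing message. Until the check is real, a comment above L427 saying the function is a placeholder whose status is ignored would save the next reader a search.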

216
lib/misc/device Normal file

@ -0,0 +1,216 @@
#!/bin/sh
# $Revision: 337 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${deviceincluded}" ]
then
deviceincluded=1
. lib/misc/file
. lib/misc/validate
device_fstab_check () {
if [ "`file_is_readable_file \"/etc/fstab\"`" -eq 1 ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
device_fstab_list () {
if [ "`device_fstab_check`" -eq 1 ]
then
cat "/etc/fstab" | egrep -v "^#|^$" | while read device mountpoint filesystem options _ _
do
if [ -n "`printf -- \"${device}\" | egrep -- \"^/\"`" ]
then
printf -- "${device}\n"
fi
done | sort | uniq
fi
}
device_mounted_list () {
if [ "`uname`" = "SunOS" ]
then
mount | egrep -- "xattr" | while read device _ mountpoint _ filesystem options
do
if [ "`printf -- \"${device}\" | egrep -- \"^/\"`" ]
then
printf -- "${device}\n"
fi
done | sort | uniq
else
mount | while read device _ mountpoint _ filesystem options
do
if [ "`printf -- \"${device}\" | egrep -- \"^/\"`" ]
then
printf -- "${device}\n"
fi
done | sort | uniq
fi
}
device_blkid_list () {
[ "`file_show_real_filename \"blkid\"`" ] || false
blkid="`file_show_real_filename \"blkid\"`"
blkid -o device | while read device
do
printf -- "${device}\n"
done | sort | uniq
}
device_swap_list () {
# TODO does uname return HP-UX or HPUX?
if [ "`uname`" = "HP-UX" ]
then
swapinfo | egrep -v "^dev" | egrep -- "^/" | while read _ _ _ _ _ _ _ _ device _
do
printf -- "${device}\n"
done | sort | uniq
else
swapon -s | egrep -- "^/" | while read device _ _ _ _
do
printf -- "${device}\n"
done | sort | uniq
fi
}
device_list () {
device_mounted_list
device_fstab_list
device_blkid_list
device_swap_list
}
device_list_options () {
if [ "`device_fstab_check`" -eq 1 ]
then
cat "/etc/fstab" | egrep -v "^#|^$" | while read device mountpoint filesystem options _ _
do
# retrieve device file path from UUID representation
if [ -n "`printf -- \"${device}\" | egrep -- \"^UUID=\"`" ]
then
uuid="`printf \"${device}\" | cut -c6-`"
device="`device_uuid_to_filename \"${uuid}\"`"
# ignore swap
elif [ "${filesystem}" = "swap" ]
then
continue
fi
printf -- "${device} ${options}\n"
done
fi
}
device_get_mountpoint_from_blkid () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
[ "`file_show_real_filename \"blkid\"`" ] || false
blkid="`file_show_real_filename \"blkid\"`"
#blkid -o list | while read device filesystem label mountpoint uuid
blkid -o list | while read device filesystem mountpoint uuid
do
if [ "${device}" = "${pattern}" ]
then
printf -- "${mountpoint}\n"
fi
done
}
device_get_mountpoint_from_fstab () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
if [ "`device_fstab_check`" -eq 1 ]
then
cat "/etc/fstab" | egrep -v "^#|^$" | while read device mountpoint filesystem options _ _
do
if [ "${device}" = "${pattern}" ]
then
printf -- "${mountpoint}\n"
fi
done
fi
}
device_get_mountpoint_from_mount () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
mount | egrep -- "^${pattern}" | while read device _ mountpoint _ _ _
do
if [ "${device}" = "${pattern}" ]
then
printf -- "${mountpoint}\n"
fi
done
}
device_get_mountpoint () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
if [ -n "`device_get_mountpoint_from_mount \"${pattern}\" | egrep -- \"^/\"`" ]
then
printf -- "`device_get_mountpoint_from_mount \"${pattern}\" | egrep -- \"^/\"`\n"
elif [ -n "`device_get_mountpoint_from_fstab \"${pattern}\" | egrep -- \"^/\"`" ]
then
printf -- "`device_get_mountpoint_from_fstab \"${pattern}\" | egrep -- \"^/\"`\n"
elif [ -n "`device_get_mountpoint_from_blkid \"${pattern}\" | egrep -- \"^/\"`" ]
then
printf -- "`device_get_mountpoint_from_blkid \"${pattern}\" | egrep -- \"^/\"`\n"
fi
}
device_uuid_to_filename () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
[ "`file_show_real_filename \"blkid\"`" ] || false
blkid="`file_show_real_filename \"blkid\"`"
#blkid -o list | while read device filesystem label mountpoint uuid
blkid -o list | while read device filesystem mountpoint uuid
do
if [ "${uuid}" = "${pattern}" ]
then
printf -- "${device}\n"
break
fi
done
}
device_is_swap () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
ret="0"
device_swap_list | while read device
do
if [ "${device}" = "${pattern}" ]
then
ret="1"
break
fi
done
printf -- "${ret}\n"
}
fi
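Review bot: device_is_swap can never report 1: `ret="1"` on L628 is assigned inside a `while` fed by a pipeline (L624), which /bin/sh runs in a subshell, so the `ret` printed on L632 is always the `0` set on L623. group_is_in_group_id and group_is_in_group_name in lib/misc/group (L943-970) have the same shape. A pipeline-free test such as `if device_swap_list | grep -Fqx -- "${pattern}"; then printf -- "1\n"; else printf -- "0\n"; fi` gives the intended result. Also, the `blkid` path resolved via file_show_real_filename on L506, L556 and L609 is stored but never used, since the bare `blkid` on L507, L558 and L611 goes through PATH; either call `"${blkid}"` or drop the assignment.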

258
lib/misc/file Normal file

@ -0,0 +1,258 @@
#!/bin/sh
# $Revision: 351 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: AIX, Solaris, Linux
if [ -z "${fileincluded}" ]
then
fileincluded=1
filecachefilename="files_cache.temp"
filecacherootpath="/"
. lib/misc/stdio
. lib/misc/validate
file_check_or_generate_cache () {
if [ ! -f "${filecachefilename}" ]
then
stdio_message_log "file" "Generating file cache..."
# the below looks a bit odd but it's the best way to normalise file's output since we're not interested in inodes, device major/minor numbers etc
find "${filecacherootpath}" -ls | sed "s/%/%%/g" | while read _ _ permissions _ userid groupid _ _ _ _ filename restofline
do
printf -- "${permissions} ${userid} ${groupid} $(unknown)"
if [ -n "${restofline}" ]
then
printf -- " ${restofline}"
fi
printf "\n"
done >"${filecachefilename}"
stdio_message_log "file" "Cache generated..."
fi
}
file_list_by_perm () {
# patterns must always take the form "^.......... " i.e. regular expressions. for example "^...s...... |^....S...... " will select setuid binaries
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -- "${pattern}" "${filecachefilename}" | while read permissions userid groupid filename _
do
printf -- "$(unknown)\n"
done
}
file_list_by_filename () {
# patterns must always take the form " /path/*/find" i.e. regular expressions
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
# this will only work for files, not dirs - mostly what we want I think
egrep -- "^-.*${pattern}" "${filecachefilename}" | while read permissions userid groupid filename _
do
# TODO what if pattern matches on symlink? we may still revert to glob() style checking
printf -- "$(unknown)\n"
done
}
file_show_perms () {
# patterns must always take the form " /path/*/find" (permission are allowed too i.e. "^........w. ") regular expressions
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -- "${pattern}" "${filecachefilename}" | while read permissions userid groupid filename _
do
# TODO what if pattern matches on symlink? we may still revert to glob() style checking
printf -- "$(unknown) ${permissions} ${userid} ${groupid}\n"
done
}
file_show_non_symlink_perms () {
# patterns must always take the form " /path/*/find" (permission are allowed too i.e. "^........w. ") regular expressions
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -- "${pattern}" "${filecachefilename}" | while read permissions userid groupid filename _
do
case "${permissions}" in
l?????????)
continue
;;
*)
printf -- "$(unknown) ${permissions} ${userid} ${groupid}\n"
;;
esac
done
}
file_show_real_filename () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
# TODO we could be smarter about this, but for now, which should suffice.. alternatives could include whereis, locate etc
case "${pattern}" in
/*)
printf -- "${pattern}\n"
;;
*)
# AIX errors to stdout, ideally we'd use $? but which on Solaris doesn't exit() differently depending on result :(
# TODO maybe we should break it out with uname checks?
realfilename="`which \"\`basename \\\"${pattern}\\\"\`\" 2>&1 | egrep -v \"There is no |^no \"`"
if [ -n "${realfilename}" ]
then
printf -- "${realfilename}\n"
fi
;;
esac
}
file_show_symlinked_filename () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
# leave grep here otherwise libraries with ++ in the name will not be grepped properly (i.e. /usr/lib/i386-linux-gnu/libstdc++.so.6.0.16)
grep -- " ${pattern} ->" "${filecachefilename}" | while read permissions userid groupid filename _ linkedfilename
# FIXME The grep above is not always effective. Example: if file_show_symlinked_filename is passed "/lib64/ld-linux-x86-64.so.2"
# "/lib64/ld-linux-x86-64.so.2" does not appear in files_cache.temp
# Why? Because /lib64 is a symlink to /lib. The "find" therefore never recurses through /lib64.
# I have enabled lots of debug statements. To recreate the bug, run ./upc.sh --check binary_dependency
# and look for "linkedlibrary=" in the output - i.e. the linkedlibrary is empty.
do
# echo "file_show_symlinked_filename in loop with ${linkedfilename}" 1>&2
case "${linkedfilename}" in
/*)
if [ -h "${linkedfilename}" ]
then
file_show_symlinked_filename "${linkedfilename}"
else
printf -- "${linkedfilename}\n"
#stdio_message_debug "file" "file_show_symlinked_filename returning ${linkedfilename}"
fi
;;
# TODO handle the case where symlinked file is a relative path (e.g. ../linkedfilename)
*)
if [ -n "${linkedfilename}" ]
then
printf -- "`dirname \"$(unknown)\"`/${linkedfilename}\n"
#stdio_message_debug "file" "file_show_symlinked_filename returning `dirname \"$(unknown)\"`/${linkedfilename}"
fi
;;
esac
done
}
file_matches_string () {
filename="${1}"
pattern="${2}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
[ "`validate_is_string \"${pattern}\"`" ] || false
if [ -n "`egrep \"${pattern}\" \"$(unknown)\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
file_parent_traverse () {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
# start with the dependency itself and then use dirname to find the parent directory
while [ "$(unknown)" != "/" ]
do
printf -- "$(unknown)\n"
# find the parent directory
filename="`dirname \"$(unknown)\"`"
done
}
file_is_textual () {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
if [ -n "`file \"$(unknown)\" | grep -i \" text\"`" ]
then
printf -- "1\n"
# consider empty files as textual files
elif [ -n "`file \"$(unknown)\" | grep -i \" empty\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
file_exists_file () {
filename="${1}"
[ "`validate_is_string \"$(unknown)\"`" ] || false
if [ -e "$(unknown)" ]
then
printf -- "1\n"
else
#stdio_message_error "file" "$(unknown) does not exist"
printf -- "0\n"
fi
}
file_is_regular_file () {
filename="${1}"
[ "`validate_is_string \"$(unknown)\"`" ] || false
if [ -f "$(unknown)" ]
then
printf -- "1\n"
else
#stdio_message_error "file" "$(unknown) is not a regular file"
printf -- "0\n"
fi
}
file_is_readable_file () {
filename="${1}"
[ "`validate_is_string \"$(unknown)\"`" ] || false
if [ -e "$(unknown)" -a -r "$(unknown)" ]
then
printf -- "1\n"
else
#stdio_message_error "file" "$(unknown) is not readable"
printf -- "0\n"
fi
}
file_is_directory () {
filename="${1}"
[ "`validate_is_string \"$(unknown)\"`" ] || false
if [ -e "$(unknown)" -a -d "$(unknown)" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
file_is_basename () {
filepath="${1}"
filename="${2}"
[ "`validate_is_string \"${filepath}\"`" ] || false
[ "`validate_is_string \"$(unknown)\"`" ] || false
if [ "`basename \"${filepath}\"`" = "$(unknown)" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
file_check_or_generate_cache
fi
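Review bot: file_check_or_generate_cache trusts any existing `files_cache.temp` (L666, L671): the name is fixed and relative to the working directory, and a file of that name is reused without checking owner, mode or age, so a stale or foreign file becomes the audit's view of the filesystem; `-f` also follows symlinks, so a dangling link of that name passes the check and L683 creates its target. Creating the cache with `mktemp` in a private directory, or at least refusing a pre-existing file not owned by the current user, and documenting on L666 that the cache lives in the working directory, would close that. file_parent_traverse (L797-807) also loops forever on a relative path: `dirname foo` yields `.` and `dirname .` yields `.`, which never equals `/`; `while [ "${filename}" != "/" -a "${filename}" != "." ]` terminates. Throughout the file `read` is used without `-r`, so backslashes in cached filenames are decoded on the way back out; `read -r` preserves them.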

113
lib/misc/group Normal file

@ -0,0 +1,113 @@
#!/bin/sh
# $Revision: 279 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${groupincluded}" ]
then
groupincluded=1
. lib/misc/validate
group_is_trusted () {
group="${1}"
[ "`validate_is_string \"${group}\"`" ] || false
# TODO write this
false
}
group_is_root () {
group="${1}"
[ "`validate_is_string \"${group}\"`" ] || false
# TODO write this
false
}
group_is_group_id () {
groupid="${1}"
[ "`validate_is_number \"${groupid}\"`" ] || false
if [ "`group_show_group_id`" = "${groupid}" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
group_is_group_name () {
group="${1}"
[ "`validate_is_string \"${group}\"`" ] || false
if [ "`group_show_group_name`" = "${group}" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
group_is_in_group_id () {
groupid="${1}"
ret="0"
[ "`validate_is_number \"${groupid}\"`" ] || false
group_show_group_ids | while read usergroupid
do
if [ "${usergroupid}" = "${groupid}" ]
then
ret="1"
break
fi
done
printf -- "${ret}\n"
}
group_is_in_group_name () {
group="${1}"
ret="0"
[ "`validate_is_string \"${group}\"`" ] || false
group_show_group_names | while read usergroup
do
if [ "${usergroup}" = "${group}" ]
then
ret="1"
break
fi
done
printf -- "${ret}\n"
}
group_show_group_id () {
printf -- "`id -g`\n"
}
group_show_group_ids () {
printf -- "`id -G | tr \" \" \"\n\"`\n"
}
group_show_group_name () {
printf -- "`id -g -n`\n"
}
group_show_group_names () {
printf -- "`id -G -n | tr \" \" \"\n\"`\n"
}
fi
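Review bot: group_is_trusted and group_is_root (L911-922) print nothing and return `false`, while every other predicate in this file prints `0` or `1`; a caller that compares the empty result with `-eq 1` gets a `[` operand error rather than a false. Until they are implemented, `printf -- "0\n"` after the TODO keeps the contract uniform, and the TODO comment should state that the check is unimplemented and always reports not-trusted / not-root so that no consumer mistakes the stub for a pass.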

74
lib/misc/inetd Normal file

@ -0,0 +1,74 @@
#!/bin/sh
# $Revision: 229 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${inetdincluded}" ]
then
inetdincluded=1
. lib/misc/validate
inetd_list () {
egrep -v "^#|^$" "/etc/inetd.conf" | while read portnumber sockettype protocol flags userid command arguments argumentsarguments
do
printf -- "${portnumber}-${protocol}\n";
done
}
inetd_show_command () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -v "^#|^$" "/etc/inetd.conf" | while read portnumber sockettype protocol flags userid command arguments argumentsarguments
do
if [ "${portnumber}-${protocol}" = "${pattern}" ]
then
printf -- "${command}\n"
fi
done
}
inetd_show_userid () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -v "^#|^$" "/etc/inetd.conf" | while read portnumber sockettype protocol flags userid command arguments argumentsarguments
do
if [ "${portnumber}-${protocol}" = "${pattern}" ]
then
printf -- "${userid}\n"
fi
done
}
inetd_show_arguments () {
pattern="${1}"
[ "`validate_is_string \"${pattern}\"`" ] || false
egrep -v "^#|^$" "/etc/inetd.conf" | while read portnumber sockettype protocol flags userid command arguments argumentsarguments
do
if [ "${portnumber}-${protocol}" = "${pattern}" ]
then
printf -- "${arguments}\n"
fi
done
}
fi
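Review bot: The field names on L1017, L1025, L1036 and L1047 mislabel /etc/inetd.conf: its first column is the service name (e.g. `ftp`), not a port number, so the key built as `${portnumber}-${protocol}` is really service-protocol; a comment above inetd_list giving the column layout (`service socket_type protocol flags user server args`) and renaming `portnumber` to `servicename` would stop readers looking the key up by port. The same parse is repeated four times; one helper that emits the fields, with the three show functions filtering on `${servicename}-${protocol}`, keeps them in step. `read` without `-r` also mangles backslashes in the arguments column; `read -r` is the safe default.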

75
lib/misc/init Normal file

@ -0,0 +1,75 @@
#!/bin/sh
# $Revision: 355 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${initincluded}" ]
then
initincluded=1
. lib/misc/file
. lib/misc/parse
. lib/misc/user
. lib/misc/validate
init_list () {
file_show_perms " /etc/init.d/" | while read filename permissions userid groupid
do
if [ -h "$(unknown)" ]
then
symlinkedfilename="`file_show_symlinked_filename \"$(unknown)\"`"
if [ -n "${symlinkedfilename}" -a "`file_is_directory \"${symlinkedfilename}\"`" -ne 1 ]
then
printf -- "root ${symlinkedfilename}\n"
fi
else
printf -- "root $(unknown)\n"
fi
done
}
init_file_extract_paths () {
filename="${1}"
[ "`file_is_regular_file \"$(unknown)\"`" ] || false
parse_extract_absolute_filepaths "`cat -- \"$(unknown)\"`" | while read filepath
do
# do not return file paths that do not exist, are device files or are within /proc
if [ "`file_exists_file \"${filepath}\"`" -ne 1 -o -n "`printf -- \"${filepath}\" | egrep -- \"^/dev/\"`" -o -n "`printf -- \"${filepath}\" | egrep -- \"^/proc/\"`" ]
then
continue
# follow symbolic links
elif [ -h "${filepath}" ]
then
symlinkedfilepath="`file_show_symlinked_filename \"${filepath}\"`"
if [ -n "${symlinkedfilepath}" -a "`file_is_directory \"${symlinkedfilepath}\"`" -ne 1 ]
then
printf -- "root ${symlinkedfilepath}\n"
fi
# ignore directories
elif [ "`file_is_directory \"${filepath}\"`" -ne 1 ]
then
printf -- "root ${filepath}\n"
fi
done
}
fi
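Review bot: init_file_extract_paths (L1106-1129) is a line-for-line copy of cron_file_extract_paths in lib/misc/cron (L363-386) of this commit; moving the body into lib/misc/file as a shared `file_extract_paths` and having both call it keeps the path-filtering rules (skip missing paths, /dev, /proc and directories, follow symlinks) in one place. In init_list the `userid` and `groupid` read on L1092 are discarded and every entry is printed with a hard-coded `root` (L1099, L1102); if that is intentional because init scripts run as root, a one-line comment saying so would help, otherwise `${userid}` is already available. The `-o`/`-a` chains inside `[` on L1112 and L1119 are the forms POSIX marks obsolescent; separate `[ ]` tests joined with `||`/`&&` are unambiguous.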

58
lib/misc/inittab Normal file

@ -0,0 +1,58 @@
#!/bin/sh
# $Revision: 321 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux
if [ -z "${inittabincluded}" ]
then
inittabincluded=1
. lib/misc/file
inittab_check () {
if [ "`file_is_readable_file \"/etc/inittab\"`" -eq 1 ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
inittab_list () {
if [ "`inittab_check`" -eq 1 ]
then
oldifs="${IFS}"
IFS=":"
egrep -v "^#|^$" "/etc/inittab" | while read _ _ _ filename _
do
IFS="${oldifs}"
if [ "`file_is_regular_file \"$(unknown)\"`" -eq 1 ]
then
printf -- "root $(unknown)\n"
fi
IFS=":"
done
IFS="${oldifs}"
fi
}
fi
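Review bot: With `IFS=":"` on L1175 the fourth `read` field on L1176 is the whole process column, so an entry whose process carries arguments (e.g. a getty line such as `/sbin/getty 38400 tty1`) yields a `filename` containing spaces, file_is_regular_file on L1179 reports 0, and the entry is silently dropped. Taking the first word, `filename="${filename%% *}"`, before the L1179 test keeps those entries. The per-iteration IFS toggling on L1178 and L1183 is unnecessary because every expansion in the loop body is quoted; the single restore on L1185 suffices, and `read -r` should be used so backslashes in the process column survive.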

169
lib/misc/kernel Normal file

@ -0,0 +1,169 @@
#!/bin/sh
# $Revision: 324 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux, AIX, Solaris
if [ -z "${kernelincluded}" ]
then
kernelincluded=1
. lib/misc/dependencies
. lib/misc/file
. lib/misc/validate
kernel_aslr_pax() {
if [ -n "`cat /proc/1/status | grep \"PaX:\" | grep \"R\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
kernel_aslr() {
if [ "`uname`" = "Linux" ]
then
sysctl kernel.randomize_va_space | while read _ _ value
do
printf -- "${value}\n"
break
done
else
printf -- "0\n"
fi
}
kernel_nx() {
if [ "`uname`" = "Linux" ]
then
if [ -n "`egrep -- \"^flags\" /proc/cpuinfo | egrep -- \"nx\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
elif [ "`uname`" = "SunOS" ]
then
if [ -n "`egrep -- \"noexec_user_stack\" /etc/system | egrep -v \"_log\" | egrep -- \"1\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
# TODO does uname return HP-UX or HPUX?
elif [ "`uname`" = "HP-UX" ]
then
kmtune -q "executable_stack" | egrep -- \"executable_stack\" | while read _ value _
do
case "${value}" in
0)
printf -- "1\n"
;;
1)
printf -- "0\n"
;;
esac
done
fi
}
kernel_nx_logging () {
if [ "`uname`" = "SunOS" ]
then
if [ -n "`egrep -- \"noexec_user_stack_log\" /etc/system | egrep -- \"1\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
# TODO does uname return HP-UX or HPUX?
elif [ "`uname`" = "HP-UX" ]
then
kmtune -q "executable_stack" | egrep -- \"executable_stack\" | while read _ value _
do
case "${value}" in
2)
printf -- "0\n"
;;
*)
printf -- "1\n"
;;
esac
done
else
printf -- "0\n"
fi
}
kernel_nx_audit () {
if [ "`uname`" = "SunOS" ]
then
if [ -n "`egrep -- \"c2audit:audit_load\" /etc/system | egrep -- \"1\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
else
printf -- "0\n"
fi
}
kernel_mmap_zero_allowed () {
if [ "`uname`" = "Linux" ]
then
if [ "`cat /proc/sys/vm/mmap_min_addr`" -eq 0 -o -z "`cat /proc/sys/vm/mmap_min_addr`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
else
printf -- "0\n"
fi
}
kernel_selinux_enforce () {
if [ "`file_exists_file \"/selinux/enforce\"`" -eq 1 ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
kernel_release() {
printf -- "`uname -r`\n"
}
kernel_release_is_backported() {
if [ -n "`kernel_version | egrep -- \"-\"`" ]
then
printf -- "1\n"
else
printf -- "0\n"
fi
}
fi
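Review bot: `kernel_release_is_backported` calls `kernel_version`, which this file does not define (the function just above it is `kernel_release`); unless one of the sourced libs provides it, the backtick produces an error plus an empty string and the check always prints 0. `kernel_mmap_zero_allowed` runs `cat /proc/sys/vm/mmap_min_addr` twice and feeds a possibly empty value to `-eq` before the `-z` test, so an unreadable file makes `test` fail with "integer expression expected" and the function reports 0 rather than unknown; read the value once into a variable and test `-z` first. `kernel_selinux_enforce` reports 1 on the mere existence of /selinux/enforce, but that file contains 0 in permissive mode, so its content should be compared rather than its presence. The `nx` test on the /proc/cpuinfo flags line is a substring match and would be tighter as `egrep -w -- "nx"`.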

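--- a/lib/misc/ldap
+++ b/lib/misc/ldap
@@ -0,0 +1,59 @@
+#!/bin/sh
+# $Revision: 340 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: AIX, Linux
+if [ -z "${ldapincluded}" ]
+then
+ldapincluded=1
+. lib/misc/file
+ldap_authentication_in_use () {
+# ldap_nis Uses LDAP NIS services for resolving names
+# ldap4 Uses LDAP services for resolving only IPv4 addresses
+# ldap6 Uses LDAP services for resolving only IPv6 addresses
+# ldap_nis4 Uses NIS LDAP services for resolving only IPv4 addresses
+# ldap_nis6 Uses NIS LDAP services for resolving only IPv6 addresses
+# ldap Uses LDAP services for resolving names
+if [ "`uname`" = "AIX" -a "`file_is_readable_file \"/etc/netsvc.conf\"`" -eq 1 ]
+then
+if [ -n "`egrep -- \"^host\" \"/etc/netsvc.conf\" | egrep -- \"ldap\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+elif [ "`file_is_readable_file \"/etc/nsswitch.conf\"`" -eq 1 ]
+then
+if [ -n "`egrep -- \"^passwd\" \"/etc/nsswitch.conf\" | egrep -- \"ldap\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+else
+printf -- "0\n"
+fi
+}
+fi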
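Review bot: The Linux branch of `ldap_authentication_in_use` greps the `passwd` line of /etc/nsswitch.conf for the substring `ldap` without stripping trailing comments, so a line such as `passwd: files # ldap disabled` is reported as LDAP in use; pipe through `sed 's/#.*//'` before the second egrep, and consider checking the `shadow` and `group` lines as well. `nis_authentication_in_use` in lib/misc/nis has the same shape and the same issue. The AIX branch reads the `hosts` line of netsvc.conf, which governs name resolution rather than authentication, so the function name overstates what that branch establishes.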

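--- a/lib/misc/linker
+++ b/lib/misc/linker
@@ -0,0 +1,101 @@
+#!/bin/sh
+# $Revision: 311 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux, AIX
+if [ -z "${linkerincluded}" ]
+then
+linkerincluded=1
+. lib/misc/file
+linker_list_dependencies () {
+filename="${1}"
+[ "`file_is_regular_file \"$(unknown)\"`" ] || false
+[ "`file_is_textual \"$(unknown)\"`" -eq 0 ] || false
+if [ "`uname`" = "AIX" ]
+then
+ldd "$(unknown)" | grep -v "needs:" | while read library
+do
+case "${library}" in
+/*)
+library="`printf -- \"${library}\" | sed \"s/(.*//g\"`"
+printf -- "${library}\n"
+;;
+esac
+done | sort | uniq
+else
+ldd "$(unknown)" | while read relativelibrary _ library _
+do
+case "${library}" in
+/*)
+printf -- "${library}\n"
+;;
+not)
+printf -- "${relativelibrary}\n"
+;;
+esac
+done | sort | uniq
+# this is for cases where the first column of the ldd is not a symlink (for example a ldd /bin/umount has amongst its libraries also /lib/ld-linux.so.2 (0xb76e6000), not symlinked)
+ldd "$(unknown)" | while read library _ _ _
+do
+case "${library}" in
+/*)
+printf -- "${library}\n"
+;;
+esac
+done | sort | uniq
+fi
+}
+linker_list_system_filenames () {
+if [ "`uname`" = "AIX" ]
+then
+printf -- "/lib\n"
+printf -- "/usr/lib\n"
+elif [ "`uname`" = "Linux" ]
+then
+while read line
+do
+case "${line}" in
+/*)
+printf -- "${line}\n"
+;;
+include*)
+printf -- "${line}\n" | while read _ filename
+do
+cat $(unknown) | while read line
+do
+case "${line}" in
+/*)
+printf -- "${line}\n"
+;;
+esac
+done
+done
+;;
+esac
+done <"/etc/ld.so.conf" | sort | uniq
+fi
+}
+fi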
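Review bot: `linker_list_dependencies` runs `ldd` on whatever path it is handed, and the ldd manual warns that ldd may execute the binary's own loader, so an audit run as root over files owned by other users can be made to run another user's code; prefer `objdump -p` or `readelf -d` (the NEEDED entries) or at least skip files not owned by root or the invoking user before calling `ldd`. The two guard lines `[ "\`file_is_regular_file …\`" ] || false` and `[ "\`file_is_textual …\`" -eq 0 ] || false` never leave the function, because `|| false` only sets a status that nothing tests; `|| return 1` would, and the same idiom appears in parse, passwd, permission, postgresql, process, ssh_agent and stdio. The first of those guards also tests for a non-empty string rather than `-eq 1`, so a `0` result passes. In `linker_list_system_filenames` the `cat` of an `include` target is relative to the current directory, whereas ld.so resolves relative include paths against /etc — worth a comment if that difference is intended.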

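--- a/lib/misc/nis
+++ b/lib/misc/nis
@@ -0,0 +1,60 @@
+#!/bin/sh
+# $Revision: 340 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: AIX, Linux
+if [ -z "${nisincluded}" ]
+then
+nisincluded=1
+. lib/misc/file
+nis_authentication_in_use () {
+# ldap_nis Uses LDAP NIS services for resolving names
+# nis4 Uses NIS services for resolving only IPv4 addresses
+# nis6 Uses NIS services for resolving only IPv6 addresses
+# nis+4 Uses NIS plus services for resolving only IPv4 addresses
+# nis+6 Uses NIS plus services for resolving only IPv6 addresses
+# ldap_nis4 Uses NIS LDAP services for resolving only IPv4 addresses
+# ldap_nis6 Uses NIS LDAP services for resolving only IPv6 addresses
+if [ "`uname`" = "AIX" -a "`file_is_readable_file \"/etc/netsvc.conf\"`" -eq 1 ]
+then
+if [ -n "`egrep -- \"^host\" \"/etc/netsvc.conf\" | egrep -- \"nis\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+elif [ "`file_is_readable_file \"/etc/nsswitch.conf\"`" -eq 1 ]
+then
+if [ -n "`egrep -- \"^passwd\" \"/etc/nsswitch.conf\" | egrep -- \"nis\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+else
+printf -- "0\n"
+fi
+}
+fi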

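--- a/lib/misc/parse
+++ b/lib/misc/parse
@@ -0,0 +1,55 @@
+#!/bin/sh
+# $Revision: 353 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: AIX, Solaris, Linux
+if [ -z "${parseincluded}" ]
+then
+parseincluded=1
+. lib/misc/file
+. lib/misc/validate
+parse_extract_absolute_filepaths () {
+pattern="${1}"
+if [ -z "${pattern}" ]
+then
+printf -- ""
+fi
+printf -- "${pattern}" | egrep -o "/[a-z|A-Z|0-9|/|-|_|.]*" | while read filepath
+do
+printf -- "${filepath}\n"
+done
+}
+parse_environ_cwd () {
+pid="${1}"
+[ "`validate_is_number \"${pid}\"`" ] || false
+if [ "`file_is_readable_file \"/proc/${pid}/environ\"`" -eq 1 ]
+then
+# the tail is because /proc/PID/environ contains multiple PWD values, only the last is the current working directory
+# the cut is to strip the 'PWD=' from the grepped pattern
+printf -- "`egrep -a -o \"PWD=/[a-z|A-Z|0-9|/|-|_|.]*\" \"/proc/${pid}/environ\" | tail -1 | cut -c5-`\n"
+fi
+}
+fi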
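Review bot: `parse_environ_cwd` derives a process's working directory from `PWD=` entries in /proc/PID/environ, but that block is the environment the process was started with and is under the process's own control, so a non-root process can present any directory it likes to the auditor (and the value is stale after any `chdir`); where /proc/PID/cwd exists, `readlink /proc/${pid}/cwd` is authoritative and should be tried first. In `parse_extract_absolute_filepaths` the empty-pattern branch prints nothing but does not return, and the next line uses `${pattern}` as the printf format string, so a `%` in the input is interpreted; use `printf -- '%s' "${pattern}"` and add a `return` to the guard. The bracket expression `[a-z|A-Z|0-9|/|-|_|.]` also admits `|` literally (the separators are not alternation inside brackets), which is probably unintended.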

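--- a/lib/misc/passwd
+++ b/lib/misc/passwd
@@ -0,0 +1,78 @@
+#!/bin/sh
+# $Revision: 278 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${passwdincluded}" ]
+then
+passwdincluded=1
+. lib/misc/validate
+passwd_list () {
+oldifs="${IFS}"
+IFS=":"
+egrep -v "^#|^$" "/etc/passwd" | while read username hash userid groupid gecos homefilename shellfilename
+do
+IFS="${oldifs}"
+printf -- "${username}\n"
+IFS=":"
+done
+IFS="${oldifs}"
+}
+passwd_show_hash () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+oldifs="${IFS}"
+IFS=":"
+egrep -v "^#|^$" "/etc/passwd" | while read username hash userid groupid gecos homefilename shellfilename
+do
+hash="`printf \"${hash}\" | sed \"s/\\\!/\\\\\!/g\"`"
+IFS="${oldifs}"
+if [ "${username}" = "${pattern}" ]
+then
+printf -- "${hash}\n"
+fi
+IFS=":"
+done
+IFS="${oldifs}"
+}
+passwd_show_homedir () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+oldifs="${IFS}"
+IFS=":"
+egrep -v "^#|^$" "/etc/passwd" | while read username hash userid groupid gecos homefilename shellfilename
+do
+IFS="${oldifs}"
+if [ "${username}" = "${pattern}" ]
+then
+printf -- "${homefilename}\n"
+fi
+IFS=":"
+done
+IFS="${oldifs}"
+}
+fi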
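Review bot: All three loops in this file read /etc/passwd with `read` but without `-r`, so a backslash in the gecos or shell field is interpreted and the fields shift; `while read -r username hash …` costs nothing here. `passwd_show_hash` also runs `printf \"${hash}\"` with the field as the format string before the `sed`; `printf '%s' "${hash}"` keeps a `%` from being interpreted, and the `sed` that escapes `!` is then largely redundant. On systems using shadow passwords the field is just `x`, which callers need to recognise and follow up with `shadow_show_hash` from lib/misc/shadow; a one-line comment on `passwd_show_hash` saying so would save the next reader a trip.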

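--- a/lib/misc/permission
+++ b/lib/misc/permission
@@ -0,0 +1,141 @@
+#!/bin/sh
+# $Revision: 281 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${permissionincluded}" ]
+then
+permissionincluded=1
+. lib/misc/validate
+permission_is_owner_readable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^.r........$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_owner_writable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^..w.......$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_owner_executable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^...x......$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_group_readable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^....r.....$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_group_writable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^.....w....$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_group_executable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^......x...$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_world_readable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^.......r..$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_world_writable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^........w.$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_world_writable_sticky_bit () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^........wt$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+permission_is_world_executable () {
+permissions="${1}"
+[ "`validate_is_string \"${permissions}\"`" ] || false
+if [ -n "`printf -- \"${permissions}\" | egrep -- \"^.........x$\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+fi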
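Review bot: The owner, group and world executable checks anchor on a literal `x`, so setuid and setgid binaries (`-rwsr-xr-x`, `-rwxr-sr-x`) and sticky directories (`drwxrwxrwt`) are reported as not executable by that class, which is the wrong answer for exactly the files this tool cares about; the classes should be `[xs]` for owner and group and `[xt]` for world, e.g. `egrep -- "^...[xs]......$"`. If `${permissions}` comes from `ls -l`, the `$` after ten characters also fails whenever an ACL or security-context marker is appended (`-rw-rw-rw-+`, `-rw-rw-rw-.`), and then every function here returns 0 and world-writable files go unreported; allow `[+.]?` before `$` or anchor on `^` only. `permission_is_world_writable_sticky_bit` likewise misses `wT`. The ten near-identical bodies could be one private helper taking the regex, which would also make the fix a single edit.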

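--- a/lib/misc/postgresql
+++ b/lib/misc/postgresql
@@ -0,0 +1,70 @@
+#!/bin/sh
+# $Revision$
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: AIX, Linux
+if [ -z "${postgresqlincluded}" ]
+then
+postgresqlincluded=1
+. lib/misc/validate
+postgresql_query () {
+host="${1}"
+port="${2}"
+dbuser="${3}"
+dbname="${4}"
+query="${5}"
+[ "`validate_is_string \"${host}\"`" ] || false
+[ "`validate_is_number \"${port}\"`" ] || false
+[ "`validate_is_string \"${dbuser}\"`" ] || false
+[ "`validate_is_string \"${dbname}\"`" ] || false
+[ "`validate_is_string \"${query}\"`" ] || false
+psql -h "${host}" -p "${port}" -U "${dbuser}" -W "${dbname}" -c "${query}" -q -w 2>/dev/null
+}
+postgresql_version () {
+host="${1}"
+port="${2}"
+dbuser="${3}"
+dbname="${4}"
+[ "`validate_is_string \"${host}\"`" ] || false
+[ "`validate_is_number \"${port}\"`" ] || false
+[ "`validate_is_string \"${dbuser}\"`" ] || false
+[ "`validate_is_string \"${dbname}\"`" ] || false
+postgresql_query "${host}" "${port}" "${dbuser}" "${dbname}" "SELECT version()"
+}
+postgresql_check_no_password () {
+port="${1}"
+dbuser="${2}"
+[ "`validate_is_number \"${port}\"`" ] || false
+[ "`validate_is_string \"${dbuser}\"`" ] || false
+if [ -n "`postgresql_version \"127.0.0.1\" \"${port}\" \"${dbuser}\" \"template1\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+fi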
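Review bot: `postgresql_check_no_password` treats any output from `SELECT version()` as a password-less login, but `psql -w` will also succeed silently when `PGPASSWORD` is set or a `~/.pgpass` entry exists for the user running the audit, so the result reflects the auditor's environment as much as the server's `pg_hba.conf`; run the probe with `PGPASSWORD` unset and `PGPASSFILE=/dev/null`, or document that caveat on the function. `postgresql_query` passes both `-W` (force a password prompt) and `-w` (never prompt), which contradict each other, and because stderr goes to `/dev/null` any diagnostic psql emits about that is lost; `-W` should be dropped. With stderr discarded, "no server on that port" and "password required" are also indistinguishable, which is fine for a boolean check but worth a comment.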

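--- a/lib/misc/privileged
+++ b/lib/misc/privileged
@@ -0,0 +1,193 @@
+#!/bin/sh
+# $Revision: 355 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+if [ -z "${privilegedincluded}" ]
+then
+privilegedincluded=1
+. lib/misc/cron
+. lib/misc/file
+. lib/misc/inetd
+. lib/misc/init
+. lib/misc/inittab
+. lib/misc/process
+. lib/misc/stdio
+. lib/misc/sudo
+privilegedcachefilename="privileged_cache.temp"
+privileged_check_or_generate_cache () {
+if [ ! -f "${privilegedcachefilename}" ]
+then
+stdio_message_debug "privileged" "Generating privileged cache"
+file_list_by_perm "^-..s...... |^-..S...... " | while read filename
+do
+file_show_perms " $(unknown)$" | while read filename permissions userid groupid
+do
+printf -- "setuid $(unknown) ${userid}\n"
+done
+done >>"${privilegedcachefilename}"
+file_list_by_perm "^-.....s... |^-.....S... " | while read filename
+do
+file_show_perms " $(unknown)$" | while read filename permissions userid groupid
+do
+printf -- "setgid $(unknown) ${groupid}\n"
+done
+done >>"${privilegedcachefilename}"
+inetd_list | while read portnumberprotocol
+do
+privilegedfilename="`inetd_show_command \"${portnumberprotocol}\"`"
+file_show_real_filename "${privilegedfilename}" | while read realfilename
+do
+userid="`inetd_show_userid \"${portnumberprotocol}\"`"
+printf -- "inetd ${realfilename} ${userid}\n"
+done
+privilegedarguments="`inetd_show_arguments \"${portnumberprotocol}\"`"
+file_show_real_filename "${privilegedarguments}" | while read realfilename
+do
+userid="`inetd_show_userid \"${portnumberprotocol}\"`"
+printf -- "inetd-argument ${realfilename} ${userid}\n"
+done
+done >>"${privilegedcachefilename}"
+inittab_list | while read userid filename
+do
+file_show_real_filename "$(unknown)" | while read realfilename
+do
+printf -- "inittab ${realfilename} ${userid}\n"
+done
+done >>"${privilegedcachefilename}"
+init_list | while read userid filename
+do
+printf -- "init.d $(unknown) ${userid}\n"
+init_file_extract_paths "$(unknown)" | while read userid filepath
+do
+# avoid duplicates' file paths
+if [ -n "`egrep \"^init.d-path ${filepath} ${userid}$\" ${privilegedcachefilename}`" ]
+then
+continue
+else
+printf -- "init.d-path ${filepath} ${userid}\n"
+fi
+done
+done >>"${privilegedcachefilename}"
+sudo_list | while read privilegeduser passwd privilegedfilename
+do
+file_show_real_filename "${privilegedfilename}" | while read realfilename
+do
+printf -- "sudo-${passwd} ${realfilename} ${privilegeduser}\n"
+done
+done >>"${privilegedcachefilename}"
+sudo_sudoers_list | while read privilegeduser passwd privilegedfilename
+do
+file_show_real_filename "${privilegedfilename}" | while read realfilename
+do
+printf -- "sudoers-${passwd} ${realfilename} ${privilegeduser}\n"
+done
+done >>"${privilegedcachefilename}"
+cron_crontab_list | while read userid filename
+do
+file_show_real_filename "$(unknown)" | while read realfilename
+do
+printf -- "crontab ${realfilename} ${userid}\n"
+done
+done >>"${privilegedcachefilename}"
+cron_crontabs_list | while read userid filename
+do
+printf -- "crontabs $(unknown) ${userid}\n"
+cron_file_extract_paths "$(unknown)" | while read userid filepath
+do
+# avoid duplicates' file paths
+if [ -n "`egrep \"^crontabs-path ${filepath} ${userid}$\" ${privilegedcachefilename}`" ]
+then
+continue
+else
+printf -- "crontabs-path ${filepath} ${userid}\n"
+fi
+done
+done >>"${privilegedcachefilename}"
+# crontab can set a different PATH for its process, hence we need to prepend the crontab PATH to ours
+oldpath="${PATH}"
+if [ "`file_is_readable_file \"/etc/crontab\"`" ]
+then
+cronpath="`egrep -o \"^PATH=.*\n\" \"/etc/crontab\" | cut -c6-`"
+PATH="${cronpath}:${PATH}"
+export PATH
+fi
+cron_system_crontab_list | while read userid filename
+do
+file_show_real_filename "$(unknown)" | while read realfilename
+do
+printf -- "crontab-system ${realfilename} ${userid}\n"
+done
+done >>"${privilegedcachefilename}"
+cron_system_list | while read userid filename
+do
+printf -- "cron-system $(unknown) ${userid}\n"
+cron_file_extract_paths "$(unknown)" | while read userid filepath
+do
+# avoid duplicates' file paths
+if [ -n "`egrep \"^cron-system-path ${filepath} ${userid}$\" ${privilegedcachefilename}`" ]
+then
+continue
+else
+printf -- "cron-system-path ${filepath} ${userid}\n"
+fi
+done
+done >>"${privilegedcachefilename}"
+# reset PATH to ours
+PATH="${oldpath}"
+process_list ".*" | while read processid
+do
+filename="`process_show_command \"${processid}\"`"
+if [ -z "$(unknown)" ]
+then
+continue
+fi
+file_show_real_filename "$(unknown)" | while read realfilename
+do
+if [ -n "${realfilename}" ]
+then
+userid="`process_show_userid "${processid}"`"
+# avoid duplicates' processes
+if [ -n "`egrep \"^running ${realfilename} ${userid}$\" ${privilegedcachefilename}`" ]
+then
+continue
+else
+printf -- "running ${realfilename} ${userid}\n"
+fi
+fi
+done
+done >>"${privilegedcachefilename}"
+# TODO still need to add similar checks for stuff spawned from init, fscaps and binds a listening port not via inetd
+stdio_message_debug "privileged" "Cache generated"
+fi
+}
+privileged_list () {
+cat "${privilegedcachefilename}"
+}
+# TODO what we really need is a privileged_matches function for binary_dependency etc
+privileged_check_or_generate_cache
+fi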
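Review bot: `privileged_check_or_generate_cache` prepends the PATH found in /etc/crontab to the auditor's own PATH and leaves it exported while `cron_system_crontab_list` and `cron_system_list` run, so every external command those helpers call (`egrep`, `cut`, `file`, …) is looked up through directories taken from a file the tool is auditing; if one of those directories is writable by another user, an audit run as root executes that user's binaries. Keep `PATH` untouched and hand the cron PATH to the cron helpers (or resolve against it in a subshell) instead. The guard `if [ "\`file_is_readable_file \"/etc/crontab\"\`" ]` tests for a non-empty string rather than `-eq 1` (unlike `inittab_check`), so it is true for `0` too, and `egrep -o "^PATH=.*\n"` relies on `\n` matching a literal `n` in GNU grep, which truncates a PATH value that does not end in `n`. The cache is also a fixed relative name (`privileged_cache.temp`) in the current directory, trusted whenever it already exists and opened with `>>`, so a pre-existing file or symlink in a shared working directory can feed the audit false data or redirect its writes; create it with `mktemp` or refuse a file that is a symlink or not owned by the running user.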

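--- a/lib/misc/process
+++ b/lib/misc/process
@@ -0,0 +1,96 @@
+#!/bin/sh
+# $Revision: 297 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${processincluded}" ]
+then
+processincluded=1
+. lib/misc/parse
+. lib/misc/validate
+process_list () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+ps -aeo ruser,rgroup,pid,ppid,args | grep -v "PID" | grep "${pattern}" | grep -v "grep" | while read userid groupid processid parentid command arguments
+do
+printf -- "${processid}\n"
+done
+}
+process_show_userid () {
+pattern="${1}"
+[ "`validate_is_number \"${pattern}\"`" ] || false
+ps -aeo ruser,rgroup,pid,ppid,args | grep -v "PID" | grep "${pattern}" | grep -v "grep" | while read userid groupid processid parentid command arguments
+do
+if [ "${processid}" -eq "${pattern}" ]
+then
+printf -- "${userid}\n"
+fi
+done
+}
+process_show_parentid () {
+pattern="${1}"
+[ "`validate_is_number \"${pattern}\"`" ] || false
+ps -aeo ruser,rgroup,pid,ppid,args | grep -v "PID" | grep "${pattern}" | grep -v "grep" | while read userid groupid processid parentid command arguments
+do
+if [ "${processid}" -eq "${pattern}" ]
+then
+printf -- "${parentid}\n"
+fi
+done
+}
+process_show_command () {
+pattern="${1}"
+[ "`validate_is_number \"${pattern}\"`" ] || false
+ps -aeo ruser,rgroup,pid,ppid,args | grep -v "PID" | grep "${pattern}" | grep -v "grep" | while read userid groupid processid parentid command argument _
+do
+if [ "${processid}" -eq "${pattern}" ]
+then
+if [ -n "`printf -- \"${command}\" | egrep -- \"awk|ruby|python|perl|/sh|bash|dash|ksh|csh|expect\"`" ]
+then
+case "${argument}" in
+/*)
+printf -- "${argument}\n"
+;;
+# for cases where the script has been executed following a cd into its parent path it will show in the ps output as follows:
+# foobar foobar pid ppid /bin/sh ./scriptname.sh
+./*)
+filepath="`parse_environ_cwd \"${processid}\"`"
+if [ -n "${filepath}" ]
+then
+# the cut is to strip the './' as filepath is the absolute path
+printf -- "${filepath}/`printf -- \"${argument}\" | cut -c3-`\n"
+fi
+;;
+esac
+else
+printf -- "${command}\n"
+fi
+fi
+done
+}
+fi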
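Review bot: `process_show_command` examines only the first word after the interpreter (`read … command argument _`), so `python -u /srv/app.py` or `perl -w script.pl` yields `-u`/`-w`, neither `case` arm matches, and the process is silently omitted from the privileged cache; skip leading `-` options before the `case`, or take the first argument that does not start with `-`. Everything this file reports is taken from `ps` args, which a process controls (it can rewrite its own argv), so the path derived here should not be trusted for privilege decisions about another user's process; `readlink /proc/${processid}/exe`, where available, gives the executable actually mapped and could be preferred with the `ps` path as fallback. The interpreter regex is an unanchored substring match (`/sh` also matches `/usr/lib/shim`), so matching the basename against an anchored list such as `^(sh|bash|dash|ksh|csh|perl|python|ruby|awk|expect)$` would avoid misclassifying binaries. The `grep "${pattern}"` filter is a regex applied to the whole `ps` line, which is harmless because of the `-eq` comparison afterwards but deserves a comment.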

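--- a/lib/misc/shadow
+++ b/lib/misc/shadow
@@ -0,0 +1,107 @@
+#!/bin/sh
+# $Revision: 315 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux, AIX
+if [ -z "${shadowincluded}" ]
+then
+shadowincluded=1
+. lib/misc/file
+. lib/misc/validate
+shadow_list () {
+if [ "`uname`" = "AIX" ]
+then
+grep "^[A-Za-z0-9]:$" "/etc/security/passwd" | sed "s/:$//g" | while read username
+do
+printf -- "${username}\n"
+done
+else
+oldifs="${IFS}"
+IFS=":"
+egrep -v "^#|^$" "/etc/shadow" | while read username _
+do
+IFS="${oldifs}"
+printf -- "${username}\n"
+IFS=":"
+done
+IFS="${oldifs}"
+fi
+}
+shadow_show_hash () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+if [ "`uname`" = "AIX" ]
+then
+passwordflag=0
+while read line
+do
+if [ "${passwordflag}" -eq 1 ]
+then
+if [ -n "`printf -- \"${line}\" | grep \"password = \"`" ]
+then
+passwordflag=0
+printf -- "${line}\n" | while read _ _ hash
+do
+hash="`printf \"${hash}\" | sed \"s/!/\!/g\"`"
+printf -- "${hash}\n"
+done
+fi
+else
+if [ "${line}" = "${pattern}:" ]
+then
+passwordflag=1
+fi
+fi
+done <"/etc/security/passwd"
+else
+oldifs="${IFS}"
+IFS=":"
+egrep -v "^#|^$" "/etc/shadow" | while read username hash userid groupid gecos homefilename shellfilename
+do
+IFS="${oldifs}"
+if [ "${username}" = "${pattern}" ]
+then
+hash="`printf \"${hash}\" | sed \"s/!/\!/g\"`"
+printf -- "${hash}\n"
+fi
+IFS=":"
+done
+IFS="${oldifs}"
+fi
+}
+shadow_file_check () {
+if [ "`uname`" = "AIX" -a "`file_is_readable_file \"/etc/security/passwd\"`" -eq 1 ]
+then
+printf -- "1\n"
+elif [ "`file_is_readable_file \"/etc/shadow\"`" -eq 1 ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+fi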
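Review bot: The AIX branch of `shadow_list` greps `^[A-Za-z0-9]:$`, which matches only single-character stanza names, so practically every user in /etc/security/passwd is skipped; the class needs repetition, e.g. `grep "^[A-Za-z0-9_.-][A-Za-z0-9_.-]*:$"`, and should accept the same characters a stanza name may carry. In the Linux branch of `shadow_show_hash` the fields are read as `username hash userid groupid gecos homefilename shellfilename`, names copied from /etc/passwd although the /etc/shadow fields after the hash are password-ageing values; only `username` and `hash` are used, so `read -r username hash _` would be both clearer and correct. As elsewhere in this commit, `read` lacks `-r` and `printf -- "${line}"` / `printf "${hash}"` use data as the printf format string; the `sed "s/!/\!/g"` that follows is effectively a no-op and can go once `printf '%s'` is used.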

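--- a/lib/misc/ssh_agent
+++ b/lib/misc/ssh_agent
@@ -0,0 +1,53 @@
+#!/bin/sh
+# $Revision: 231 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${ssh_agentincluded}" ]
+then
+ssh_agentincluded=1
+. lib/misc/validate
+ssh_agent_list () {
+parentprocessid="${1}"
+[ "`validate_is_number \"${parentprocessid}\"`" ] || false
+# when ssh-agent parent process id is 10571, the temporary agent file is
+# /tmp/ssh-???????10570/agent.10570 (not 10571) - tested on Ubuntu 12.04
+processid="`expr ${2} - 1`"
+for pid in ${parentprocessid} ${processid}
+do
+SSH_AUTH_SOCK="`ls /tmp/ssh-*/agent.${pid}`"
+if [ -n "${SSH_AUTH_SOCK}" ]
+then
+export SSH_AUTH_SOCK
+ssh-add -l | grep -v "The agent has no identities" | while read _ _ filename _
+do
+printf -- "$(unknown)\n"
+done
+fi
+unset SSH_AUTH_SOCK
+done
+}
+fi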
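Review bot: `ssh_agent_list` validates `${1}` but computes `processid` from `${2}`, which is never assigned or checked, so with a single argument `expr - 1` errors out and the "pid minus one" lookup the comment describes never happens; given the comment this looks like it should be `processid="\`expr ${parentprocessid} - 1\`"`. The loop then exports whatever `ls /tmp/ssh-*/agent.${pid}` returns and connects with `ssh-add -l`, i.e. an audit run as root will open any socket an unprivileged user has placed under that name in /tmp, and several matches produce a multi-line `SSH_AUTH_SOCK`; check that exactly one path matched, that it is a socket (`[ -S … ]`) and that its owner matches the process owner before connecting, and scope the variable to the call (`SSH_AUTH_SOCK="${sock}" ssh-add -l`) rather than exporting it. `ls` on a non-matching glob also prints to stderr on every miss, which should be silenced or replaced by the `-S` test.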

86
lib/misc/stdio Normal file

@ -0,0 +1,86 @@
#!/bin/sh
# $Revision: 276 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Supports: Linux, AIX, Solaris, HP-UX
if [ -z "${stdioincluded}" ]
then
stdioincluded=1
. lib/misc/validate
stdio_message_log () {
check="${1}"
message="${2}"
[ "`validate_is_string \"${check}\"`" ] || false
[ "`validate_is_string \"${message}\"`" ] || false
if [ "${VERBOSE}" -ge 1 ]
then
stdio_format_message "32" "I" "${check}" "${message}"
fi
}
stdio_message_warn () {
check="${1}"
message="${2}"
[ "`validate_is_string \"${check}\"`" ] || false
[ "`validate_is_string \"${message}\"`" ] || false
stdio_format_message "33" "W" "${check}" "${message}"
}
stdio_message_debug () {
check="${1}"
message="${2}"
[ "`validate_is_string \"${check}\"`" ] || false
[ "`validate_is_string \"${message}\"`" ] || false
if [ "${VERBOSE}" -ge 2 ]
then
stdio_format_message "35" "D" "${check}" "${message}" >&2
fi
}
stdio_message_error () {
check="${1}"
message="${2}"
[ "`validate_is_string \"${check}\"`" ] || false
[ "`validate_is_string \"${message}\"`" ] || false
stdio_format_message "31" "E" "${check}" "${message}" >&2
}
stdio_format_message () {
color="${1}"
type="${2}"
check="${3}"
message="${4}"
[ "`validate_is_string \"${type}\"`" ] || false
[ "`validate_is_string \"${check}\"`" ] || false
[ "`validate_is_string \"${message}\"`" ] || false
[ "`validate_is_number \"${color}\"`" ] || false
if [ "${COLORING}" -eq 1 ]
then
printf "\033[${color}m${type}: [${check}] ${message}\033[m\n"
else
printf "${type}: [${check}] ${message}\n"
fi
}
fi
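Review bot: stdio_format_message interpolates caller-supplied text into the printf format string on both branches, so any message containing `%` (file names, sudoers entries and other host data flow through here) is misformatted or makes printf fail; the data belongs in arguments: `printf "\033[%sm%s: [%s] %s\033[m\n" "${color}" "${type}" "${check}" "${message}"` and `printf "%s: [%s] %s\n" "${type}" "${check}" "${message}"`. The same data-as-format pattern recurs in the sudo, user and validate files below; fixing it here removes the problem for every message routed through this function. Separately, `[ "${VERBOSE}" -ge 1 ]` and `[ "${COLORING}" -eq 1 ]` abort with an integer-expression error if those variables are unset; presumably the main script initialises them, but a comment naming that requirement, or a default such as `: "${VERBOSE:=0}"` near the include guard, would make the library safe to source on its own.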

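--- a/lib/misc/sudo
+++ b/lib/misc/sudo
+#!/bin/sh
+# $Revision: 320 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${sudoincluded}" ]
+then
+sudoincluded=1
+. lib/misc/file
+. lib/misc/parse
+. lib/misc/validate
+sudo_is_password_required () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+if [ -z "`sudo -l | egrep -- \"${pattern}\" | egrep \"NOPASSWD\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+sudo_list () {
+sudo -l | egrep -v "^#|^$" | egrep -- "^ \(" | tr -d "(" | tr -d ")" | while read privilegeduser settings
+do
+if [ "`sudo_is_password_required \"${settings}\"`" -eq 1 ]
+then
+passwd="passwd"
+else
+passwd="nopasswd"
+fi
+# Examples of ${settings} (sudo -l relevant lines):
+# /bin/su operator
+# NOPASSWD: /usr/bin/test
+# /sbin/, (foobar) /usr/sbin, (foobar) /usr/local/apps/check.pl
+# /usr/sbin/lpc, /usr/bin/lprm
+# All of the above cases are correctly handled here
+# TODO this does not consider the common case (i.e. in Ubuntu) where a user can run all commands and the sudo -l output is " (root) NOPASSWD: ALL"
+parse_extract_absolute_filepaths "${settings}" | while read filepath
+do
+case "${filepath}" in
+/*/)
+printf -- "${privilegeduser} ${passwd} ${filepath}*\n"
+;;
+/*)
+printf -- "${privilegeduser} ${passwd} ${filepath}\n"
+;;
+esac
+done
+done
+}
+sudo_sudoers_check () {
+if [ "`file_is_readable_file \"/etc/sudoers\"`" -eq 1 ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+sudo_sudoers_list () {
+if [ "`sudo_sudoers_check`" -eq 1 ]
+then
+sudoers_entries="`egrep -v \"^#\" \"/etc/sudoers\" | egrep -v \"^[ \t]*$\" | egrep -v \"^[ \t]*Default\" | egrep -- \"=\"`"
+# FIXME this printf fails when the an entry starts with percentage character (%) which is common for sudoers group
+printf -- "${sudoers_entries}" | while read privilegeduser passwd settings
+do
+if [ -n "`printf -- \"${privilegeduser}\" | egrep -- \"_Alias\"`" ]
+then
+continue
+fi
+# TODO this does not consider command aliases (Cmnd_Alias setting)
+if [ -z "`parse_extract_absolute_filepaths \"${settings}\"`" ]
+then
+printf -- "${privilegeduser} ${passwd} ${settings}\n"
+fi
+parse_extract_absolute_filepaths "${settings}" | while read filepath
+do
+case "${filepath}" in
+/*/)
+printf -- "${privilegeduser} ${passwd} ${filepath}*\n"
+;;
+/*)
+printf -- "${privilegeduser} ${passwd} ${filepath}\n"
+;;
+esac
+done
+done
+fi
+}
+fi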
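Review bot: The FIXME above `printf -- "${sudoers_entries}"` in sudo_sudoers_list is fixable in place: the entries are being used as the printf format string, which is why a leading `%` (group entries) breaks, and because no trailing newline is emitted the last entry can also be dropped by `read`; `printf -- "%s\n" "${sudoers_entries}" | while read privilegeduser passwd settings` fixes both. In sudo_is_password_required the settings text taken from `sudo -l` output is reused as an egrep pattern, so regex metacharacters in a sudoers entry (`.`, `*`, `+`, `[`) change what is matched; since it is a literal line, `egrep -F -- "${pattern}"` is the intended check. `sudo -l` is also re-run inside sudo_list for every entry; capturing its output once and matching against that would avoid the repeated invocations (and repeated prompts where sudo is not NOPASSWD).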

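--- a/lib/misc/user
+++ b/lib/misc/user
+#!/bin/sh
+# $Revision: 290 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux
+if [ -z "${userincluded}" ]
+then
+userincluded=1
+. lib/misc/passwd
+. lib/misc/validate
+user_is_trusted () {
+username="${1}"
+[ "`validate_is_string \"${username}\"`" ] || false
+# TODO write this
+false
+}
+user_is_root () {
+if [ "`user_show_user_id`" = "0" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+user_is_user_root () {
+username="${1}"
+[ "`validate_is_string \"${username}\"`" ] || false
+if [ "${username}" = "root" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+user_is_user_id () {
+userid="${1}"
+[ "`validate_is_number \"${userid}\"`" ] || false
+if [ "`user_show_user_id`" = "${userid}" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+user_is_user_name () {
+username="${1}"
+[ "`validate_is_string \"${username}\"`" ] || false
+if [ "`user_show_user_name`" = "${username}" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+user_is_in_group_id () {
+username="${1}"
+groupid="${2}"
+[ "`validate_is_string \"${username}\"`" ] || false
+[ "`validate_is_number \"${groupid}\"`" ] || false
+# TODO write this
+false
+}
+user_is_in_group_name () {
+username="${1}"
+group="${2}"
+ret="0"
+[ "`validate_is_string \"${username}\"`" ] || false
+[ "`validate_is_string \"${group}\"`" ] || false
+groups "${username}" | while read usergroup
+do
+if [ "${usergroup}" = "${group}" ]
+then
+ret="1"
+break
+fi
+done
+printf -- "${ret}\n"
+}
+user_show_user_id () {
+printf -- "`id -u`\n"
+}
+user_show_user_name () {
+printf -- "`id -u -n`\n"
+}
+user_match_user_name () {
+pattern="${1}"
+[ "`validate_is_string \"${pattern}\"`" ] || false
+passwd_list | while read username
+do
+if [ -n "`printf -- \"${username}\" | egrep -- \"${pattern}\"`" ]
+then
+printf -- "${username}\n"
+fi
+done
+}
+fi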
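Review bot: user_is_in_group_name always prints 0: the `ret="1"` assignment happens inside a `while` loop fed by a pipe, i.e. in a subshell, so the outer `ret` never changes, and in any case `read usergroup` takes the whole output line of `groups` (on Linux `user : g1 g2`), which never equals a single group name. Testing the pipeline result directly, with the group list split one per line, fixes both problems; `id -G -n` is the POSIX way to get just the group names, if it behaves the same on every platform the file targets (the header says Linux only). user_is_trusted and user_is_in_group_id are stubs that print nothing, so any caller comparing their output with `-eq 1` will hit a test error rather than a clean 0; printing `0` until they are implemented would be safer than the bare `false`.
```shell
user_is_in_group_name () {
# … unchanged: argument assignment and validation …
ret="0"
# the pipeline runs in a subshell, so test its result here rather than
# assigning ret inside a piped loop; id -G -n prints group names on one line
if id -G -n "${username}" | tr " " "\n" | grep -qx -- "${group}"
then
ret="1"
fi
printf -- "${ret}\n"
}
```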

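--- a/lib/misc/validate
+++ b/lib/misc/validate
+#!/bin/sh
+# $Revision: 247 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Supports: Linux, AIX, Solaris, HP-UX
+if [ -z "${validateincluded}" ]
+then
+validateincluded=1
+. lib/misc/stdio
+validate_matches_regex () {
+value="${1}"
+regex="${2}"
+if [ -n "`printf -- \"${value}\" | egrep -- \"$regex\"`" ]
+then
+printf -- "1\n"
+else
+printf -- "0\n"
+fi
+}
+validate_is_string () {
+value="${1}"
+if [ "`validate_matches_regex \"${value}\" \".*\"`" -eq 1 ]
+then
+printf -- "1\n"
+else
+stdio_message_error "validate" "invalid string"
+printf -- "0\n"
+fi
+}
+validate_is_number () {
+value="${1}"
+if [ "`validate_matches_regex \"${value}\" \"^[0-9]+$\"`" -eq 1 ]
+then
+printf -- "1\n"
+else
+stdio_message_error "validate" "invalid number: ${value}"
+printf -- "0\n"
+fi
+}
+validate_is_boolean () {
+value="${1}"
+if [ "`validate_is_regex \"${value}\" \"^[0-1]$\"`" -eq 1 ]
+then
+printf -- "1\n"
+else
+stdio_message_error "validate" "invalid boolean: ${value}"
+printf -- "0\n"
+fi
+}
+fi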
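Review bot: validate_is_boolean calls `validate_is_regex`, which is not defined in this file and, as far as the sourced stdio library shows, nowhere else; the other validators call validate_matches_regex, so the line should read `if [ "`validate_matches_regex \"${value}\" \"^[0-1]$\"`" -eq 1 ]` (as written the substitution is empty and `[ "" -eq 1 ]` raises a test error). More broadly, every validator prints `1` or `0`, so the guard idiom used by callers across these libraries, `[ "`validate_is_number \"${x}\"`" ] || false`, only tests that the output is non-empty and can never fail; for the validation to have any effect callers would need `[ "`validate_is_number \"${x}\"`" -eq 1 ] || return 1`. In validate_matches_regex `printf -- "${value}"` uses the value being validated as the printf format string, so a value containing `%` is altered before the regex is applied; `printf -- "%s" "${value}"` is the safe form, and it also makes validate_is_number reject an input such as `%d` instead of silently accepting it.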