-
Notifications
You must be signed in to change notification settings - Fork 1
/
dev.chk
executable file
·128 lines (115 loc) · 3.42 KB
/
dev.chk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
:
#
# dev.chk [-g]
#
# This shell script checks the permissions of all devs listed in the
# file /etc/fstab (the "mount" command would be a preferable way of
# getting the file system name, but the syntax of the output is variable
# from machine to machine), and flags them if they are readable by using
# the "is_able" command. It also checks for unrestricted NFS
# mountings. By default, dev_check will flag devs only if world readable
# or writable. The -g option tells it to print out devs that are also
# group readable/writable.
# As an aside, the fact that NFS mounted dirs are world readable isn't
# a big deal, but they shouldn't be world writable. So do two checks here,
# instead of one.
#
# (p.s. /dev/?mem and some misc files used to be checked here, but they
# are now checked in is_able.chk)
#
# Two types of /etc/fstab formats I've seen so far:
#
# spec:file:type:freq:passno:name:options
# NFS are indicated by an "@"
#
# fsname dir type opts freq passno
# NFS are indicated by an ":"
#
# I check for the second; comment that code out (lines 83-84), and
# uncomment the other style (lines 79-80), if you have the first type.
#
AWK=/bin/awk
SED=/bin/sed
ECHO=/bin/echo
TEST=/bin/test
# locations of vital stuff...
mtab=/etc/fstab
exports=/etc/exports
group=no
if $TEST $# -gt 1 ; then
$ECHO "Usage: $0 [-g]"
exit 2
fi
if $TEST $# -eq 1 ; then
if $TEST "X$1" = "X-g" ; then
group=yes
else
$ECHO "Usage: $0 [-g]"
exit 2
fi
fi
# Testing filesystems and devices for improper read/write permissions...
# grab devices from "/etc/fstab"....
# Format of /etc/fstab:
#
# spec:file:type:freq:passno:name:options
# NFS mounted:
# [email protected]:/usr/spaf:ect....
#
# Or, the default means of checking:
#
# filesystem directory type options freq pass
# NFS mounted:
# uther:foobar.edu /usr/spaf....
#
# kill comments, then get the device/filesystem in question.
#
# First style:
# nfs_devs=`$SED 's/^#.*//' $mtab | $AWK -F: '/@/ {print $2}'`
# local_devs=`$SED -e 's/^#.*$//' -e 's/^.*@.*$//' $mtab|$AWK -F: {print $1}'`
# Default style:
nfs_devs=`$SED -e 's/^#.*$//' $mtab | $AWK '/:/ {print $1}'`
local_devs=`$SED -e 's/^#.*$//' -e 's/^.*:.*$//' $mtab | $AWK '{print $1}'`
all_devs=$nfs_devs" "$local_devs
# Alternate way; grab devices from "mount [-p]"....
# Format of output from mount (some machines use -p option, some
# don't. Check your local man page... you might have to add a "-F:" or
# something, depending on your output:
# crit_devs=`/etc/mount -p|$AWK 'index($1, "/")==1
# {print $1} \
# }'`
# On an IBM/AIX box, you can try something like:
# all_devs=`$GREP 'dev.*=' /etc/filesystems | $AWK '{print $NF}'`
#
# However, do check for single line entries in /etc/exports:
if $TEST -s $exports
then
$SED -e '/^#/d' -e '/^$/d' $exports | $AWK '!/access=/ {
for (i=2;i<=NF;i++) if (substr($i,1,1) != "-") {next} \
print "Warning! NFS file system " $1 " exported with no restrictions!"}'
fi
#
# Have to get them in the format that "is_able" likes:
#
# filename {world|group} {writeable|readable|both}
#
# all things check world/group writability
for i in $all_devs
do
./is_able $i w w
if $TEST "$group" = "yes"
then
./is_able $i g w
fi
done
# For local devices, we want to make sure that no one can bypass
# security by reading straight from the device:
for i in $local_devs
do
./is_able $i w r
if $TEST "$group" = "yes"
then
./is_able $i g r
fi
done
# end of script