Changeset 115 for trunk/src

Timestamp:

Aug 21, 2007, 10:22:59 PM (17 years ago)

Author:

rainer

Message:

Fix the problem that new suid/sgid file found by the file system check already will not be quarantined in the suid check (ticket #71).

Location:

trunk/src

Files:

• sh_hash.c (modified) (6 diffs)
• sh_suidchk.c (modified) (5 diffs)

trunk/src/sh_hash.c

@@ -1054 +1054 @@
   memcpy( &(*p).theFile, &ft, sizeof(sh_filestore_t) );
 
-  p->fflags = 0;
-
+  /* init fflags, such that suid files in 
+   * database are recognized as such 
+   */
+  {
+    mode_t mode = (mode_t) ft.mode;
+
+    if (S_ISREG(mode) &&
+        (0 !=(S_ISUID & mode) ||
+#if defined(HOST_IS_LINUX)
+         (0 !=(S_ISGID & mode) && 
+          0 !=(S_IXGRP & mode)) 
+#else  
+         0 !=(S_ISGID & mode)
+#endif
+         )
+        )
+      p->fflags = SH_FFLAG_SUIDCHK;
+
+    else
+      p->fflags = 0;
+  }
+      
   p->modi_mask = 0L;
   p->fullpath  = fullpath;
@@ -1812 +1832 @@
   sh_file_t * p;
 
-  SL_ENTER(_("sh_hash_have_it"));
+  SL_ENTER(_("sh_hash_have_it_int"));
 
   if (newname == NULL)
-    SL_RETURN( (NULL), _("sh_hash_have_it"));
+    SL_RETURN( (NULL), _("sh_hash_have_it_int"));
 
   if (IsInit != 1) 
@@ -1824 +1844 @@
     p = hashsearch ( sh_tiger_hash(newname, TIGER_DATA, sl_strlen(newname)) );
   if (p == NULL) 
-     SL_RETURN( (NULL), _("sh_hash_have_it"));
+     SL_RETURN( (NULL), _("sh_hash_have_it_int"));
   /*
   if (p->allignore == S_FALSE && 
@@ -1831 +1851 @@
     SL_RETURN( (1), _("sh_hash_have_it"));
   */
-  SL_RETURN( (p), _("sh_hash_have_it"));
+  SL_RETURN( (p), _("sh_hash_have_it_int"));
 }
 
@@ -1860 +1880 @@
   return 0;
 }
- 
+
+int sh_hash_getflags (char * filename)
+{
+  sh_file_t * p = sh_hash_have_it_int (filename);
+  if (!p)
+    return (-1);
+  return (p->fflags);
+}
+
+int sh_hash_setflags (char * filename, int flags)
+{
+  sh_file_t * p = sh_hash_have_it_int (filename);
+  if (!p)
+    return (-1);
+  p->fflags = flags;
+  return 0;
+}
+
+/* needs lock to be threadsafe
+ */
+void sh_hash_addflag (char * filename, int flag_to_set)
+{
+  int fflags = sh_hash_getflags(filename);
+
+  if (fflags >= 0)
+    {
+      fflags |= flag_to_set;
+      sh_hash_setflags(filename, fflags);
+    }
+  return;
+}
 
 /*****************************************************************
@@ -2106 +2156 @@
 
   memcpy( &(*fp).theFile, &p, sizeof(sh_filestore_t) );
-  fp->fflags    = 0;
+  fp->fflags    = 0;  /* init fflags */
   fp->modi_mask = 0L;
 

trunk/src/sh_suidchk.c

@@ -831 +831 @@
   struct stat     buf;
   int             status;
+  int             fflags;
   char          * fs;
   long            sl_status = SL_ENONE;
@@ -910 +911 @@
       ++FileLimTotal;
 
+      /* Rate limit (Fps == Files per second)
+       */
       if ((ShSuidchkFps > 0 && FileLimNum > ShSuidchkFps && FileLimTotal > 0)&&
           (ShSuidchkYield == S_FALSE))
@@ -995 +998 @@
               else
                 {
-                  if (sh.flag.update == S_TRUE && 
+
+                  if ( sh.flag.update   == S_TRUE && 
                       (sh.flag.checkSum == SH_CHECK_INIT  || 
                        sh.flag.checkSum == SH_CHECK_CHECK))
                     {
+                      /* Updating database. Report new files that
+                       * are not in database already. Then compare
+                       * to database and report changes.
+                       */
                       if (-1 == sh_hash_have_it (tmpcat))
                         {
@@ -1017 +1025 @@
                           sh_hash_pushdata_memory (&theFile, fileHash);
                         }
+                      
+                      sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+                      
                     }
+
                   else if (sh.flag.checkSum == SH_CHECK_INIT  && 
                            sh.flag.update == S_FALSE )
                     {
+                      /* Running init. Report on files detected.
+                       */
                       sh_hash_pushdata (&theFile, fileHash);
                       sh_error_handle ((-1), FIL__, __LINE__, 
                                        0, MSG_SUID_FOUND, tmp );
                     }
+
                   else if (sh.flag.checkSum == SH_CHECK_CHECK )
                     {
+                      /* Running file check. Report on new files
+                       * detected, and quarantine them.
+                       */
                       sh_error_handle (SH_ERR_ALL, FIL__, __LINE__, 
                                        0, MSG_SUID_FOUND, tmp );
-                      if (-1 == sh_hash_have_it (tmpcat))
+
+                      fflags = sh_hash_getflags(tmpcat);
+
+                      if ( (-1 == fflags) || (!SH_FFLAG_SUIDCHK_SET(fflags)))
                         {
-                          report_file(tmpcat, &theFile, timestrc, timestra, timestrm);
+                          if (-1 == fflags)
+                            report_file(tmpcat, &theFile, timestrc, timestra, timestrm);
 
                           /* Quarantine file according to configured method
@@ -1063 +1085 @@
                                                        _("[SuidCheck]"),
                                                        ShSuidchkSeverity);
+
+                              sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+
                             }
                         }
                       else
                         {
+                          /* File exists. Check for modifications.
+                           */
                           (void) sh_hash_compdata (SH_LEVEL_READONLY, 
                                                    &theFile, fileHash,
                                                    _("[SuidCheck]"),
                                                    ShSuidchkSeverity);
+                          
+                          sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+
                         }
                     }