Changeset 115 for trunk/src/sh_suidchk.c

Timestamp:

Aug 21, 2007, 10:22:59 PM (17 years ago)

Author:

rainer

Message:

Fix the problem that new suid/sgid file found by the file system check already will not be quarantined in the suid check (ticket #71).

File:

• trunk/src/sh_suidchk.c (modified) (5 diffs)

trunk/src/sh_suidchk.c

@@ -831 +831 @@
   struct stat     buf;
   int             status;
+  int             fflags;
   char          * fs;
   long            sl_status = SL_ENONE;
@@ -910 +911 @@
       ++FileLimTotal;
 
+      /* Rate limit (Fps == Files per second)
+       */
       if ((ShSuidchkFps > 0 && FileLimNum > ShSuidchkFps && FileLimTotal > 0)&&
           (ShSuidchkYield == S_FALSE))
@@ -995 +998 @@
               else
                 {
-                  if (sh.flag.update == S_TRUE && 
+
+                  if ( sh.flag.update   == S_TRUE && 
                       (sh.flag.checkSum == SH_CHECK_INIT  || 
                        sh.flag.checkSum == SH_CHECK_CHECK))
                     {
+                      /* Updating database. Report new files that
+                       * are not in database already. Then compare
+                       * to database and report changes.
+                       */
                       if (-1 == sh_hash_have_it (tmpcat))
                         {
@@ -1017 +1025 @@
                           sh_hash_pushdata_memory (&theFile, fileHash);
                         }
+                      
+                      sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+                      
                     }
+
                   else if (sh.flag.checkSum == SH_CHECK_INIT  && 
                            sh.flag.update == S_FALSE )
                     {
+                      /* Running init. Report on files detected.
+                       */
                       sh_hash_pushdata (&theFile, fileHash);
                       sh_error_handle ((-1), FIL__, __LINE__, 
                                        0, MSG_SUID_FOUND, tmp );
                     }
+
                   else if (sh.flag.checkSum == SH_CHECK_CHECK )
                     {
+                      /* Running file check. Report on new files
+                       * detected, and quarantine them.
+                       */
                       sh_error_handle (SH_ERR_ALL, FIL__, __LINE__, 
                                        0, MSG_SUID_FOUND, tmp );
-                      if (-1 == sh_hash_have_it (tmpcat))
+
+                      fflags = sh_hash_getflags(tmpcat);
+
+                      if ( (-1 == fflags) || (!SH_FFLAG_SUIDCHK_SET(fflags)))
                         {
-                          report_file(tmpcat, &theFile, timestrc, timestra, timestrm);
+                          if (-1 == fflags)
+                            report_file(tmpcat, &theFile, timestrc, timestra, timestrm);
 
                           /* Quarantine file according to configured method
@@ -1063 +1085 @@
                                                        _("[SuidCheck]"),
                                                        ShSuidchkSeverity);
+
+                              sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+
                             }
                         }
                       else
                         {
+                          /* File exists. Check for modifications.
+                           */
                           (void) sh_hash_compdata (SH_LEVEL_READONLY, 
                                                    &theFile, fileHash,
                                                    _("[SuidCheck]"),
                                                    ShSuidchkSeverity);
+                          
+                          sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK);
+
                         }
                     }