Index: trunk/src/sh_hash.c =================================================================== --- trunk/src/sh_hash.c (revision 114) +++ trunk/src/sh_hash.c (revision 115) @@ -1054,6 +1054,26 @@ memcpy( &(*p).theFile, &ft, sizeof(sh_filestore_t) ); - p->fflags = 0; - + /* init fflags, such that suid files in + * database are recognized as such + */ + { + mode_t mode = (mode_t) ft.mode; + + if (S_ISREG(mode) && + (0 !=(S_ISUID & mode) || +#if defined(HOST_IS_LINUX) + (0 !=(S_ISGID & mode) && + 0 !=(S_IXGRP & mode)) +#else + 0 !=(S_ISGID & mode) +#endif + ) + ) + p->fflags = SH_FFLAG_SUIDCHK; + + else + p->fflags = 0; + } + p->modi_mask = 0L; p->fullpath = fullpath; @@ -1812,8 +1832,8 @@ sh_file_t * p; - SL_ENTER(_("sh_hash_have_it")); + SL_ENTER(_("sh_hash_have_it_int")); if (newname == NULL) - SL_RETURN( (NULL), _("sh_hash_have_it")); + SL_RETURN( (NULL), _("sh_hash_have_it_int")); if (IsInit != 1) @@ -1824,5 +1844,5 @@ p = hashsearch ( sh_tiger_hash(newname, TIGER_DATA, sl_strlen(newname)) ); if (p == NULL) - SL_RETURN( (NULL), _("sh_hash_have_it")); + SL_RETURN( (NULL), _("sh_hash_have_it_int")); /* if (p->allignore == S_FALSE && @@ -1831,5 +1851,5 @@ SL_RETURN( (1), _("sh_hash_have_it")); */ - SL_RETURN( (p), _("sh_hash_have_it")); + SL_RETURN( (p), _("sh_hash_have_it_int")); } @@ -1860,5 +1880,35 @@ return 0; } - + +int sh_hash_getflags (char * filename) +{ + sh_file_t * p = sh_hash_have_it_int (filename); + if (!p) + return (-1); + return (p->fflags); +} + +int sh_hash_setflags (char * filename, int flags) +{ + sh_file_t * p = sh_hash_have_it_int (filename); + if (!p) + return (-1); + p->fflags = flags; + return 0; +} + +/* needs lock to be threadsafe + */ +void sh_hash_addflag (char * filename, int flag_to_set) +{ + int fflags = sh_hash_getflags(filename); + + if (fflags >= 0) + { + fflags |= flag_to_set; + sh_hash_setflags(filename, fflags); + } + return; +} /***************************************************************** @@ -2106,5 +2156,5 @@ memcpy( &(*fp).theFile, &p, sizeof(sh_filestore_t) ); - fp->fflags = 0; + fp->fflags = 0; /* init fflags */ fp->modi_mask = 0L; Index: trunk/src/sh_suidchk.c =================================================================== --- trunk/src/sh_suidchk.c (revision 114) +++ trunk/src/sh_suidchk.c (revision 115) @@ -831,4 +831,5 @@ struct stat buf; int status; + int fflags; char * fs; long sl_status = SL_ENONE; @@ -910,4 +911,6 @@ ++FileLimTotal; + /* Rate limit (Fps == Files per second) + */ if ((ShSuidchkFps > 0 && FileLimNum > ShSuidchkFps && FileLimTotal > 0)&& (ShSuidchkYield == S_FALSE)) @@ -995,8 +998,13 @@ else { - if (sh.flag.update == S_TRUE && + + if ( sh.flag.update == S_TRUE && (sh.flag.checkSum == SH_CHECK_INIT || sh.flag.checkSum == SH_CHECK_CHECK)) { + /* Updating database. Report new files that + * are not in database already. Then compare + * to database and report changes. + */ if (-1 == sh_hash_have_it (tmpcat)) { @@ -1017,19 +1025,33 @@ sh_hash_pushdata_memory (&theFile, fileHash); } + + sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK); + } + else if (sh.flag.checkSum == SH_CHECK_INIT && sh.flag.update == S_FALSE ) { + /* Running init. Report on files detected. + */ sh_hash_pushdata (&theFile, fileHash); sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_SUID_FOUND, tmp ); } + else if (sh.flag.checkSum == SH_CHECK_CHECK ) { + /* Running file check. Report on new files + * detected, and quarantine them. + */ sh_error_handle (SH_ERR_ALL, FIL__, __LINE__, 0, MSG_SUID_FOUND, tmp ); - if (-1 == sh_hash_have_it (tmpcat)) + + fflags = sh_hash_getflags(tmpcat); + + if ( (-1 == fflags) || (!SH_FFLAG_SUIDCHK_SET(fflags))) { - report_file(tmpcat, &theFile, timestrc, timestra, timestrm); + if (-1 == fflags) + report_file(tmpcat, &theFile, timestrc, timestra, timestrm); /* Quarantine file according to configured method @@ -1063,12 +1085,20 @@ _("[SuidCheck]"), ShSuidchkSeverity); + + sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK); + } } else { + /* File exists. Check for modifications. + */ (void) sh_hash_compdata (SH_LEVEL_READONLY, &theFile, fileHash, _("[SuidCheck]"), ShSuidchkSeverity); + + sh_hash_addflag(tmpcat, SH_FFLAG_SUIDCHK); + } }