Changeset 3


Ignore:
Timestamp:
Dec 21, 2005, 10:07:54 PM (15 years ago)
Author:
rainer
Message:

More fixes for update function, released 2.1.1 version.

Location:
trunk
Files:
10 edited

Legend:

Unmodified
Added
Removed
  • trunk/docs/Changelog

    r1 r3  
     1
    122.1.1:
     3        * sh_calls.c: protect sh_calls_set_bind_addr against overriding
     4        * comINSTALL, updateDB: use locking
     5        * samhainadmin.pl: use locking
    26        * fix typos in samhainrc.solaris (noticed by Robby Cauwerts)
    37        * improve zAVLSearch (remove redundant strcmp)
    4         * use AVL tree in sh_files.c instead of linked list (scales way better)
     8        * use AVL tree in sh_files.c instead of linked list (better scaling)
    59        * fix bug with suidcheck (no update/check in one-shot mode with
    610          schedule instead of check interval; noticed by R. Rati)
  • trunk/dsys/comINSTALL

    r1 r3  
    340340    #---------------------------------------------------------------------
    341341
     342    instlock="${yule_conf}.lockdir";
     343    trap "rm -rf ${instlock}" 1 2 13 15
     344
     345    if test x"$simulate" = x0
     346    then
     347        #
     348        # A lockfile will not work, because 'root' can write anyway.
     349        # However, 'mkdir' an existing directory will fail even for root
     350        #
     351        until (umask 222; mkdir "${instlock}") 2>/dev/null   # test & set
     352        do
     353           printINFO "Waiting for lock"
     354           sleep 1
     355        done
     356    fi
     357
    342358    Replace=`"${yule_exec}" -P "${is_passwd}" | sed s%HOSTNAME%${host}%g`
    343359    if test "x$Replace" = x
    344360    then
     361        rm -rf "${instlock}"
    345362        printFATAL "Could not execute ${yule_exec} -P ${is_passwd}."
    346363    fi
     
    356373            then
    357374                Seen=y
    358                 echo "$Replace" >>"$tmpF" || printFATAL "Cannot write new server configuration."
     375                echo "$Replace" >>"$tmpF"
     376                if [ $? -ne 0 ]; then
     377                        rm -rf "${instlock}"
     378                        printFATAL "Cannot write new server configuration."
     379                fi
    359380            fi
    360381        else
     
    363384                :
    364385            else
    365                 echo "$line" >>"$tmpF" || printFATAL "Cannot write new server configuration."
     386                echo "$line" >>"$tmpF"
     387                if [ $? -ne 0 ]; then
     388                        rm -rf "${instlock}"
     389                        printFATAL "Cannot write new server configuration."
     390                fi
    366391            fi
    367392        fi
     
    380405    if test x"$simulate" = x0
    381406    then
    382         ageFILE "${yule_conf}" || printFATAL "Could not backup ${yule_conf}."
    383         rm -f "${yule_conf}" && { cp "$tmpF"  "${yule_conf}" || printFATAL "Could not write new server config. Backup is ${yule_conf}.1"; }
    384         chown ${rcfile_owner}:${rcfile_group} "${yule_conf}" || printFATAL "Could not chown ${rcfile_owner}:${rcfile_group} ${yule_conf}"
    385         chmod ${rcfile_perm} "${yule_conf}" || printFATAL "Could not chmod ${rcfile_perm} ${yule_conf}"
     407        ageFILE "${yule_conf}"
     408        if [ $? -ne 0 ]; then
     409                rm -rf "${instlock}"
     410                printFATAL "Could not backup ${yule_conf}"
     411        fi
     412
     413        rm -f "${yule_conf}" && cp "$tmpF"  "${yule_conf}"
     414        if [ $? -ne 0 ]; then
     415                rm -rf "${instlock}"
     416                printFATAL "Could not write new server config. Backup is ${yule_conf}.1"
     417        fi
     418
     419        chown ${rcfile_owner}:${rcfile_group} "${yule_conf}"
     420        if [ $? -ne 0 ]; then
     421                rm -rf "${instlock}"
     422                printFATAL "Could not chown ${rcfile_owner}:${rcfile_group} ${yule_conf}"
     423        fi
     424
     425        chmod ${rcfile_perm} "${yule_conf}"
     426        if [ $? -ne 0 ]; then
     427                rm -rf "${instlock}"
     428                printFATAL "Could not chmod ${rcfile_perm} ${yule_conf}"
     429        fi
    386430    else
    387431        printINFO "Backup and update ${yule_conf}"
     
    423467        sleep 5
    424468        #
     469        rm -rf "${instlock}"
    425470    else
    426471        printINFO "Reloading server configuration."
     
    428473
    429474    printLOG "Server configuration updated and reloaded."
     475
    430476
    431477    #---------------------------------------------------------------------
  • trunk/dsys/funcINSTALL

    r1 r3  
    9191        DATABASE="${basedir}/${defdatabase}"
    9292    fi
     93
     94    updlock="${DATABASE}.lockdir"
     95    trap "rm -rf ${updlock}" 1 2 13 15
     96
     97    #
     98    # A lockfile will not work, because 'root' can write anyway.
     99    # However, 'mkdir' an existing directory will fail even for root
     100    #
     101    until (umask 222; mkdir "${updlock}") 2>/dev/null   # test & set
     102    do
     103       printINFO "Waiting for lock"
     104       sleep 1
     105    done
     106
    93107
    94108    IDATE=`date +"%Y-%m-%d %H:%M:%S"`
     
    223237    fi
    224238
    225     chown ${rcfile_owner}:${rcfile_group} "${DATABASE}" || printFATAL "Could not chown ${rcfile_owner}:${rcfile_group} ${DATABASE}"
    226     chmod ${rcfile_perm} "${DATABASE}" || printFATAL "Could not chmod ${rcfile_perm} ${DATABASE}"
    227 
     239    chown ${rcfile_owner}:${rcfile_group} "${DATABASE}"
     240    if [ $? -ne 0 ]; then
     241        rm -rf "${instlock}"
     242        printFATAL "Could not chown ${rcfile_owner}:${rcfile_group} ${DATABASE}"
     243    fi
     244    chmod ${rcfile_perm} "${DATABASE}"
     245    if [ $? -ne 0 ]; then
     246        rm -rf "${instlock}"
     247        printFATAL "Could not chmod ${rcfile_perm} ${DATABASE}"
     248    fi
     249
     250    rm -rf "${updlock}"
    228251}
    229252
  • trunk/man/samhain.8

    r1 r3  
    1414{
    1515.I \-t update|\-\-set\-checksum\-test=update
    16 } [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
     16} [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
    1717
    1818.B samhain
     
    195195[\-r DEPTH|\-\-recursion=DEPTH]
    196196Set the (global) recursion depth.
     197.TP
     198[\-D|\-\-daemon]
     199Run as daemon. File checks are performed as specified by the timing
     200options in the configuration file. Updates are saved after each file check.
     201.TP
     202[\-\-foreground]
     203Run in the foreground. This will cause samhain to exit after the update,
     204unless the option
     205.I "\-\-forever"
     206is used.
     207.TP
     208[\-\-forever]
     209If not running as daemon, do not exit after finishing the update, but
     210loop forever, and perform checks with corresponding database updates
     211according to the timing options in the
     212configuration file.
    197213
    198214.PP
  • trunk/scripts/samhainadmin.pl.in

    r1 r3  
    2323use Getopt::Long;
    2424use File::Basename;
     25use File::Copy;
    2526use File::stat;
    2627use File::Temp qw/ tempfile tempdir unlink0 /;
    2728use IO::Handle;
     29use Fcntl qw(:DEFAULT :flock);
    2830
    2931File::Temp->safe_level( File::Temp::HIGH );
     
    3638my $return_from_sign = 0;
    3739my $no_print_examine = 0;
     40my $no_remove_lock   = 0;
    3841my $base = basename($0);
    3942
     
    4245my $daemon   = "@sbindir@/@install_name@";
    4346my $gpg      = "@mygpg@";
     47
     48$cfgfile  =~ s/^REQ_FROM_SERVER//;
     49$datafile =~ s/^REQ_FROM_SERVER//;
    4450
    4551$gpg = "gpg" if ($gpg eq "");
     
    186192
    187193    my $dir = tempdir( CLEANUP => 1 );
    188     $filename = $dir . "/exa_jhfdbilw";
     194    $filename = $dir . "/exa_jhfdbilw." . $$;
    189195    open $fh, ">$filename" or die "Cannot open $filename";
    190196    autoflush $fh 1;
     
    281287    open FH, "<$file1" or die "Cannot open file $file1 for read: $!";
    282288    if (!($file1 =~ /^\-$/)) {
     289        flock(FH, LOCK_EX) unless ($no_remove_lock == 1);
    283290        my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
    284         $filename = $dir . "/rem_iqegBCQb";
     291        $filename = $dir . "/rem_iqegBCQb." . $$;
    285292        open $fh, ">$filename" or die "Cannot open $filename";
    286293        $stats = stat($file1);
     
    313320    }
    314321    if (!($file1 =~ /^\-$/)) {
    315         my $command = "cp $filename $file1";
    316         system ($command) == 0
    317             or die "system $command failed: $?";
     322        copy("$filename", "$file1")
     323            or die "Copy $filename to $file1 failed: $!";
    318324        chmod $stats->mode, $file1;
    319325        chown $stats->uid, $stats->gid, $file1;
     326        flock(FH, LOCK_UN) unless ($no_remove_lock == 1);
     327        close FH;
    320328    }
    321329    unlink0( $fh, $filename ) or die "Cannot unlink $filename safely";
     
    386394    if ($file1 =~ /^\-$/) {
    387395        my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
    388         $filename1 = $dir . "/sig_vs8827sd";
     396        $filename1 = $dir . "/sig_vs8827sd." . $$;
    389397        open $fh1, ">$filename1" or die "Cannot open $filename1";
    390398        $flag1 = 1;
     
    419427        $fileout = '-';
    420428    } else {
     429        open (LOCKFILE, "<$file1") or die "Cannot open $file1: $!";
     430        flock(LOCKFILE, LOCK_EX);
    421431        $no_print_examine = 1;
     432        $no_remove_lock   = 1;
    422433        if (examine() < 2) {
    423434            remove();
    424435        }
    425436        $fileout = $file1 . ".asc";
    426         $stats   = stat($file1);
     437        $stats   = stat($file1)
     438            or die "No file $file1: $!";
    427439    }
    428440
     
    446458        die ("Signed file is smaller than unsigned file")
    447459            unless ($st_new->size > $st_old->size);
    448         system ("mv $fileout $file2") == 0
    449             or die "system mv $fileout $file2 failed: $?";
     460        move("$fileout", "$file2")
     461            or die "Move $fileout to $file2 failed: $!";
    450462        chmod $stats->mode, $file2;
    451463        chown $stats->uid, $stats->gid, $file2;
     464        flock(LOCKFILE, LOCK_UN);
    452465    }
    453466
  • trunk/src/sh_calls.c

    r1 r3  
    138138int sh_calls_set_bind_addr (char * str)
    139139{
     140  static int reject = 0;
     141
     142  if (reject == 1)
     143    return (0);
     144
     145  if (sh.flag.opts == S_TRUE) 
     146    reject = 1;
     147
    140148  if (0 == /*@-unrecog@*/inet_aton(str, &bind_addr)/*@+unrecog@*/)
    141149    {
  • trunk/src/sh_database.c

    r1 r3  
    3838#include "sh_error.h"
    3939#include "sh_utils.h"
     40
     41extern int safe_logger (int signal, int method, pid_t thepid);
    4042
    4143#undef  FIL__
     
    10091011{
    10101012  int               status = 0;
    1011   char            * p;
     1013  const char      * p;
    10121014  static MYSQL    * db_conn = NULL;
    10131015  static SH_TIMEOUT sh_timer = { 0, 3600, S_TRUE };
     
    14471449          retv = S_FALSE;
    14481450        }
     1451      else if (*p == '\"' && escp == 0)
     1452        {
     1453          retv = S_FALSE;
     1454        }
    14491455      else
    14501456        {
     
    14531459      ++p;
    14541460    }
     1461  if (escp == 1)
     1462    retv = S_FALSE;
    14551463  return retv;
    14561464}
     
    15461554
    15471555              if (S_FALSE == is_escaped(&p[j+2])) {
     1556                sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
     1557                                _("Message not properly escaped"),
     1558                                _("sh_database_parse"));
    15481559                SL_RETURN(NULL, _("sh_database_parse"));
    15491560              }
  • trunk/src/sh_forward.c

    r1 r3  
    19441944  SL_RET0(_("free_client"));
    19451945}
     1946
     1947extern int safe_logger (int signal, int method, pid_t thepid);
    19461948
    19471949int sh_forward_register_client (char * str)
  • trunk/src/sh_hash.c

    r1 r3  
    653653{
    654654  sh_file_t * p;
     655  sh_file_t * q;
    655656  int key;
    656657
     
    674675              strlen(s->fullpath) == strlen(p->fullpath))
    675676            {
    676               SH_FREE(s->fullpath);
    677               if(s->linkpath)
    678                 SH_FREE(s->linkpath);
     677              q = p->next;
     678              SH_FREE(p->fullpath);
     679              if(p->linkpath)
     680                SH_FREE(p->linkpath);
     681              memcpy(p, s, sizeof(sh_file_t));
     682              p->next = q;
    679683              SH_FREE(s);
    680684              s = NULL;
  • trunk/src/sh_kern.c

    r1 r3  
    859859   * Stored(old) is system_call_code[]
    860860   */
    861   if (sh.flag.checkSum == SH_CHECK_INIT)
     861  if (sh.flag.checkSum == SH_CHECK_INIT || sh.flag.update == S_TRUE)
    862862    {
    863863      store0 = 0; store1 = 0; store2 = 0;
     
    935935   * Stored(old) is sh_syscalls[] array.
    936936   */
    937   if (sh.flag.checkSum == SH_CHECK_INIT)
     937  if (sh.flag.checkSum == SH_CHECK_INIT || sh.flag.update == S_TRUE)
    938938    {
    939939      for (i = 0; i < SH_MAXCALLS; ++i)
     
    11251125  if (ShKernIDT == S_TRUE)
    11261126    {
    1127       if (sh.flag.checkSum == SH_CHECK_INIT)
     1127      if (sh.flag.checkSum == SH_CHECK_INIT || sh.flag.update == S_TRUE)
    11281128        {
    11291129          datasize = 8;
     
    14471447   * Stored(old) is sh_syscalls[] array.
    14481448   */
    1449   if (sh.flag.checkSum == SH_CHECK_INIT)
     1449  if (sh.flag.checkSum == SH_CHECK_INIT || sh.flag.update == S_TRUE)
    14501450    {
    14511451      for (i = 0; i < SH_MAXCALLS; ++i)
Note: See TracChangeset for help on using the changeset viewer.