Changeset 412

Timestamp:

Sep 1, 2012, 4:25:30 PM (12 years ago)

Author:

katerina

Message:

Enhancements for ticket #312 (logrotate) and #313 (--enable-suid).

Location:

trunk

Files:

• Makefile.in (modified) (2 diffs)
• aclocal.m4 (modified) (1 diff)
• configure.ac (modified) (2 diffs)
• include/samhain.h (modified) (2 diffs)
• include/slib.h (modified) (1 diff)
• samhain-install.sh.in (modified) (1 diff)
• samhain.spec.in (modified) (1 diff)
• scripts/check_samhain.pl.in (modified) (6 diffs)
• scripts/redhat_i386.client.spec.in (modified) (1 diff)
• scripts/samhain.spec.in (modified) (1 diff)
• src/sh_calls.c (modified) (3 diffs)
• src/sh_database.c (modified) (1 diff)
• src/slib.c (modified) (2 diffs)

trunk/Makefile.in

@@ -610 +610 @@
                 if test -f $(srcdir)/stealth_template.jpg; then \
                         cp $(srcdir)/stealth_template.jpg . ; \
+                fi; \
+        fi
+        @if test -d /etc/logrotate.d; then \
+                if test ! -f /etc/logrotate.d/@install_name@; then \
+                        cp $(srcdir)/scripts/logrotate /etc/logrotate.d/@install_name@; \
+                else \
+                        echo "/etc/logrotate.d/@install_name@ exists, not overwriting"; \
                 fi; \
         fi
@@ -1633 +1640 @@
 samhain.startIRIX samhain.startMACOSX
 
-SCRIPTFILES=redhat_i386.client.spec check_samhain.pl samhainadmin.pl 
+SCRIPTFILES=redhat_i386.client.spec check_samhain.pl samhainadmin.pl logrotate \
+yuleadmin.pl samhain.ebuild samhain.ebuild-light samhain.spec
 
 distdir: distfilecheck
         -rm -f $(top_srcdir)/init/*~
+        -rm -f $(top_srcdir)/sql_init/*~
         -rm -f $(top_srcdir)/dsys/*~
         -rm -f $(top_srcdir)/docs/*~

trunk/aclocal.m4

@@ -409 +409 @@
 x_libraries=NONE
 DESTDIR=
-SH_ENABLE_OPTS="ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand"
+SH_ENABLE_OPTS="ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
 SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
 

trunk/configure.ac

@@ -805 +805 @@
         ],
         [AC_DEFINE(SH_WITH_MAIL)]
+)
+
+AC_ARG_ENABLE(suid,
+        [  --enable-suid                allow suid],
+        [
+        if test "x${enable_suid}" = xyes; then
+                AC_DEFINE(SH_ALLOW_SUID, [1], [Define if you want to allow suid execution for samhain])
+        fi
+        ]
 )
 
@@ -2759 +2768 @@
 rules.deb-light
 hp_ux.psf
+scripts/logrotate
 scripts/samhain.spec
 scripts/redhat_i386.client.spec

trunk/include/samhain.h

@@ -458 +458 @@
 
 #if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
+#ifdef USE_SUID
 #define MLOCK(a, b) \
       if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
         (void) sl_set_suid(); \
         if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
-        (void) sl_unset_suid(); } 
+        (void) sl_unset_suid(); }
+#else
+#define MLOCK(a, b) \
+      if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
+        if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; }
+#endif 
 #else
 #define MLOCK(a, b) \
@@ -469 +475 @@
 
 #if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
+#ifdef USE_SUID
 #define MUNLOCK(a, b) \
       if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
         (void) sl_set_suid(); \
         (void) sh_unix_munlock( a, b );\
-        (void) sl_unset_suid(); } 
+        (void) sl_unset_suid(); }
+#else
+#define MUNLOCK(a, b) \
+      if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
+        (void) sh_unix_munlock( a, b ); }
+#endif 
 #else
 #define MUNLOCK(a, b) \

trunk/include/slib.h

@@ -39 +39 @@
 
 *****************/
+
 
 /* --------------------------------------------------------------

trunk/samhain-install.sh.in

@@ -1264 +1264 @@
         fi
 
+        
+        if test -d /etc/logrotate.d; then
+            if test -f /etc/logrotate.d/@install_name@; then
+                test -z "$verbose" || echo $ECHO_N "  rm -f /etc/logrotate.d/@install_name@ ... $ECHO_C"
+                rm -f /etc/logrotate.d/@install_name@;
+                if test x$? = x0; then
+                     test -z "$verbose" || echo "${ECHO_T}done"
+                else
+                    test -z "$verbose" || echo "${ECHO_T}failed"
+                fi
+            fi
+        fi
+
         if test x"$force" = "xyes"
         then

trunk/samhain.spec.in

@@ -196 +196 @@
 %attr(644,root,root) @mandir@/man5/@install_name@*
 %attr(644,root,root) @mandir@/man8/@install_name@*
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 %config(noreplace) @myrpmconffile@
 

trunk/scripts/check_samhain.pl.in

@@ -4 +4 @@
 #   by the samhain file integrity checker.
 #
-# Copyright Rainer Wichmann (2004)
+# Copyright Rainer Wichmann (2004, 2012)
 #
 # License Information:
@@ -28 +28 @@
 use Getopt::Long;
 use vars qw($PROGNAME $SAMHAIN $opt_V $opt_h $opt_v $verbose $opt_w $opt_c $opt_t $status $msg $state $retval);
-use lib  "utils.pm";
+use lib  "/usr/local/nagios/libexec" ;
 use utils qw(%ERRORS &print_revision);
 
@@ -49 +49 @@
 # -----------------------------------------------------------------[ Global ]--
 
-$PROGNAME = "check_samhain";
+$PROGNAME = "check_@install_name@";
 $SAMHAIN = "@sbindir@/@install_name@"; 
 
@@ -99 +99 @@
     $state = $ERRORS{'WARNING'};
 } else {
-    $msg = "CRITICAL: $status policy violations (threshold w=$opt_w)";
+    $msg = "CRITICAL: $status policy violations (threshold c=$opt_c)";
     $state = $ERRORS{'CRITICAL'};
 }
@@ -143 +143 @@
     
     if ($opt_V) {
-        print_revision($PROGNAME,'$Revision: 1.0 $ ');
+        print_revision($PROGNAME,'$Revision: 1.1 $ ');
         exit $ERRORS{'OK'};
     }
@@ -182 +182 @@
 
 sub print_help () {
-    print_revision($PROGNAME, '$Revision: 1.0 $');
-    print "Copyright (c) 2004 Rainer Wichmann
+    print_revision($PROGNAME, '1.1');
+    print "Copyright (c) 2004,2012 Rainer Wichmann
 
 This plugin checks the number of policy violations reported by the

trunk/scripts/redhat_i386.client.spec.in

@@ -141 +141 @@
 /usr/local/sbin/samhain_setpwd
 /lib/modules
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 #%attr(644,root,root) /usr/local/man/man5/samhain*
 #%attr(644,root,root) /usr/local/man/man8/samhain*

trunk/scripts/samhain.spec.in

@@ -127 +127 @@
 %attr(644,root,root) %{_mandir}/man5/samhain*
 %attr(644,root,root) %{_mandir}/man8/samhain*
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 %config(noreplace) %{_sysconfdir}/samhainrc
 

trunk/src/sh_calls.c

@@ -696 +696 @@
   SL_ENTER(_("aud_open"));
 
+#ifdef USE_SUID
+  if (0 == strcmp(pathname, "/usr/bin/sudo"))
+    {
+      uid_t ruid; uid_t euid; uid_t suid;
+      getresuid(&ruid, &euid, &suid);
+    }
+  if (privs == SL_YESPRIV)
+    sl_set_suid();
+#else
+  /*@-noeffect@*/
+  (void) privs; /* fix compiler warning */
+  /*@+noeffect@*/
+#endif
+
   val_return = open (pathname, *o_noatime|flags, mode);
+
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_unset_suid();
+#endif
+
   if ((val_return < 0) && (*o_noatime != 0))
     {
@@ -704 +724 @@
     }
   error = errno;
-  /*@-noeffect@*/
-  (void) privs; /* fix compiler warning */
-  /*@+noeffect@*/
 
   if (val_return < 0)
@@ -736 +753 @@
   SL_ENTER(_("aud_open"));
 
-  val_return = open (pathname, flags, mode);
-  error = errno;
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_set_suid();
+#else
   /*@-noeffect@*/
   (void) privs; /* fix compiler warning */
   /*@+noeffect@*/
+#endif
+
+  val_return = open (pathname, flags, mode);
+
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_unset_suid();
+#endif
+
+  error = errno;
 
   if (val_return < 0)

trunk/src/sh_database.c

@@ -1764 +1764 @@
 
 /* recursively enter linked list of messages into database, last first
+ * - last is client (if this is a client message received by client)
  */
 long sh_database_insert_rec (dbins * curr, int depth, char * host)

trunk/src/slib.c

@@ -1535 +1535 @@
   SL_REQUIRE (sl_save_uids() == SL_ENONE, _("sl_save_uids() == SL_ENONE"));
 
+#ifndef SH_ALLOW_SUID
   if (euid != ruid || egid != rgid)
     {
@@ -1556 +1557 @@
 #endif
     }
+#endif
   SL_IRETURN(SL_ENONE, _("sl_policy_get_user"));
 }