Index: trunk/Makefile.in
===================================================================
--- trunk/Makefile.in	(revision 411)
+++ trunk/Makefile.in	(revision 412)
@@ -610,4 +610,11 @@
 		if test -f $(srcdir)/stealth_template.jpg; then \
 			cp $(srcdir)/stealth_template.jpg . ; \
+		fi; \
+	fi
+	@if test -d /etc/logrotate.d; then \
+		if test ! -f /etc/logrotate.d/@install_name@; then \
+			cp $(srcdir)/scripts/logrotate /etc/logrotate.d/@install_name@; \
+		else \
+			echo "/etc/logrotate.d/@install_name@ exists, not overwriting"; \
 		fi; \
 	fi
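Review bot: The new logrotate install step writes straight to /etc/logrotate.d and tests that directory on the build host, without honouring $(DESTDIR) even though DESTDIR appears in this project's configure machinery (it is initialised in the aclocal.m4 context of this same revision); a staged install such as an rpm build, which in the spec hunks below lists /etc/logrotate.d/@install_name@ under %files, would then likely find the file missing from the buildroot. The copied file also keeps whatever mode the checked-out scripts/logrotate has, so it may not match the 644 the spec files declare. Suggest `@if test -d $(DESTDIR)/etc/logrotate.d; then \`, `if test ! -f $(DESTDIR)/etc/logrotate.d/@install_name@; then \` and `cp $(srcdir)/scripts/logrotate $(DESTDIR)/etc/logrotate.d/@install_name@ && chmod 644 $(DESTDIR)/etc/logrotate.d/@install_name@; \`. The install recipe this hunk belongs to starts before the hunk.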
@@ -1633,8 +1640,10 @@
 samhain.startIRIX samhain.startMACOSX
 
-SCRIPTFILES=redhat_i386.client.spec check_samhain.pl samhainadmin.pl 
+SCRIPTFILES=redhat_i386.client.spec check_samhain.pl samhainadmin.pl logrotate \
+yuleadmin.pl samhain.ebuild samhain.ebuild-light samhain.spec
 
 distdir: distfilecheck
 	-rm -f $(top_srcdir)/init/*~
+	-rm -f $(top_srcdir)/sql_init/*~
 	-rm -f $(top_srcdir)/dsys/*~
 	-rm -f $(top_srcdir)/docs/*~
Index: trunk/aclocal.m4
===================================================================
--- trunk/aclocal.m4	(revision 411)
+++ trunk/aclocal.m4	(revision 412)
@@ -409,5 +409,5 @@
 x_libraries=NONE
 DESTDIR=
-SH_ENABLE_OPTS="ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand"
+SH_ENABLE_OPTS="ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
 SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
 
Index: trunk/configure.ac
===================================================================
--- trunk/configure.ac	(revision 411)
+++ trunk/configure.ac	(revision 412)
@@ -805,4 +805,13 @@
 	],
 	[AC_DEFINE(SH_WITH_MAIL)]
+)
+
+AC_ARG_ENABLE(suid,
+	[  --enable-suid		allow suid],
+	[
+	if test "x${enable_suid}" = xyes; then
+		AC_DEFINE(SH_ALLOW_SUID, [1], [Define if you want to allow suid execution for samhain])
+	fi
+	]
 )
 
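Review bot: The help string for the new option, `[  --enable-suid		allow suid]`, does not tell whoever runs configure what it actually changes, and the slib.c hunk in this revision shows that SH_ALLOW_SUID compiles out the refusal to run when the effective uid/gid differs from the real one, which is a security-relevant decision the user should be able to make knowingly. Suggest `[  --enable-suid           allow running as a setuid binary (disables the refusal on euid/ruid or egid/rgid mismatch; default no)]`. The AC_DEFINE description could likewise say that this removes a safety check rather than only "allow suid execution".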
@@ -2759,4 +2768,5 @@
 rules.deb-light
 hp_ux.psf
+scripts/logrotate
 scripts/samhain.spec
 scripts/redhat_i386.client.spec
Index: trunk/include/samhain.h
===================================================================
--- trunk/include/samhain.h	(revision 411)
+++ trunk/include/samhain.h	(revision 412)
@@ -458,9 +458,15 @@
 
 #if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
+#ifdef USE_SUID
 #define MLOCK(a, b) \
       if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
         (void) sl_set_suid(); \
 	if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; \
-        (void) sl_unset_suid(); } 
+        (void) sl_unset_suid(); }
+#else
+#define MLOCK(a, b) \
+      if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
+        if (sh_unix_mlock(FIL__, __LINE__, a, b) < 0) skey->mlock_failed = SL_TRUE; }
+#endif 
 #else
 #define MLOCK(a, b) \
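Review bot: The new `#ifdef USE_SUID` split guards a macro name that nothing in this revision defines — configure.ac adds SH_ALLOW_SUID — so unless USE_SUID is defined elsewhere (config.h or CFLAGS), the `#else` branch is what gets compiled, and that branch drops the sl_set_suid()/sl_unset_suid() bracket the previous MLOCK always had. That would silently change behaviour for every caller of MLOCK rather than only for suid builds; the MUNLOCK hunk below and the two aud_open hunks in sh_calls.c use the same guard and have the same question. Either key these blocks on SH_ALLOW_SUID, or add a comment at the top of the block stating where USE_SUID comes from, e.g. `/* USE_SUID: defined by [BUILD-KNOB-PLACEHOLDER] when the binary is installed setuid (see configure --enable-suid) */`. The conditional continues outside the hunk.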
@@ -469,9 +475,15 @@
 
 #if defined(HAVE_MLOCK) && !defined(HAVE_BROKEN_MLOCK)
+#ifdef USE_SUID
 #define MUNLOCK(a, b) \
       if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
         (void) sl_set_suid(); \
 	(void) sh_unix_munlock( a, b );\
-        (void) sl_unset_suid(); } 
+        (void) sl_unset_suid(); }
+#else
+#define MUNLOCK(a, b) \
+      if ((skey != NULL) && skey->mlock_failed == SL_FALSE){ \
+        (void) sh_unix_munlock( a, b ); }
+#endif 
 #else
 #define MUNLOCK(a, b) \
Index: trunk/include/slib.h
===================================================================
--- trunk/include/slib.h	(revision 411)
+++ trunk/include/slib.h	(revision 412)
@@ -39,4 +39,5 @@
 
 *****************/
+
 
 /* --------------------------------------------------------------
Index: trunk/samhain-install.sh.in
===================================================================
--- trunk/samhain-install.sh.in	(revision 411)
+++ trunk/samhain-install.sh.in	(revision 412)
@@ -1264,4 +1264,17 @@
 	fi
 
+	
+	if test -d /etc/logrotate.d; then
+	    if test -f /etc/logrotate.d/@install_name@; then
+		test -z "$verbose" || echo $ECHO_N "  rm -f /etc/logrotate.d/@install_name@ ... $ECHO_C"
+		rm -f /etc/logrotate.d/@install_name@;
+		if test x$? = x0; then
+		     test -z "$verbose" || echo "${ECHO_T}done"
+		else
+		    test -z "$verbose" || echo "${ECHO_T}failed"
+		fi
+	    fi
+	fi
+
 	if test x"$force" = "xyes"
 	then
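Review bot: The uninstall path removes /etc/logrotate.d/@install_name@ unconditionally, whereas the install side in this revision (Makefile.in) refuses to overwrite a pre-existing file at that path, so a file the administrator supplied themselves and that install deliberately left alone is deleted on uninstall. If the shipped scripts/logrotate is reachable from this script, guard the removal with a comparison, `if cmp -s scripts/logrotate /etc/logrotate.d/@install_name@; then`, otherwise at least say in the verbose output that a possibly locally-managed file is being removed. The added blank line before the block carries a stray tab, and the trailing `;` after `rm -f ...` is unlike the surrounding lines.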
Index: trunk/samhain.spec.in
===================================================================
--- trunk/samhain.spec.in	(revision 411)
+++ trunk/samhain.spec.in	(revision 412)
@@ -196,4 +196,5 @@
 %attr(644,root,root) @mandir@/man5/@install_name@*
 %attr(644,root,root) @mandir@/man8/@install_name@*
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 %config(noreplace) @myrpmconffile@
 
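Review bot: The logrotate file is added as a plain `%attr(644,root,root)` entry, so an rpm upgrade overwrites any local edits to /etc/logrotate.d/@install_name@; the neighbouring @myrpmconffile@ entry uses `%config(noreplace)`, and the Makefile.in install step in this revision explicitly refuses to overwrite an existing copy, so the package should follow the same policy: `%config(noreplace) %attr(644,root,root) /etc/logrotate.d/@install_name@`. The same applies to the entries added in scripts/redhat_i386.client.spec.in and scripts/samhain.spec.in.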
Index: trunk/scripts/check_samhain.pl.in
===================================================================
--- trunk/scripts/check_samhain.pl.in	(revision 411)
+++ trunk/scripts/check_samhain.pl.in	(revision 412)
@@ -4,5 +4,5 @@
 #   by the samhain file integrity checker.
 #
-# Copyright Rainer Wichmann (2004)
+# Copyright Rainer Wichmann (2004, 2012)
 #
 # License Information:
@@ -28,5 +28,5 @@
 use Getopt::Long;
 use vars qw($PROGNAME $SAMHAIN $opt_V $opt_h $opt_v $verbose $opt_w $opt_c $opt_t $status $msg $state $retval);
-use lib  "utils.pm";
+use lib  "/usr/local/nagios/libexec" ;
 use utils qw(%ERRORS &print_revision);
 
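Review bot: `use lib  "/usr/local/nagios/libexec" ;` hard-codes one Nagios plugin directory into a file that is otherwise configure-substituted (@sbindir@ and @install_name@ a few lines down), so on installations that keep utils.pm elsewhere the following `use utils` fails at compile time. Consider a configure-substituted path, or resolving the directory from the plugin's own location with the core FindBin module, `use FindBin; use lib $FindBin::Bin;` (this assumes the plugin is installed next to utils.pm — confirm for this package). The old value "utils.pm" was not a directory at all, so either option is an improvement.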
@@ -49,5 +49,5 @@
 # -----------------------------------------------------------------[ Global ]--
 
-$PROGNAME = "check_samhain";
+$PROGNAME = "check_@install_name@";
 $SAMHAIN = "@sbindir@/@install_name@"; 
 
@@ -99,5 +99,5 @@
     $state = $ERRORS{'WARNING'};
 } else {
-    $msg = "CRITICAL: $status policy violations (threshold w=$opt_w)";
+    $msg = "CRITICAL: $status policy violations (threshold c=$opt_c)";
     $state = $ERRORS{'CRITICAL'};
 }
@@ -143,5 +143,5 @@
     
     if ($opt_V) {
-	print_revision($PROGNAME,'$Revision: 1.0 $ ');
+	print_revision($PROGNAME,'$Revision: 1.1 $ ');
 	exit $ERRORS{'OK'};
     }
@@ -182,6 +182,6 @@
 
 sub print_help () {
-    print_revision($PROGNAME, '$Revision: 1.0 $');
-    print "Copyright (c) 2004 Rainer Wichmann
+    print_revision($PROGNAME, '1.1');
+    print "Copyright (c) 2004,2012 Rainer Wichmann
 
 This plugin checks the number of policy violations reported by the
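Review bot: print_help now passes a bare `'1.1'` to print_revision while the -V branch earlier in the file still passes `'$Revision: 1.1 $ '`; both are probably accepted if utils.pm strips the RCS wrapper, but the two call sites should agree so the version is maintained in one place. Suggest `my $REVISION = '1.1';` next to the other globals and `print_revision($PROGNAME, $REVISION);` at both sites. print_help continues past the hunk.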
Index: trunk/scripts/redhat_i386.client.spec.in
===================================================================
--- trunk/scripts/redhat_i386.client.spec.in	(revision 411)
+++ trunk/scripts/redhat_i386.client.spec.in	(revision 412)
@@ -141,4 +141,5 @@
 /usr/local/sbin/samhain_setpwd
 /lib/modules
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 #%attr(644,root,root) /usr/local/man/man5/samhain*
 #%attr(644,root,root) /usr/local/man/man8/samhain*
Index: trunk/scripts/samhain.spec.in
===================================================================
--- trunk/scripts/samhain.spec.in	(revision 411)
+++ trunk/scripts/samhain.spec.in	(revision 412)
@@ -127,4 +127,5 @@
 %attr(644,root,root) %{_mandir}/man5/samhain*
 %attr(644,root,root) %{_mandir}/man8/samhain*
+%attr(644,root,root) /etc/logrotate.d/@install_name@
 %config(noreplace) %{_sysconfdir}/samhainrc
 
Index: trunk/src/sh_calls.c
===================================================================
--- trunk/src/sh_calls.c	(revision 411)
+++ trunk/src/sh_calls.c	(revision 412)
@@ -696,5 +696,25 @@
   SL_ENTER(_("aud_open"));
 
+#ifdef USE_SUID
+  if (0 == strcmp(pathname, "/usr/bin/sudo"))
+    {
+      uid_t ruid; uid_t euid; uid_t suid;
+      getresuid(&ruid, &euid, &suid);
+    }
+  if (privs == SL_YESPRIV)
+    sl_set_suid();
+#else
+  /*@-noeffect@*/
+  (void) privs; /* fix compiler warning */
+  /*@+noeffect@*/
+#endif
+
   val_return = open (pathname, *o_noatime|flags, mode);
+
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_unset_suid();
+#endif
+
   if ((val_return < 0) && (*o_noatime != 0))
     {
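Review bot: The new `strcmp(pathname, "/usr/bin/sudo")` block calls getresuid() into three locals and then discards them, so it has no effect and reads like leftover debugging; getresuid() is also a glibc/BSD extension rather than POSIX, so the lines can cost portability for nothing — drop them. Separately, errno from open() is now read only after sl_unset_suid() has run (`error = errno;` sits in the next hunk here, and in the third sh_calls.c hunk it was explicitly moved below the unset block); if sl_unset_suid() performs any call that can fail, it can overwrite the value, so capture errno immediately after each open() before the `#ifdef USE_SUID` unset block, e.g. `val_return = open (pathname, flags, mode);` followed directly by `error = errno;`. The O_NOATIME retry a few lines below also now runs after privileges have been dropped; confirm that is intended. aud_open starts before this hunk.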
@@ -704,7 +724,4 @@
     }
   error = errno;
-  /*@-noeffect@*/
-  (void) privs; /* fix compiler warning */
-  /*@+noeffect@*/
 
   if (val_return < 0)
@@ -736,9 +753,21 @@
   SL_ENTER(_("aud_open"));
 
-  val_return = open (pathname, flags, mode);
-  error = errno;
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_set_suid();
+#else
   /*@-noeffect@*/
   (void) privs; /* fix compiler warning */
   /*@+noeffect@*/
+#endif
+
+  val_return = open (pathname, flags, mode);
+
+#ifdef USE_SUID
+  if (privs == SL_YESPRIV)
+    sl_unset_suid();
+#endif
+
+  error = errno;
 
   if (val_return < 0)
Index: trunk/src/sh_database.c
===================================================================
--- trunk/src/sh_database.c	(revision 411)
+++ trunk/src/sh_database.c	(revision 412)
@@ -1764,4 +1764,5 @@
 
 /* recursively enter linked list of messages into database, last first
+ * - last is client (if this is a client message received by client)
  */
 long sh_database_insert_rec (dbins * curr, int depth, char * host)
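Review bot: The added comment line, "last is client (if this is a client message received by client)", is hard to parse — a client message received by a client reads as a contradiction given the client/server split the surrounding code implies. If the intended meaning is that the last entry of the list is the originating client host for a message the server received from a client, say that: `* - the last entry is the originating client (when the message was received from a client)`. sh_database_insert_rec's body is outside the hunk, so I cannot confirm which reading is right.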
Index: trunk/src/slib.c
===================================================================
--- trunk/src/slib.c	(revision 411)
+++ trunk/src/slib.c	(revision 412)
@@ -1535,4 +1535,5 @@
   SL_REQUIRE (sl_save_uids() == SL_ENONE, _("sl_save_uids() == SL_ENONE"));
 
+#ifndef SH_ALLOW_SUID
   if (euid != ruid || egid != rgid)
     {
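Review bot: With SH_ALLOW_SUID defined the euid/ruid and egid/rgid mismatch check is compiled out entirely, so a setuid binary runs with nothing in the log indicating that this safety check was bypassed. A short `#else` branch that records the condition — logging, with whatever log or trace call this file already uses, that suid execution is permitted and the real and effective ids differ — would keep the event visible to operators and to anyone reading the log afterwards. The matching `#endif` is in the following hunk, and sl_policy_get_user starts before this one.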
@@ -1556,4 +1557,5 @@
 #endif
     }
+#endif
   SL_IRETURN(SL_ENONE, _("sl_policy_get_user"));
 }
