Changeset 55
- Timestamp:
- Aug 17, 2006, 10:31:24 PM (18 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
trunk/docs/Changelog
r54 r55 1 2 * fix bug with SuidExclude (files in directory were still checked) 3 1 4 2.2.3: 2 5 * fix samhainadmin.pl: check for gpg-agent running if use-agent is set -
trunk/src/sh_suidchk.c
r34 r55 519 519 if (/*@-usedef@*/S_ISDIR(buf.st_mode)/*@+usedef@*/ && 520 520 (ShSuidchkExclude == NULL || 521 0 != strncmp(tmpcat, ShSuidchkExclude, (size_t) ExcludeLen)))521 0 != strcmp(tmpcat, ShSuidchkExclude))) 522 522 { 523 523 /* fs is a STATIC string … … 1118 1118 SH_FREE(ShSuidchkExclude); 1119 1119 1120 /* 1.8.1 add trailing slash1121 */1122 1120 ExcludeLen = (int) sl_strlen(c); 1123 if (c[ExcludeLen-1] != '/') 1124 { 1125 ExcludeLen++; 1126 if ((ExcludeLen <= 0) || (ExcludeLen+1 <= 0)) /* may overflow */ 1127 { 1128 SL_RETURN(-1, _("sh_suidchk_set_exclude")); 1129 } 1121 if (c[ExcludeLen-1] == '/') 1122 { 1123 c[ExcludeLen-1] = '\0'; 1124 ExcludeLen--; 1130 1125 } 1131 1126 ShSuidchkExclude = SH_ALLOC((size_t) ExcludeLen + 1); 1132 1127 (void) sl_strlcpy(ShSuidchkExclude, c, (size_t)(ExcludeLen + 1)); 1133 ShSuidchkExclude[ExcludeLen-1] = '/';1134 1128 1135 1129 SL_RETURN(0, _("sh_suidchk_set_exclude")); -
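Review bot: In the rewritten sh_suidchk_set_exclude (hunk lines 1120-1124), `c[ExcludeLen-1]` is read before ExcludeLen is tested, so an empty exclude value (ExcludeLen == 0) indexes one byte before the buffer; the removed branch had the same read, but the guard is cheap here: `if ((ExcludeLen > 0) && (c[ExcludeLen-1] == '/'))`. The new code also writes the terminator into `c` itself rather than into the copy it allocates two lines later, so the caller's buffer is modified in place — whether `c` may be a shared or read-only configuration string cannot be told from the hunk, since the signature is outside it. Only a single trailing slash is stripped, so a value such as `dir//` would still fail the exact `strcmp` at line 521 of the first hunk; looping while the last character is '/' would make the normalization robust. sh_suidchk_set_exclude begins and ends outside the hunk.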
trunk/test/testrun_1c.sh
r51 r55 23 23 export BUILDOPTS 24 24 25 MAXTEST= 6; export MAXTEST25 MAXTEST=7; export MAXTEST 26 26 27 27 ## Quarantine SUID/SGID files if found … … 39 39 # 40 40 # SuidCheckQuarantineDelete = yes 41 42 SUIDPOLICY_7=" 43 [ReadOnly] 44 file=${BASE} 45 [SuidCheck] 46 SuidCheckActive = yes 47 SuidCheckExclude = ${BASE}/a/a 48 SuidCheckInterval = 10 49 SeveritySuidCheck = crit 50 SuidCheckQuarantineFiles = no 51 SuidCheckQuarantineMethod = 2 52 SuidCheckQuarantineDelete = yes 53 " 54 55 mod_suiddata_7 () { 56 one_sec_sleep 57 chmod 4444 "${BASE}/a/a/y" 58 chmod 4444 "${BASE}/a/a/a/y" 59 mkdir "${BASE}/a/abc" 60 touch "${BASE}/a/abc/y" 61 chmod 4444 "${BASE}/a/abc/y" 62 } 63 64 chk_suiddata_7 () { 65 one_sec_sleep 66 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'` 67 if [ "x$tmp" = "x-r-Sr--r--" ]; then 68 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1 69 if [ $? -eq 0 ]; then 70 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y"; 71 return 1 72 fi 73 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1 74 if [ $? -eq 0 ]; then 75 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y"; 76 return 1 77 fi 78 else 79 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)"; 80 return 1 81 fi 82 tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'` 83 if [ "x$tmp" = "x-r-Sr--r--" ]; then 84 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1 85 if [ $? -eq 0 ]; then 86 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y"; 87 return 1 88 fi 89 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1 90 if [ $? 
-eq 0 ]; then 91 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y"; 92 return 1 93 fi 94 else 95 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)"; 96 return 1 97 fi 98 tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'` 99 if [ "x$tmp" = "x-r-Sr--r--" ]; then 100 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1 101 if [ $? -ne 0 ]; then 102 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y"; 103 return 1 104 fi 105 egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1 106 if [ $? -ne 0 ]; then 107 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y"; 108 return 1 109 fi 110 return 0; 111 else 112 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)"; 113 return 1 114 fi 115 } 116 41 117 42 118 SUIDPOLICY_6="
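Review bot: chk_suiddata_7 (hunk lines 64-115) repeats the same ls/egrep sequence three times, differing only in the path and in whether a match is a failure (`-eq 0` for the excluded files, `-ne 0` for `${BASE}/a/abc/y`), which makes the expectation of each block easy to misread and is the kind of copy that drifts when a fourth path is added. A small helper taking the path and an expected outcome keeps the test's intent visible — the first two files must be silent, the third must be reported — and the `return 0;` with a stray semicolon before the final `else` disappears with it. The rest of the added policy text and mod_suiddata_7 is fine as written.
```shell
# constructed helper: chk_suid_file PATH reported|excluded
chk_suid_file () {
    tmp=`ls -l "$1" 2>/dev/null | awk '{ print $1}'`
    if [ "x$tmp" != "x-r-Sr--r--" ]; then
        [ -z "$verbose" ] || log_msg_fail "$1 (suid not kept)";
        return 1
    fi
    for pat in "CRIT.*POLICY \[SuidCheck\].*$1" "CRIT.*POLICY ADDED.*$1"; do
        egrep "$pat" $LOGFILE >/dev/null 2>&1
        found=$?
        if [ "$2" = "reported" -a $found -ne 0 ] || [ "$2" = "excluded" -a $found -eq 0 ]; then
            [ -z "$verbose" ] || log_msg_fail "$1";
            return 1
        fi
    done
    return 0
}

chk_suiddata_7 () {
    one_sec_sleep
    chk_suid_file "${BASE}/a/a/y" excluded || return 1
    chk_suid_file "${BASE}/a/a/a/y" excluded || return 1
    chk_suid_file "${BASE}/a/abc/y" reported || return 1
    return 0
}
```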