Changeset 55


Timestamp:
Aug 17, 2006, 10:31:24 PM (18 years ago)
Author:
rainer
Message:

Fix for bug with SuidCheckExclude (ticket #30)

Location:
trunk
Files:
3 edited

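--- a/trunk/docs/Changelog
+++ b/trunk/docs/Changelog
@@ -1,2 +1,5 @@
+
+        * fix bug with SuidExclude (files in directory were still checked)
+
 2.2.3:
         * fix samhainadmin.pl: check for gpg-agent running if use-agent is set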
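--- a/trunk/src/sh_suidchk.c
+++ b/trunk/src/sh_suidchk.c
@@ -519,5 +519,5 @@
           if (/*@-usedef@*/S_ISDIR(buf.st_mode)/*@+usedef@*/ &&
               (ShSuidchkExclude == NULL ||
-               0 != strncmp(tmpcat, ShSuidchkExclude, (size_t) ExcludeLen)))
+               0 != strcmp(tmpcat, ShSuidchkExclude)))
             {
               /* fs is a STATIC string
@@ -1118,18 +1118,12 @@
     SH_FREE(ShSuidchkExclude);
 
-  /* 1.8.1 add trailing slash
-   */
   ExcludeLen       = (int) sl_strlen(c);
-  if (c[ExcludeLen-1] != '/')
-    {
-      ExcludeLen++;
-      if ((ExcludeLen <= 0) || (ExcludeLen+1 <= 0)) /* may overflow */
-        {
-          SL_RETURN(-1, _("sh_suidchk_set_exclude"));
-        }
+  if (c[ExcludeLen-1] == '/')
+    {
+      c[ExcludeLen-1] = '\0';
+      ExcludeLen--;
     }
   ShSuidchkExclude = SH_ALLOC((size_t) ExcludeLen + 1);
   (void) sl_strlcpy(ShSuidchkExclude, c, (size_t)(ExcludeLen + 1));
-  ShSuidchkExclude[ExcludeLen-1] = '/';
 
   SL_RETURN(0, _("sh_suidchk_set_exclude"));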
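Review bot: The new trailing-slash strip in sh_suidchk_set_exclude reads and writes `c[ExcludeLen-1]` without first checking that ExcludeLen is positive, so an empty SuidCheckExclude value would index one byte before the buffer; the function's entry is outside the hunk, so an earlier empty-string check may exist, but none is visible here. Guarding the test, `if ((ExcludeLen > 0) && (c[ExcludeLen-1] == '/'))`, keeps the fix and removes that dependency. Note also that the strip now writes a NUL into the caller's string `c` rather than into the private copy made two lines later, and that a value consisting only of `/` collapses to an empty exclude that the strcmp in the scan loop (first hunk) will never match; a short comment such as `/* strips one trailing slash; c is modified in place */` would make both consequences visible to the next maintainer.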
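--- a/trunk/test/testrun_1c.sh
+++ b/trunk/test/testrun_1c.sh
@@ -23,5 +23,5 @@
 export BUILDOPTS
 
-MAXTEST=6; export MAXTEST
+MAXTEST=7; export MAXTEST
 
 ## Quarantine SUID/SGID files if found
@@ -39,4 +39,80 @@
 #
 # SuidCheckQuarantineDelete = yes
+
+SUIDPOLICY_7="
+[ReadOnly]
+file=${BASE}
+[SuidCheck]
+SuidCheckActive = yes
+SuidCheckExclude = ${BASE}/a/a
+SuidCheckInterval = 10
+SeveritySuidCheck = crit
+SuidCheckQuarantineFiles = no
+SuidCheckQuarantineMethod = 2
+SuidCheckQuarantineDelete = yes
+"
+
+mod_suiddata_7 () {
+    one_sec_sleep
+    chmod 4444 "${BASE}/a/a/y"
+    chmod 4444 "${BASE}/a/a/a/y"
+    mkdir "${BASE}/a/abc"
+    touch "${BASE}/a/abc/y"
+    chmod 4444 "${BASE}/a/abc/y"
+}
+
+chk_suiddata_7 () {
+    one_sec_sleep
+    tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+        egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
+            return 1
+        fi
+        egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
+            return 1
+        fi
+    else
+        [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
+        return 1
+    fi
+    tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+        egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
+            return 1
+        fi
+        egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -eq 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
+            return 1
+        fi
+    else
+        [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
+        return 1
+    fi
+    tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+        egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -ne 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
+            return 1
+        fi
+        egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
+        if [ $? -ne 0 ]; then
+            [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
+            return 1
+        fi
+        return 0;
+    else
+        [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)";
+        return 1
+    fi
+}
+
 
 SUIDPOLICY_6="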
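Review bot: chk_suiddata_7 repeats the same ls/egrep block three times, differing only in the path and in whether a log hit counts as failure (`-eq 0` for the two files under the excluded `${BASE}/a/a`, `-ne 0` for `${BASE}/a/abc/y`), which buries the actual regression check for ticket #30 — that a sibling directory sharing the exclude as a prefix is still reported. A helper taking the path and the expected grep status, sketched below, makes that intent visible; it treats any status other than the expected one as a failure, so a missing or unreadable $LOGFILE (grep status 2) no longer slips past the `-eq 0` tests for the excluded files. The `ls -l | awk '{ print $1}'` mode-string comparison is also fragile on systems where ls appends an ACL or security-context marker to the mode field, though that pattern is presumably shared with the earlier tests in this file.
```shell
# check_suid_7 PATH EXPECT: PATH must still be setuid (mode -r-Sr--r--);
# EXPECT is the egrep status required for both log patterns
# (0 = must be reported, 1 = must not be reported).
check_suid_7 () {
    tmp=`ls -l "$1" 2>/dev/null | awk '{ print $1}'`
    if [ "x$tmp" != "x-r-Sr--r--" ]; then
        [ -z "$verbose" ] || log_msg_fail "$1 (suid not kept)";
        return 1
    fi
    egrep "CRIT.*POLICY \[SuidCheck\].*$1" $LOGFILE >/dev/null 2>&1
    if [ $? -ne $2 ]; then
        [ -z "$verbose" ] || log_msg_fail "$1";
        return 1
    fi
    egrep "CRIT.*POLICY ADDED.*$1" $LOGFILE >/dev/null 2>&1
    if [ $? -ne $2 ]; then
        [ -z "$verbose" ] || log_msg_fail "$1";
        return 1
    fi
    return 0
}

chk_suiddata_7 () {
    one_sec_sleep
    check_suid_7 "${BASE}/a/a/y"   1 || return 1
    check_suid_7 "${BASE}/a/a/a/y" 1 || return 1
    check_suid_7 "${BASE}/a/abc/y" 0
}
```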