Index: /trunk/docs/Changelog
===================================================================
--- /trunk/docs/Changelog	(revision 54)
+++ /trunk/docs/Changelog	(revision 55)
@@ -1,2 +1,5 @@
+
+	* fix bug with SuidExclude (files in directory were still checked)
+
 2.2.3:
 	* fix samhainadmin.pl: check for gpg-agent running if use-agent is set
Index: /trunk/src/sh_suidchk.c
===================================================================
--- /trunk/src/sh_suidchk.c	(revision 54)
+++ /trunk/src/sh_suidchk.c	(revision 55)
@@ -519,5 +519,5 @@
 	  if (/*@-usedef@*/S_ISDIR(buf.st_mode)/*@+usedef@*/ &&
 	      (ShSuidchkExclude == NULL || 
-	      0 != strncmp(tmpcat, ShSuidchkExclude, (size_t) ExcludeLen)))
+	       0 != strcmp(tmpcat, ShSuidchkExclude)))
 	    {
 	      /* fs is a STATIC string
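Review bot: The `strcmp` on the added line only excludes a directory when `tmpcat` and `ShSuidchkExclude` are byte-identical, and nothing at the comparison says which normalisation that relies on. A comment above the condition would help, for example `/* exact match on the directory itself: not descending excludes the whole subtree, while a prefix match would also skip siblings such as /a/abc */`. If `tmpcat` can be built with a doubled slash, or the configured path has more than one trailing slash, the match presumably fails and the directory is scanned; that errs toward more checking, but the operator gets no hint that the exclude is not in effect. `ExcludeLen` is no longer used in this comparison, so check whether it is still needed outside the setter. The `if` statement continues outside the hunk.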
@@ -1118,18 +1118,12 @@
     SH_FREE(ShSuidchkExclude);
 
-  /* 1.8.1 add trailing slash
-   */
   ExcludeLen       = (int) sl_strlen(c);
-  if (c[ExcludeLen-1] != '/')
-    {
-      ExcludeLen++;
-      if ((ExcludeLen <= 0) || (ExcludeLen+1 <= 0)) /* may overflow */
-	{
-	  SL_RETURN(-1, _("sh_suidchk_set_exclude"));
-	}
+  if (c[ExcludeLen-1] == '/')
+    {
+      c[ExcludeLen-1] = '\0';
+      ExcludeLen--;
     }
   ShSuidchkExclude = SH_ALLOC((size_t) ExcludeLen + 1);
   (void) sl_strlcpy(ShSuidchkExclude, c, (size_t)(ExcludeLen + 1));
-  ShSuidchkExclude[ExcludeLen-1] = '/';
 
   SL_RETURN(0, _("sh_suidchk_set_exclude"));
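Review bot: `c[ExcludeLen-1]` is read before anything visible checks that `c` is non-empty, so an empty option value indexes `c[-1]`, and with this change that position can also be written. Guarding the strip as `if (ExcludeLen > 1 && c[ExcludeLen-1] == '/')` closes that and keeps an exclude of `/` from collapsing to an empty string that can never match. The added `c[ExcludeLen-1] = '\0';` also modifies the caller's buffer; assuming `sl_strlcpy` truncates to its size argument like `strlcpy`, the copy bounded by the reduced `ExcludeLen + 1` already drops the slash, so that write can be removed. The function's signature and any earlier NULL or empty check are outside the hunk, so confirm whether `c` is validated there and whether it is `const`.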
Index: /trunk/test/testrun_1c.sh
===================================================================
--- /trunk/test/testrun_1c.sh	(revision 54)
+++ /trunk/test/testrun_1c.sh	(revision 55)
@@ -23,5 +23,5 @@
 export BUILDOPTS
 
-MAXTEST=6; export MAXTEST
+MAXTEST=7; export MAXTEST
 
 ## Quarantine SUID/SGID files if found
@@ -39,4 +39,80 @@
 # 
 # SuidCheckQuarantineDelete = yes
+
+SUIDPOLICY_7="
+[ReadOnly]
+file=${BASE}
+[SuidCheck]
+SuidCheckActive = yes
+SuidCheckExclude = ${BASE}/a/a
+SuidCheckInterval = 10
+SeveritySuidCheck = crit
+SuidCheckQuarantineFiles = no
+SuidCheckQuarantineMethod = 2
+SuidCheckQuarantineDelete = yes
+"
+
+mod_suiddata_7 () {
+    one_sec_sleep
+    chmod 4444 "${BASE}/a/a/y"
+    chmod 4444 "${BASE}/a/a/a/y"
+    mkdir "${BASE}/a/abc"
+    touch "${BASE}/a/abc/y"
+    chmod 4444 "${BASE}/a/abc/y"
+}
+
+chk_suiddata_7 () {
+    one_sec_sleep
+    tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+	egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
+	    return 1
+	fi
+	egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
+	    return 1
+	fi
+    else
+	[ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
+	return 1
+    fi
+    tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+	egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
+	    return 1
+	fi
+	egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
+	    return 1
+	fi
+    else
+	[ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
+	return 1
+    fi
+    tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'`
+    if [ "x$tmp" = "x-r-Sr--r--" ]; then
+	egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
+	    return 1
+	fi
+	egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+	    [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
+	    return 1
+	fi
+	return 0;
+    else
+	[ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)";
+	return 1
+    fi
+}
+
 
 SUIDPOLICY_6="
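Review bot: `SUIDPOLICY_7` only sets `SuidCheckExclude = ${BASE}/a/a` without a trailing slash, so the new slash-stripping branch in `sh_suidchk_set_exclude` is never exercised by this test. A second policy or test case using `SuidCheckExclude = ${BASE}/a/a/` with the same expectations in `chk_suiddata_7` would cover it. Separately, `${BASE}` is interpolated into the `egrep` patterns unescaped and `$LOGFILE` is unquoted, so a base path containing regex metacharacters or spaces could make the checks match loosely or fail; quoting it as `"$LOGFILE"` and matching the path with `grep -F` in a second step would tighten that. The three near-identical stanzas in `chk_suiddata_7` could be folded into one helper that takes the path and the expected grep status.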
