Changeset 78
- Timestamp:
- Jan 9, 2007, 10:32:21 PM (18 years ago)
- Location:
- trunk
- Files:
-
- 10 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/configure.ac
r76 r78 202 202 elf.h linux/elf.h \ 203 203 paths.h arpa/nameser.h arpa/nameser_compat.h \ 204 rpc/rpcent.h ,204 rpc/rpcent.h sys/statvfs.h, 205 205 [], 206 206 [], … … 267 267 initgroups getpagesize \ 268 268 ttyname fchmod \ 269 getsid getpriority getpgid 269 getsid getpriority getpgid statvfs 270 270 ) 271 271 AC_CHECK_FUNC(statfs, AC_DEFINE(HAVE_STATFS) statfs="yes", statfs="no") -
trunk/docs/Changelog
r76 r78 1 1 2.3.1: 2 * sh_portcheck.c: make connect errors more descriptive 3 * sh_portcheck.c: fix ignored setting of PortCheckActive 4 * sh_processcheck.c: add statvfs, and wrap for EINTR 5 * sh_portcheck.c: add wrappers for EINTR 6 * report user and executable for hidden processes 7 * fix update failure if reportonlyonce = false (reported 8 by D. Strine) 2 9 * fix compile error in sh_portcheck.c (problem on cygwin 3 10 reported by J. D. Fiori) … … 8 15 * CL option -v|--version for info on version and compiled-in options 9 16 10 2.3.0a :17 2.3.0a (01-11-2006): 11 18 * fix compile failure with portcheck + stealth (reported by lucas) 12 19 -
trunk/include/sh_cat.h
r68 r78 135 135 MSG_PCK_CHECK, 136 136 MSG_PCK_OK, 137 MSG_PCK_P_HIDDEN, 137 138 MSG_PCK_HIDDEN, 138 139 MSG_PCK_FAKE, -
trunk/include/sh_unix.h
r68 r78 259 259 /* Test whether file exists 260 260 */ 261 int sh_unix_file_ stat(char * path);261 int sh_unix_file_exists(char * path); 262 262 263 263 /* test whether file exists with proper attributes 264 264 */ 265 int sh_unix_ file_exists(int fd);265 int sh_unix_device_readable(int fd); 266 266 267 267 /* local host -
trunk/src/sh_cat.c
r68 r78 127 127 { MSG_PCK_CHECK, SH_ERR_NOTICE, RUN, N_("msg=\"Checking processes in pid interval [%ld,%ld]\"")}, 128 128 { MSG_PCK_OK, SH_ERR_ALL, RUN, N_("msg=\"PID %ld found with tests %s\"")}, 129 { MSG_PCK_P_HIDDEN,SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Process] Hidden pid: %ld tests: %s\" path=\"%s\" userid=\"%s\"")}, 129 130 { MSG_PCK_HIDDEN, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Process] Hidden pid: %ld tests: %s\"")}, 130 131 { MSG_PCK_FAKE, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [Process] Fake pid: %ld tests: %s\"")}, … … 441 442 { MSG_PCK_CHECK, SH_ERR_NOTICE, RUN, N_("msg=<Checking processes in pid interval [%ld,%ld]>")}, 442 443 { MSG_PCK_OK, SH_ERR_ALL, RUN, N_("msg=<PID %ld found with tests %s>")}, 444 { MSG_PCK_P_HIDDEN,SH_ERR_SEVERE, EVENT, N_("msg=<POLICY [Process] Hidden pid: %ld tests: %s> path=<%s> userid=<%s>")}, 443 445 { MSG_PCK_HIDDEN, SH_ERR_SEVERE, EVENT, N_("msg=<POLICY [Process] Hidden pid: %ld tests: %s>")}, 444 446 { MSG_PCK_FAKE, SH_ERR_SEVERE, EVENT, N_("msg=<POLICY [Process] Fake pid: %ld tests: %s>")}, -
trunk/src/sh_entropy.c
r32 r78 310 310 { 311 311 /* Test whether file is a character device, and is 312 * not world writeable.313 */ 314 if (0 == sh_unix_ file_exists(fd2))312 * readable. 313 */ 314 if (0 == sh_unix_device_readable(fd2)) 315 315 { 316 316 -
trunk/src/sh_files.c
r77 r78 2077 2077 if (sl_strlen(testpath) == (17 + sl_strlen(fullpath))) 2078 2078 { 2079 if ( 0 != sh_unix_file_stat(testpath))2079 if (S_TRUE == sh_unix_file_exists (testpath)) 2080 2080 { 2081 2081 sh_files_filecheck (class, fullpath, rsrc, &dummy, 1); -
trunk/src/sh_portcheck.c
r76 r78 593 593 char * p; 594 594 char buf[8]; 595 595 #ifndef TEST_ONLY 596 char errmsg[256]; 597 int nerr; 598 #endif 596 599 597 600 /* inet_aton(interface, &haddr); */ … … 601 604 sinr.sin_addr = haddr; 602 605 603 retval = connect(fd, (struct sockaddr *) &sinr, sizeof(sinr)); 606 do { 607 retval = connect(fd, (struct sockaddr *) &sinr, sizeof(sinr)); 608 } while (retval < 0 && errno == EINTR); 609 604 610 if (retval == -1) 605 611 { … … 608 614 perror(_("connect")); 609 615 #else 610 sh_error_handle((-1), FIL__, __LINE__, errno, MSG_E_SUBGEN, 611 sh_error_message(errno), _("connect")); 616 nerr = errno; 617 sl_snprintf(errmsg, sizeof(errmsg), _("check port: %5d/udp on %15s: %s"), 618 port, inet_ntoa(haddr), sh_error_message(errno)); 619 sh_error_handle((-1), FIL__, __LINE__, nerr, MSG_E_SUBGEN, 620 errmsg, _("connect")); 612 621 #endif 613 622 } 614 623 else 615 624 { 616 retval = send (fd, buf, 0, 0); 625 do { 626 retval = send (fd, buf, 0, 0); 627 } while (retval < 0 && errno == EINTR); 617 628 618 629 if (retval == -1 && errno == ECONNREFUSED) … … 624 635 else 625 636 { 626 retval = send (fd, buf, 0, 0); 637 /* Only the second send() may catch the error 638 */ 639 do { 640 retval = send (fd, buf, 0, 0); 641 } while (retval < 0 && errno == EINTR); 642 627 643 if (retval == -1 && errno == ECONNREFUSED) 628 644 { … … 661 677 int retval; 662 678 char * p; 679 #ifndef TEST_ONLY 680 char errmsg[256]; 681 int nerr; 682 #endif 663 683 664 684 … … 669 689 sinr.sin_addr = haddr; 670 690 671 retval = connect(fd, (struct sockaddr *) &sinr, sizeof(sinr)); 691 do { 692 retval = connect(fd, (struct sockaddr *) &sinr, sizeof(sinr)); 693 } while (retval < 0 && errno == EINTR); 694 672 695 if (retval == -1 && errno == ECONNREFUSED) 673 696 { … … 682 705 perror(_("connect")); 683 706 #else 684 sh_error_handle((-1), FIL__, __LINE__, errno, MSG_E_SUBGEN, 685 sh_error_message(errno), _("connect")); 707 nerr = errno; 708 sl_snprintf(errmsg, sizeof(errmsg), _("check port: %5d/tcp on %15s: %s"), 709 port, inet_ntoa(haddr), sh_error_message(errno)); 710 sh_error_handle((-1), FIL__, __LINE__, nerr, MSG_E_SUBGEN, 711 errmsg, _("connect")); 686 712 #endif 687 713 } … … 738 764 if (portchk_debug) 739 765 fprintf(stderr, _("checking ports on: %s\n"), portchk_hostname ? portchk_hostname : _("NULL")); 766 740 767 if (!portchk_hostname) 768 return -1; 769 770 if (sh_portchk_active == S_FALSE) 741 771 return -1; 742 772 … … 767 797 int sh_portchk_reconf () 768 798 { 769 iface_initialized = 0; 799 iface_initialized = 0; 800 801 sh_portchk_active = 1; 802 sh_portchk_check_upd = 1; 770 803 771 804 portlist_udp = sh_portchk_kill_list (portlist_udp); … … 1139 1172 int min_port = 0; 1140 1173 1141 sh_portchk_reset_lists(); 1142 if (0 != geteuid()) 1143 { 1144 min_port = 1024; 1145 #ifdef TEST_ONLY 1146 fprintf(stderr, "** WARNING not scanning ports < 1024\n"); 1147 #else 1148 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN, 1149 _("not scanning ports below 1024"), _("sh_portchk_check")); 1150 #endif 1151 } 1152 if (sh_portchk_check_udp == 1) 1153 sh_portchk_scan_ports_udp(min_port, -1); 1154 sh_portchk_scan_ports_tcp(min_port, -1); 1155 sh_portchk_check_list (&portlist_tcp, "tcp", SH_PORT_REPORT); 1156 if (sh_portchk_check_udp == 1) 1157 sh_portchk_check_list (&portlist_udp, "udp", SH_PORT_REPORT); 1174 if (sh_portchk_active != S_FALSE) 1175 { 1176 sh_portchk_reset_lists(); 1177 if (0 != geteuid()) 1178 { 1179 min_port = 1024; 1180 #ifdef TEST_ONLY 1181 fprintf(stderr, "** WARNING not scanning ports < 1024\n"); 1182 #else 1183 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, 0, MSG_E_SUBGEN, 1184 _("not scanning ports below 1024"), _("sh_portchk_check")); 1185 #endif 1186 } 1187 if (sh_portchk_check_udp == 1) 1188 sh_portchk_scan_ports_udp(min_port, -1); 1189 sh_portchk_scan_ports_tcp(min_port, -1); 1190 sh_portchk_check_list (&portlist_tcp, "tcp", SH_PORT_REPORT); 1191 if (sh_portchk_check_udp == 1) 1192 sh_portchk_check_list (&portlist_udp, "udp", SH_PORT_REPORT); 1193 } 1158 1194 return 0; 1159 1195 } -
trunk/src/sh_processcheck.c
r77 r78 48 48 #endif 49 49 50 #ifdef HAVE_SYS_STATVFS_H 51 #include <sys/statvfs.h> 52 #endif 53 54 50 55 #ifdef HAVE_REGEX_H 51 56 #include <regex.h> … … 58 63 #include "sh_error.h" 59 64 #include "sh_extern.h" 65 #include "sh_calls.h" 60 66 61 67 #ifdef SH_USE_PROCESSCHECK … … 157 163 158 164 static const short SH_PR_PRIORITY = 0x0100; 159 160 static const short SH_PR_PS2 = 0x0200; 161 static const short SH_PR_PS_ANY = 0x0400; 162 static const short SH_PR_ALL = 0x0800; 163 static const short SH_PR_ANY = 0x1000; 165 static const short SH_PR_STATVSF = 0x0200; 166 167 static const short SH_PR_PS2 = 0x1000; 168 static const short SH_PR_PS_ANY = 0x2000; 169 static const short SH_PR_ALL = 0x4000; 170 static const short SH_PR_ANY = 0x8000; 164 171 165 172 /* /proc: … … 168 175 * solaris10: /proc/pid/path/a.out 169 176 */ 177 static char * get_user_and_path (pid_t pid, char * user, size_t usrlen) 178 { 179 extern char * sh_unix_getUIDname (int level, uid_t uid); 180 181 char path[128]; 182 char * buf; 183 struct stat sbuf; 184 int len; 185 char * tmp; 186 187 sl_snprintf (path, sizeof(path), "/proc/%ld/exe", (unsigned long) pid); 188 189 if (0 == retry_lstat(FIL__, __LINE__, path, &sbuf) && S_ISLNK(sbuf.st_mode)) 190 { 191 goto linkread; 192 } 193 194 sl_snprintf (path, sizeof(path), "/proc/%ld/file", (unsigned long) pid); 195 196 if (0 == retry_lstat(FIL__, __LINE__, path, &sbuf) && S_ISLNK(sbuf.st_mode)) 197 { 198 goto linkread; 199 } 200 201 sl_snprintf (path, sizeof(path), "/proc/%ld/path/a.out", (unsigned long) pid); 202 203 if (0 == retry_lstat(FIL__, __LINE__, path, &sbuf) && S_ISLNK(sbuf.st_mode)) 204 { 205 goto linkread; 206 } 207 208 return NULL; 209 210 linkread: 211 212 buf = SH_ALLOC(PATH_MAX); 213 len = readlink(path, buf, PATH_MAX); /* flawfinder: ignore */ 214 len = (len >= PATH_MAX) ? (PATH_MAX-1) : len; 215 216 if (len > 0) 217 { 218 buf[len] = '\0'; 219 } 220 else 221 { 222 SH_FREE(buf); 223 return NULL; 224 } 225 226 tmp = sh_unix_getUIDname (SH_ERR_ALL, sbuf.st_uid); 227 228 if (tmp) 229 sl_strlcpy(user, tmp, usrlen); 230 else 231 sl_snprintf (user, usrlen, "%ld", (unsigned long) sbuf.st_uid); 232 233 return buf; 234 } 235 170 236 171 237 struct watchlist { … … 483 549 size_t value; 484 550 char * foo; 485 int retval = 0;551 int retval = -1; 486 552 487 553 SL_ENTER(_("sh_prochk_set_maxpid")); 488 554 489 555 value = (size_t) strtoul(str, &foo, 0); 490 if (*foo != '\0') { 491 retval = -1; 492 } else { 556 557 if (*foo == '\0' && SL_TRUE == sl_ok_adds(value, 1)) { 493 558 sh_prochk_maxpid = value + 1; 494 559 userdef_maxpid = 1; … … 593 658 if (res & SH_PR_GETPGID) sl_strlcat(list, _(" getpgid"), len); 594 659 if (res & SH_PR_KILL) sl_strlcat(list, _(" kill"), len); 660 if (res & SH_PR_STATVSF) sl_strlcat(list, _(" statvfs"), len); 595 661 if (res & SH_PR_PS2) sl_strlcat(list, _(" ps(final)"), len); 596 662 return; 597 663 } 598 664 599 /* FIXME: add open, statvfs, sched_getaffinity 600 */ 665 601 666 static short sh_processes_check (pid_t pid, short res) 602 667 { 668 int retval; 603 669 int have_checks = 0; 604 670 int need_checks = 0; … … 608 674 DIR * dir; 609 675 #endif 676 #ifdef HAVE_STATVFS 677 struct statvfs vfsbuf; 678 #endif 610 679 611 680 #if !defined(sun) && !defined(__sun) && !defined(__sun__) … … 624 693 ++need_checks; 625 694 } 695 626 696 627 697 #ifdef HAVE_GETPGID … … 666 736 sl_snprintf (path, sizeof(path), "/proc/%ld", (unsigned long) pid); 667 737 668 if (0 == lstat (path, &buf))738 if (0 == retry_lstat (FIL__, __LINE__, path, &buf)) 669 739 { 670 740 res |= SH_PR_LSTAT; res |= SH_PR_ANY; ++have_checks; … … 678 748 } 679 749 ++need_checks; 750 751 #ifdef HAVE_STATVFS 752 do { 753 retval = statvfs (path, &vfsbuf); 754 } while (retval < 0 && errno == EINTR); 755 756 if (0 == retval) 757 { 758 res |= SH_PR_STATVSF; res |= SH_PR_ANY; ++have_checks; 759 } 760 ++need_checks; 761 #endif 680 762 681 763 #if !defined(SH_PROFILE) … … 972 1054 if (S_FALSE == is_in_list(&list_hidden, NULL, i)) 973 1055 { 974 sh_error_handle(sh_prochk_severity, FIL__, __LINE__, 0, 975 MSG_PCK_HIDDEN, 976 (unsigned long) i, tests); 1056 char user[16]; 1057 char * aout; 1058 char * safe; 1059 1060 aout = get_user_and_path ((pid_t) i, user, sizeof(user)); 1061 1062 if (aout) 1063 { 1064 safe = sh_util_safe_name (aout); 1065 sh_error_handle(sh_prochk_severity, FIL__, __LINE__, 0, 1066 MSG_PCK_P_HIDDEN, 1067 (unsigned long) i, tests, safe, user); 1068 SH_FREE(safe); 1069 SH_FREE(aout); 1070 } 1071 else 1072 sh_error_handle(sh_prochk_severity, FIL__, __LINE__, 0, 1073 MSG_PCK_HIDDEN, 1074 (unsigned long) i, tests); 1075 977 1076 } 978 1077 } -
trunk/src/sh_unix.c
r76 r78 3833 3833 /* Test whether file exists 3834 3834 */ 3835 int sh_unix_file_ stat(char * path)3835 int sh_unix_file_exists(char * path) 3836 3836 { 3837 3837 struct stat buf; 3838 3838 3839 SL_ENTER(_("sh_unix_file_ stat"));3839 SL_ENTER(_("sh_unix_file_exists")); 3840 3840 3841 3841 if (-1 == retry_stat(FIL__, __LINE__, path, &buf)) 3842 SL_RETURN( (0), _("sh_unix_file_stat"));3842 SL_RETURN( S_FALSE, _("sh_unix_file_exists")); 3843 3843 else 3844 SL_RETURN( (-1), _("sh_unix_file_stat"));3845 } 3846 3847 3848 /* Test whether file exists, is a character device, a llows read3849 * access , and is not world writeable.3844 SL_RETURN( S_TRUE, _("sh_unix_file_exists")); 3845 } 3846 3847 3848 /* Test whether file exists, is a character device, and allows read 3849 * access. 3850 3850 */ 3851 int sh_unix_ file_exists(int fd)3851 int sh_unix_device_readable(int fd) 3852 3852 { 3853 3853 struct stat buf; 3854 3854 3855 SL_ENTER(_("sh_unix_ file_exists"));3855 SL_ENTER(_("sh_unix_device_readable")); 3856 3856 3857 3857 if (retry_fstat(FIL__, __LINE__, fd, &buf) == -1) 3858 SL_RETURN( (-1), _("sh_unix_file_exists")); 3859 else if ( S_ISCHR(buf.st_mode) && 0 != (S_IROTH & buf.st_mode) 3860 /* 3861 * #if !defined(__CYGWIN32__) && !defined(__CYGWIN__) 3862 * && 0 == (S_IWOTH & buf.st_mode) 3863 * #endif 3864 */ 3865 ) 3866 SL_RETURN( (0), _("sh_unix_file_exists")); 3858 SL_RETURN( (-1), _("sh_unix_device_readable")); 3859 else if ( S_ISCHR(buf.st_mode) && 0 != (S_IROTH & buf.st_mode) ) 3860 SL_RETURN( (0), _("sh_unix_device_readable")); 3867 3861 else 3868 SL_RETURN( (-1), _("sh_unix_ file_exists"));3862 SL_RETURN( (-1), _("sh_unix_device_readable")); 3869 3863 } 3870 3864
Note:
See TracChangeset
for help on using the changeset viewer.