checksecurity 2.0.16+nmu1ubuntu1 / usr / share / checksecurity / check-setuid

#!/bin/sh
#
# Check-setuid checksecurity plugin 
#
# This script is designed to find the setuid files present on the system
# 
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file 
# '/etc/checksecurity/check-setuid.conf'.
#
# Copyright (C) 2003-2005 Steve Kemp <skx@debian.org>
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

set -e

PATH=/sbin:/bin:/usr/sbin:/usr/bin


umask 027
cd /

if [ -e /etc/checksecurity/check-setuid.conf ]
then
   . /etc/checksecurity/check-setuid.conf
fi

if [ `/usr/bin/id -u` != 0 ] ; then
   echo "Only root has permission to run this script"
   exit 1
fi

TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp

#
# Check for NFS/AFS mounts that are not nosuid/nodev
#
if [ ! "$CHECKSECURITY_NONFSAFS" = "TRUE" ] ; then
   # temporarily disable error exit, as grep may give errors if no nfs/afs
   # are mounted.
   set +e
   nfssys=`mount | grep -E 'type (nfs|afs)' | grep -vE '\(.*(nosuid|noexec).*nodev.*\)'`
   nfssyscnt=`echo $nfssys |grep "[a-z]"| wc -l`
   set -e
   if [ $nfssyscnt -gt 0 ] ; then
      echo "The following NFS or AFS filesystems are mounted insecurely:"
      echo ""
      echo $nfssys
      echo ""
      echo "If this is intentional and you have supreme confidence in the"
      echo "security of the server for these file systems, you may disable"
      echo "this message by editing the value of CHECKSECURITY_NONFSAFS in"
      echo "the file /etc/checksecurity/check-setuid.conf."
   fi
fi

if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
	exec 9>&2
	exec 2>/dev/null
fi

# Guard against undefined vars
[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
if [ ! -e "$LOGDIR" ] ; then
    echo "ERROR: Log directory $LOGDIR does not exist"
    exit 1
fi

if [ -n "$CHECKSECURITY_PATHFILTER" ]; then
	PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o"
else
	PATHCHK=" -prune -o"
fi

if [ -n "$CHECKSECURITY_DEVICEFILTER" ]; then
	DEVCHK="-a -not ( $CHECKSECURITY_DEVICEFILTER )"
else
	DEVCHK=""
fi


# This is the only way to pass '*' through a variable (NODEVDIRS)  -- Marc
set -o noglob
ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
        -ignore_readdir_race  \
	-xdev $PATHCHK \
	\( -type f -perm /06000 -o \( \( -type b -o -type c \) \
	$DEVCHK \) \) \
	-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
	sort -k 12 >$TMPSETUID
set +o noglob

if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
	exec 2>&9
fi

cd $LOGDIR

test -f setuid.today || touch setuid.today

if cmp -s setuid.today $TMPSETUID >/dev/null
then
    :
else
	diff -U0 setuid.today $TMPSETUID >> $TMPDIFF || [ $? = 1 ]
	echo "`hostname` changes to setuid programs and devices:" 
	cat $TMPDIFF 
	
	if [ `cat $TMPDIFF | wc -l` -gt 0 -a ! -z "$CHECKSECURITY_EMAIL" ]; then
		/usr/bin/mail -s "Setuid changes for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDIFF
	fi
	
        # Log the changes
        cp $TMPDIFF setuid.changes
	mv setuid.today setuid.yesterday
	mv $TMPSETUID setuid.today
        chown root:adm setuid.today
fi
rm -f $TMPDIFF
rm -f $TMPSETUID

exit 0