authorMichael Boelen <michael.boelen@cisofy.com>2019-07-12 14:05:43 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2019-07-12 14:05:43 +0300
commit0f80fa07aa3ef9f412a3d72cda433839fe8238df (patch)
treea8b4bb680b4a35352612c2c08bd86aff1c11355d /include
parent21f9a18e8b4bf8441e1fb9d07bba414f97013840 (diff)
New function SafeFile
Diffstat (limited to 'include')
-rw-r--r--include/functions51
1 files changed, 51 insertions, 0 deletions
diff --git a/include/functions b/include/functions
index 140e7d9d..06f77c67 100644
--- a/include/functions
+++ b/include/functions
@@ -88,6 +88,7 @@
# ReportManual Log manual actions to report file
# ReportSuggestion Add a suggestion to report file
# ReportWarning Add a warning and priority to report file
+# SafeFile Security tests to perform on a file before using it
# SafePerms Check if a file has safe permissions
# SafeInput Test provided string to see if it contains unwanted characters
# SearchItem Search a string in a file
@@ -2611,6 +2612,56 @@
}
+ ################################################################################
+ # Name : SafeFile()
+ # Description : Check if a file is safe to use
+ #
+ ################################################################################
+
+ SafeFile() {
+ unsafe=0
+ if [ $# -ne 1 ]; then
+ ExitFatal "No argument or too many arguments provided to SafeFile()"
+ else
+ FILE="$1"
+
+ # Generic checks
+ if [ -g "${FILE}" ]; then
+ LogText "Security alert: file has setgid attribute"
+ unsafe=1
+ # sticky bit
+ elif [ -k "${FILE}" ]; then
+ LogText "Security alert: file has sticky bit"
+ unsafe=1
+ # symbolic link
+ elif [ -L "${FILE}" ]; then
+ LogText "Security alert: file is a symbolic link"
+ unsafe=1
+ elif [ -f "${FILE}" ]; then
+ LogText "Security check: file is normal"
+ else
+ unsafe=1
+ fi
+
+ # Perform additional checks based on privilege level
+ if [ ${PRIVILEGED} -eq 0 ]; then
+ # File is not owned by active user, but still able to write
+ if [ ! -O "${FILE}" -a -w "${FILE}" ]; then
+ unsafe=1
+ LogText "Security alert: file is not owned by active user, but can write to it"
+ fi
+ fi
+
+ # Check file permissions
+ if ! SafePerms "${FILE}"; then
+ unsafe=1
+ fi
+
+ fi
+
+ return ${unsafe}
+ }
+
################################################################################
# Name : SafePerms()