Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 99111289c9627b8c2203c3defb7cd5e358f70c53 / . / meta-security / recipes-security / redhat-security / files / rpm-drop-groups.sh
blob: 8c757834ba0db49b6c42a42d8c6d3e8173f995ec [file] [log] [blame]
Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +0530[diff] [blame]1#!/bin/sh
2# rpm-drop-groups
3#
4# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
5# sgrubb@redhat.com
6#
7# This software may be freely redistributed under the terms of the GNU
8# public license.
9#
10# You should have received a copy of the GNU General Public License
11# along with this program; if not, write to the Free Software
12# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
13#
14# Given an rpm, it will look at each file to check if it tries to change
15# group and user credentials. If so, it further tries to determine if
16# it also calls setgroups or initgroups. To correctly change groups, the
17# program must drop supplemntal groups. Programs are classified into: n/a
18# meaning no group dropping occurs, yes its done correctly, and no meaning
19# there seems to be a problem.
20#
21# If the --all option is given, it will generate a list of rpms and then
22# summarize the rpm's state. For yes, then all files are in the expected
23# state. Just one program failing can turn the package's summary to no.
24# Re-run passing that package (instead of --all) for the details.
25#
26# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
27
28VERSION="0.1"
29
30usage () {
31 echo "rpm-drop-groups [--all|<rpmname>|--version]"
32 exit 0
33}
34
35if [ "$1" = "--help" -o $# -eq 0 ] ; then
36 usage
37fi
38if [ "$1" = "--version" ] ; then
39 echo "rpm-drop-groups $VERSION"
40 exit 0
41fi
42if [ "$1" = "--all" ] ; then
43 MODE="all"
44else
45 MODE="single"
46fi
47
48do_one () {
49if ! rpm -q $1 >/dev/null 2>&1 ; then
50 if [ "$MODE" = "single" ] ; then
51 echo "$1 is not installed"
52 exit 1
53 else
54 echo "not installed"
55 return
56 fi
57fi
58files=`rpm -ql $1`
59
60for f in $files
61do
62 if [ ! -f $f ] ; then
63 continue
64 fi
65 if ! file $f | grep -q 'ELF'; then
66 continue
67 fi
68
69 CORRECT="n/a"
70 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
71 if [ x"$syms" != "x" ] ; then
72 CORRECT="yes"
73 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
74 if [ x"$syms" != "x" ] ; then
75 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
76 if [ x"$syms" = "x" ] ; then
77 syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
78 if [ x"$syms" = "x" ] ; then
79 CORRECT="no"
80 fi
81 fi
82 fi
83 fi
84
85 # OK, ready for the output
86 if [ "$MODE" = "single" ] ; then
87 printf "%-60s " $f
88 if [ "$CORRECT" = "yes" ] ; then
89 printf "\033[32m%-7s\033[m " $CORRECT
90 elif [ "$CORRECT" = "no" ] ; then
91 printf "\033[31m%-7s\033[m " $CORRECT
92 else
93 printf "\033[33m%-7s\033[m " $CORRECT
94 fi
95 echo
96 else
97 if [ "$CORRECT" = "no" ] ; then
98 CORRECT_SUM="no"
99 fi
100 fi
101done
102}
103
104if [ "$MODE" = "single" ] ; then
105 printf "%-60s%-7s" "FILE" "CORRECT"
106 echo
107 for i; do
108 do_one $1
109 shift
110 done
111 exit 0
112fi
113
114packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
115printf "%-50s %-7s" "PACKAGE" "CORRECT"
116echo
117for p in $packages
118do
119 CORRECT_SUM="yes"
120 printf "%-50s " $p
121 do_one $p
122 if [ "$CORRECT_SUM" = "yes" ] ; then
123 printf "\033[32m%-7s\033[m " $CORRECT_SUM
124 else
125 printf "\033[31m%-7s\033[m " $CORRECT_SUM
126 fi
127 echo
128done
129exit 0
130
131