Squashed 'import-layers/meta-security/' content from commit 4d139b9
Subtree from git://git.yoctoproject.org/meta-security
Change-Id: I14bb13faa3f2b2dc1f5d81b339dd48ffedf8562f
git-subtree-dir: import-layers/meta-security
git-subtree-split: 4d139b95c4f152d132592f515c5151f4dd6269c1
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh b/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh
new file mode 100644
index 0000000..8c75783
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+# rpm-drop-groups
+#
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check if it tries to change
+# group and user credentials. If so, it further tries to determine if
+# it also calls setgroups or initgroups. To correctly change groups, the
+# program must drop supplemntal groups. Programs are classified into: n/a
+# meaning no group dropping occurs, yes its done correctly, and no meaning
+# there seems to be a problem.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one program failing can turn the package's summary to no.
+# Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.1"
+
+usage () {
+ echo "rpm-drop-groups [--all|<rpmname>|--version]"
+ exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+ usage
+fi
+if [ "$1" = "--version" ] ; then
+ echo "rpm-drop-groups $VERSION"
+ exit 0
+fi
+if [ "$1" = "--all" ] ; then
+ MODE="all"
+else
+ MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+ if [ "$MODE" = "single" ] ; then
+ echo "$1 is not installed"
+ exit 1
+ else
+ echo "not installed"
+ return
+ fi
+fi
+files=`rpm -ql $1`
+
+for f in $files
+do
+ if [ ! -f $f ] ; then
+ continue
+ fi
+ if ! file $f | grep -q 'ELF'; then
+ continue
+ fi
+
+ CORRECT="n/a"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ CORRECT="yes"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+ if [ x"$syms" = "x" ] ; then
+ CORRECT="no"
+ fi
+ fi
+ fi
+ fi
+
+ # OK, ready for the output
+ if [ "$MODE" = "single" ] ; then
+ printf "%-60s " $f
+ if [ "$CORRECT" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT
+ elif [ "$CORRECT" = "no" ] ; then
+ printf "\033[31m%-7s\033[m " $CORRECT
+ else
+ printf "\033[33m%-7s\033[m " $CORRECT
+ fi
+ echo
+ else
+ if [ "$CORRECT" = "no" ] ; then
+ CORRECT_SUM="no"
+ fi
+ fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+ printf "%-60s%-7s" "FILE" "CORRECT"
+ echo
+ for i; do
+ do_one $1
+ shift
+ done
+ exit 0
+fi
+
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
+printf "%-50s %-7s" "PACKAGE" "CORRECT"
+echo
+for p in $packages
+do
+ CORRECT_SUM="yes"
+ printf "%-50s " $p
+ do_one $p
+ if [ "$CORRECT_SUM" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT_SUM
+ else
+ printf "\033[31m%-7s\033[m " $CORRECT_SUM
+ fi
+ echo
+done
+exit 0
+
+