/svn/athena r23491 - in trunk/debathena/config/linerva: debian files/usr files/usr/sbin
daemon@ATHENA.MIT.EDU (Gregory Nathan Price)
Sat Feb 28 18:57:52 2009
Date: Sat, 28 Feb 2009 18:57:05 -0500
From: Gregory Nathan Price <price@MIT.EDU>
Message-Id: <200902282357.n1SNv54J029411@drugstore.mit.edu>
To: source-commits@mit.edu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: price
Date: 2009-02-28 18:57:04 -0500 (Sat, 28 Feb 2009)
New Revision: 23491
Added:
trunk/debathena/config/linerva/files/usr/sbin/
trunk/debathena/config/linerva/files/usr/sbin/linerva-clean-setugid
Modified:
trunk/debathena/config/linerva/debian/changelog
trunk/debathena/config/linerva/debian/debathena-linerva.postinst
Log:
linerva: pull out setuid/setgid cleanup into a script; also whitelist, not blacklist
Modified: trunk/debathena/config/linerva/debian/changelog
===================================================================
--- trunk/debathena/config/linerva/debian/changelog 2009-02-28 23:31:05 UTC (rev 23490)
+++ trunk/debathena/config/linerva/debian/changelog 2009-02-28 23:57:04 UTC (rev 23491)
@@ -3,8 +3,9 @@
* cut commented code
* EDIT_MOTD no longer exists in /etc/default/rcS
* use DEB_TRANSFORM_FILES rather than sed -i in postinst
+ * pull out setuid/setgid cleanup into a script; whitelist, not blacklist
- -- Greg Price <price@mit.edu> Sat, 28 Feb 2009 16:40:36 -0500
+ -- Greg Price <price@mit.edu> Sat, 28 Feb 2009 18:48:50 -0500
debathena-linerva (1.12) unstable; urgency=low
Modified: trunk/debathena/config/linerva/debian/debathena-linerva.postinst
===================================================================
--- trunk/debathena/config/linerva/debian/debathena-linerva.postinst 2009-02-28 23:31:05 UTC (rev 23490)
+++ trunk/debathena/config/linerva/debian/debathena-linerva.postinst 2009-02-28 23:57:04 UTC (rev 23491)
@@ -20,12 +20,6 @@
#DEBHELPER#
-lose_setuid()
-{
- file=$1
- dpkg-statoverride --update --add root root 755 "$file"
-}
-
case "$1" in
configure)
chmod 700 /root
@@ -41,59 +35,9 @@
chown logcheck /var/lock/logcheck/
chmod 750 /etc/logcheck
- lose_setuid /usr/bin/newgrp
- lose_setuid /usr/bin/chage
- lose_setuid /usr/bin/expiry
- lose_setuid /usr/bin/dotlockfile
- lose_setuid /usr/bin/lockfile
- lose_setuid /usr/bin/ksu
- lose_setuid /usr/bin/sudo
- lose_setuid /usr/lib/pt_chown
- lose_setuid /usr/lib/emacs/21.4/i386-linux/movemail
- lose_setuid /usr/lib/openssh/ssh-keysign
- lose_setuid /usr/lib/ssh-keysign
- lose_setuid /usr/sbin/pppd
- lose_setuid /usr/sbin/pppoe
- lose_setuid /usr/sbin/utempter
- lose_setuid /usr/X11R6/bin/X
- lose_setuid /bin/su
- lose_setuid /bin/ping6
- lose_setuid /sbin/unix_chkpwd
- lose_setuid /usr/bin/crontab
- lose_setuid /usr/bin/procmail
- lose_setuid /usr/bin/at
-
- # Fix chfn, chsh to no longer be setuid.
- lose_setuid /usr/bin/chfn.debathena-orig
- lose_setuid /usr/bin/chfn
- lose_setuid /usr/bin/chsh.debathena-orig
- lose_setuid /usr/bin/chsh
-
- lose_setuid /usr/bin/passwd
- lose_setuid /usr/bin/bsd-write
- lose_setuid /usr/lib/libfakeroot-tcp.so.0.0.1
- lose_setuid /usr/lib/libfakeroot-sysv.so.0.0.1
- lose_setuid /usr/bin/gpg
- lose_setuid /usr/bin/screen
- lose_setuid /usr/bin/gpasswd
- lose_setuid /bin/mount
- lose_setuid /bin/umount
- lose_setuid /usr/bin/ssh-agent
- lose_setuid /bin/login
- lose_setuid /usr/X11R6/bin/xterm
- lose_setuid /usr/bin/wall
-
- lose_setuid /usr/lib/apache2/suexec
- lose_setuid /usr/bin/lppasswd
-
chmod a=rwx,o+t /var/run/screen # So that screen works without setuid.
- echo ""
- echo "Displaying Current setuid binaries:"
- find / -xdev -type f -perm +4000 -print 2> /dev/null
- echo ""
- echo "Displaying Current setgid binaries:"
- find / -xdev -type f -perm +2000 -print 2> /dev/null
+ linerva-clean-setugid --clean
if hash invoke-rc.d; then
invoke-rc.d openafs-client restart
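Review bot: Replacing the `lose_setuid` calls with `linerva-clean-setugid --clean` drops the dpkg-statoverride registration, which was what made the permission change survive package upgrades; the new script (added in this commit's third file section) only runs chmod, so the next upgrade of a package owning one of these binaries, e.g. passwd or openssh-client, reinstalls the setuid bit and it stays until this postinst happens to run again. The script should keep recording an override for each file it strips, e.g. `dpkg-statoverride --update --add root root "$(printf '%o' "$(( 0$(stat -c %a "$f") & 01777 ))")" "$f"`, or at least `dpkg-statoverride --update --add root root 755 "$f"` as the removed helper did. The call also relies on /usr/sbin being on PATH during configure, which is usually true for maintainer scripts but worth making explicit as `/usr/sbin/linerva-clean-setugid --clean`. The configure case continues outside this hunk.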
Added: trunk/debathena/config/linerva/files/usr/sbin/linerva-clean-setugid
===================================================================
--- trunk/debathena/config/linerva/files/usr/sbin/linerva-clean-setugid 2009-02-28 23:31:05 UTC (rev 23490)
+++ trunk/debathena/config/linerva/files/usr/sbin/linerva-clean-setugid 2009-02-28 23:57:04 UTC (rev 23491)
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+list_bad_setuid () {
+ find / -xdev -type f -perm +4000 -print 2> /dev/null \
+ | diff --old-line-format= --unchanged-line-format= /dev/fd/3 - 3<<EOF
+#for pyhesiodfs
+/usr/bin/fusermount
+#for athmode
+/usr/bin/schroot
+#network utilities
+/usr/bin/traceroute.lbl
+/usr/bin/traceroute6
+/usr/bin/mtr
+/bin/ping6
+/bin/ping
+EOF
+}
+
+list_bad_setgid () {
+ find / -xdev -type f -perm +2000 \
+ -not -group mit -not -group games -print 2> /dev/null \
+ | diff --old-line-format= --unchanged-line-format= /dev/fd/3 - 3<<EOF
+#for attachtab
+/usr/bin/quota.debathena
+/bin/attach
+EOF
+}
+
+case "$1" in
+ --list|"")
+ echo "Unexpected setuid files:"
+ ls -l $(list_bad_setuid)
+ echo
+ echo "Unexpected setgid files:"
+ ls -l $(list_bad_setgid)
+ echo
+ echo "Run $0 --clean to fix these."
+ ;;
+
+ --clean)
+ setuid="$(list_bad_setuid)"
+ setgid="$(list_bad_setgid)"
+ echo "Unexpected setuid files:"
+ ls -l $setuid
+ echo
+ echo "Unexpected setgid files:"
+ ls -l $setgid
+ echo
+ chmod u-s $setuid
+ chmod g-s $setgid
+ ;;
+
+ *)
+ echo "Huh? Try --list or --clean." >&2
+ exit 2
+ ;;
+esac
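Review bot: The allowlist comparison in list_bad_setuid and list_bad_setgid is order-sensitive: `diff` aligns its two inputs as sequences, so an allowlisted path that find emits at a different position than the heredoc lists it falls outside the common subsequence and is printed as unexpected, and under `--clean` that path then has its setuid or setgid bit stripped (find's output follows directory traversal order, which need not match the heredoc order, so /bin/ping and /bin/ping6 listed after the /usr/bin entries are the likely victims). Sorting both sides and using `comm -13` makes the result independent of order, as below; the `#` comment lines exist only on the allowlist side and are suppressed by `-1`. Separately, in the `--clean` arm an empty result leaves `chmod u-s $setuid` with no operand, so the script exits non-zero and a `set -e` caller such as the postinst fails, while `ls -l` with no operand lists the current directory; guard each with `[ -n "$setuid" ] &&` or iterate the lines with `while IFS= read -r f`. The unquoted `$setuid`/`$setgid` and `$(list_bad_setuid)` expansions also word-split on paths containing whitespace.
```shell
list_bad_setuid () {
  LC_ALL=C sort <<EOF | comm -13 - <(find / -xdev -type f -perm +4000 -print 2> /dev/null | LC_ALL=C sort)
# … unchanged: allowlisted setuid paths …
EOF
}

list_bad_setgid () {
  LC_ALL=C sort <<EOF | comm -13 - <(find / -xdev -type f -perm +2000 \
    -not -group mit -not -group games -print 2> /dev/null | LC_ALL=C sort)
# … unchanged: allowlisted setgid paths …
EOF
}
# … unchanged: case "$1" dispatch …
```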
Property changes on: trunk/debathena/config/linerva/files/usr/sbin/linerva-clean-setugid
___________________________________________________________________
Name: svn:executable
+ *