Re: security permissions issues - bash
Just some additions:
- instead of the long chmod command, you can use the numeric notation 700. This means that for the owner it's rwx ( 2²+2¹+2⁰ = 7 ), and no permissions for group and world. So, owner - group - world needs three bytes. The often seen 644 ( rw-r--r-- ) can be calculated the same way ( 2²+2¹+0 = 6, 2²+0+0 = 4 etc ).
- you already know that /var/log exists, but if it didn't, 'mkdir -p /var/log/blah' would not result in an error, but would create the entire path.
-
Re: security permissions issues - bash
 Originally Posted by nrickert
In a shell script:
Code:
command1 && command2
just runs "command1" and if that is successful, then it runs "command2".
In this case, I use parentheses "(" and ")" so that the commands run in a subshell. That is so that the umask command only affects the subshell and does not affect the rest of your script after that line. However, affecting the rest of the script might be harmless or even good in this case. But that would be for you to decide.
The main point, though, is the use of "umask" to set permissions. The way that you were setting permissions, was to first create the file, and then change to restrictive permissions. That leaves a few milliseconds where the file or directory exists with weak permissions, and maybe a clever hacker could exploit that. Using "umask" makes sure that the file or directory is created with the restrictive permissions, which avoids those few milliseconds.
I see your point. I've adapted that into the code. Also, it creates text files.
Code:
#create VirusVault folder if not present
if [[ ! -d "/var/log/VirusVault" ]]; then
    printf "creating VirusVault\n"
    #chmod u=rwx,g=,o= /var/log/VirusVault
    ( umask 077 && mkdir /var/log/VirusVault )
fi
So, this should be put in as well.
Code:
#create VirusScanLog file if not present
if [[ ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
    printf "creating VirusScanLog\n"
    #chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
    ( umask 077 && touch /var/log/VirusVault/VirusScanLog.txt )
    printf "\n..... Virus Scan Log .....\n" >> "/var/log/VirusVault/VirusScanLog.txt"
    printf "_____________________________________________________________________\n\n" >> "/var/log/VirusVault/VirusScanLog.txt"
fi
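Added example, not code from the thread: what umask 077 produces at creation time, beside the mkdir-then-chmod order nrickert describes. A new directory starts from 0777 and a new regular file from 0666, and the umask bits are cleared from that base, so the directories come out 0700 while the text files come out 0600. Assumes GNU coreutils (stat -c); the VirusVault names are taken from the thread, the temp tree is constructed.

```shell
#!/bin/bash
# mode_after_umask BASE MASK: the octal mode a new object gets (both arguments
# in octal with a leading 0, e.g. 0666 077, the way umask itself is written)
mode_after_umask() {
    printf '%03o\n' $(( $1 & ~$2 ))
}

# create_with_umask MASK ROOT: the thread's "( umask MASK && mkdir ... )" form,
# extended with a touch; prints "<dir-mode> <file-mode>" as stat reports them.
# The umask runs in a subshell, so the caller's own umask is untouched.
create_with_umask() {
    local mask=$1 root=$2
    ( umask "$mask" && mkdir "$root/VirusVault" \
        && touch "$root/VirusVault/VirusScanLog.txt" )
    printf '%s %s\n' "$(stat -c %a "$root/VirusVault")" \
                     "$(stat -c %a "$root/VirusVault/VirusScanLog.txt")"
}

# create_then_chmod ROOT: the original order, mkdir first and chmod afterwards;
# prints "<mode before chmod> <mode after chmod>". The first value is what the
# directory carried during the window between the two commands.
create_then_chmod() {
    local root=$1 before
    ( umask 022 && mkdir "$root/Vault" )    # 022 is a common default umask
    before=$(stat -c %a "$root/Vault")
    chmod u=rwx,g=,o= "$root/Vault"
    printf '%s %s\n' "$before" "$(stat -c %a "$root/Vault")"
}

demo() {
    local tmp; tmp=$(mktemp -d)             # constructed throwaway tree
    echo "dir  0777 & ~077 = $(mode_after_umask 0777 077)"
    echo "file 0666 & ~077 = $(mode_after_umask 0666 077)"
    echo "umask first (dir file):      $(create_with_umask 077 "$tmp")"
    echo "chmod after (before after):  $(create_then_chmod "$tmp")"
    rm -rf "$tmp"
}
demo
```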
-
Re: security permissions issues - bash
 Originally Posted by Knurpht
Just some additions:
- instead of the long chmod command, you can use the numeric notation 700. This means that for the owner it's rwx ( 2²+2¹+2⁰ = 7 ), and no permissions for group and world. So, owner - group - world needs three bytes. The often seen 644 ( rw-r--r-- ) can be calculated the same way ( 2²+2¹+0 = 6, 2²+0+0 = 4 etc ).
- you already know that /var/log exists, but if it didn't, 'mkdir -p /var/log/blah' would not result in an error, but would create the entire path.
I'm very aware of this method to set permissions, but this is much more readable. 
Code:
chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
Thanks for the tip. I was able to clip out more code.
Code:
#create VirusVault and VirusFound folder if not present
if [[ ! -d "/var/log/VirusVault" ]] || [[ ! -d "/var/log/VirusVault/VirusFound" ]]; then
    printf "Creating folders VirusVault and VirusFound\n"
    #chmod u=rwx,g=,o= /var/log/VirusVault
    ( umask 077 && mkdir -p /var/log/VirusVault/VirusFound )
fi
-
Re: security permissions issues - bash
 Originally Posted by nrickert
If I were writing that script, I would probably change those two lines to:
Code:
( umask 077 && mkdir /var/log/VirusVault )
That is a nice solution when you want this umask only for that command, without changing the umask for the rest of your script.
When one has a rather large/complicated script and one wants to have tight permissions set on all the files created in that script, my advice would be to have
as one of the first statements in the script.
It would then influence all the file creations in the script regardless of whether it is done directly or in child processes started from commands in the script. Especially nice to have when making changes to the script: no need to worry about forgetting to use that mkdir construct again and again.
It would of course be completely independent and not alter the umask of the parent process of your executing script.
Henk van Velden
-
Re: security permissions issues - bash
 Originally Posted by hcvv
That is a nice solution when you want this umask only for that command, without changing the umask for the rest of your script.
When one has a rather large/complicated script and one wants to have tight permissions set on all the files created in that script, my advice would be to have
as one of the first statements in the script.
It would then influence all the file creations in the script regardless of whether it is done directly or in child processes started from commands in the script. Especially nice to have when making changes to the script: no need to worry about forgetting to use that mkdir construct again and again.
It would of course be completely independent and not alter the umask of the parent process of your executing script.
I fixed it, clipping more excess code. So, any umask set will be removed on exit from the script. Thanks for the tip.
-
Re: security permissions issues - bash
 Originally Posted by lord_valarian
So, any umask set will be removed on exit from the script.
That is either a very sloppy remark or you do not understand it.
Every process has a process environment and umask is part of it. There is always a umask in the environment; it cannot be "removed".
- The process environment, and thus the umask, is inherited by a child process.
- Items in the environment, including the umask, can be altered by a child process.
- When the child process exits, the parent process runs on with its original environment, including the original umask, because nothing from a child process environment goes backwards/upwards to the environment of the parent process.
Henk van Velden
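Added example, not code from the thread: the three points above run as shell functions. Each one sets a umask, starts children with "sh -c", and prints the value the relevant process ends up with, normalized to three octal digits because shells print it slightly differently. Assumes a POSIX sh on PATH and GNU coreutils (stat -c) for the last function; the temp directory is constructed.

```shell
#!/bin/bash
# normalize_umask STRING: "0022" or "022" -> "022" (leading 0 means octal)
normalize_umask() {
    printf '%03o\n' $(( $1 ))
}

# A child changes its own umask; the parent's value is untouched afterwards,
# because nothing in a child's environment flows back up.
parent_after_child() {
    umask 022
    sh -c 'umask 077'
    normalize_umask "$(umask)"
}

# A child starts with whatever the parent had, without being told.
child_inherits() {
    umask 027
    normalize_umask "$(sh -c umask)"
}

# A change made in the child is seen by the child's own children: this is why
# one "umask 077" near the top of a script also covers mkdir, touch and every
# other command the script starts.
grandchild_inherits_change() {
    umask 022
    normalize_umask "$(sh -c 'umask 077; sh -c umask')"
}

# script_wide_umask DIR: the advice above as a tiny script run in its own sh;
# prints "<dir-mode> <file-mode>" for what mkdir and touch created, followed
# by the caller's own umask, which is still what it was.
script_wide_umask() {
    umask 022
    sh -c 'umask 077; mkdir "$1/d"; touch "$1/f"; stat -c %a "$1/d" "$1/f"' sh "$1" \
        | tr '\n' ' '
    normalize_umask "$(umask)"
}

tmp=$(mktemp -d)                                # constructed throwaway tree
echo "parent after child changed umask: $(parent_after_child)"
echo "child inherits parent's umask:    $(child_inherits)"
echo "grandchild inherits child's:      $(grandchild_inherits_change)"
echo "script-wide umask (dir file own): $(script_wide_umask "$tmp")"
rm -rf "$tmp"
```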
-
Re: security permissions issues - bash
 Originally Posted by hcvv
That is either a very sloppy remark or you do not understand it.
Every process has a process environment and umask is part of it. There is always a umask in the environment; it cannot be "removed".
- The process environment, and thus the umask, is inherited by a child process.
- Items in the environment, including the umask, can be altered by a child process.
- When the child process exits, the parent process runs on with its original environment, including the original umask, because nothing from a child process environment goes backwards/upwards to the environment of the parent process.
you do not understand it.
Yes, I'm still learning bash as I write code. It comes in handy to know 5+ computer languages and two operating systems. 
If I close the terminal window, then start another it will use the default umask?
-
Re: security permissions issues - bash
 Originally Posted by lord_valarian
you do not understand it.
Yes, I'm still learning bash as I write code. It comes in handy to know 5+ computer languages and two operating systems.
If I close the terminal window, then start another it will use the default umask?
This has not much to do with learning bash. It is basic knowledge about how a Unix/Linux-like operating system works. While I have published some basic knowledge here on the forums in the Dutch section with the goal to provide information to those native Dutch speakers who feel they have problems understanding computer technical English, I do not think it useful to translate this information back into English. I assume there is more than enough information available on the internet about Unix (and thus Linux) basic functionality. So search for yourself and try to get a thorough bottom layer of it upon which you can then build further, e.g. by using a programming language.
Following my own preferred sequence that I have in my Dutch articles, subjects are:
- The Kernel
- Processes
- Process environment (like PATH, DISPLAY, LANG and it also includes umask)
Already now you should be able to understand what "if I close the terminal window" means with respect to the processes involved and what you can expect from "start another".
There is no clue to answer "yes" or "no" to your question when you do not understand why it is so.
Henk van Velden
-
Re: security permissions issues - bash
Hi
@OP, if you need files and directories to be specific permissions/ownership don't script it, create a permissions file down in /etc/permissions.d for your script and use chkstat....
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
-
Re: security permissions issues - bash
 Originally Posted by malcolmlewis
Hi
@OP, if you need files and directories to be specific permissions/ownership don't script it, create a permissions file down in /etc/permissions.d for your script and use chkstat....
Is chkstat an openSUSE command? I've made the script to be very general to any Linux install.
Code:
Checking permissions and ownerships - using the permissions files
/etc/permissions.d/scanvirus_permissions.cfg
setting /var/log/VirusVault/VirusScanLog.txt to root:root 0700. (wrong permissions 0600)
setting /var/log/VirusVault/scanvirus.cfg to root:root 0700. (wrong permissions 0600)
Somehow only the text files are not being set properly.
Code:
#!/bin/bash
#chmod u=rwx,g=,o= [folder/file]
umask 077
#export TERM=vt100
#create VirusVault and VirusFound folder if not present
if [[ ! -d "/var/log/VirusVault" ]] || [[ ! -d "/var/log/VirusVault/VirusFound" ]]; then
    printf "Creating folders VirusVault and VirusFound\n"
    mkdir -p /var/log/VirusVault/VirusFound
fi
#create VirusScanLog file if not present
if [[ ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
    printf "creating VirusScanLog\n"
    printf "..... Virus Scan Log .....\n" > "/var/log/VirusVault/VirusScanLog.txt"
    printf "_____________________________________________________________________\n\n" >> "/var/log/VirusVault/VirusScanLog.txt"
fi
#create configuration file if not present
if [[ ! -f "/var/log/VirusVault/scanvirus.cfg" ]]; then
    printf "creating scanvirus configuration\n"
    cat > /var/log/VirusVault/scanvirus.cfg <<EOL
______________________________scanvirus configuration______________________________
Date[space]Time or Time[space]Date
date +'%Y-%m-%d %I:%M:%S%P'
DateTimeStamp= %Y-%m-%d %I:%M:%S%P
___________________________________________________________________________________
ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys var .snapshots
___________________________________________________________________________________
Bash Suspend Command
1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
SuspendCommand= 1
___________________________________________________________________________________
EOL
fi
#create security permissions file if not present
#note: with umask 077 the two regular files are created 0600, so chkstat reports
#the 0700 entries for them (see the output above)
if [[ ! -f "/etc/permissions.d/scanvirus_permissions.cfg" ]]; then
    printf "creating scanvirus security permissions\n"
    cat > /etc/permissions.d/scanvirus_permissions.cfg <<EOL
/var/log/VirusVault root:root 0700
/var/log/VirusVault/VirusFound root:root 0700
/var/log/VirusVault/VirusScanLog.txt root:root 0700
/var/log/VirusVault/scanvirus.cfg root:root 0700
EOL
fi
#check configuration file permissions
printf "checking file permissions\n"
chkstat --set /etc/permissions.d/scanvirus_permissions.cfg
#exit
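Added example, not code from the thread and not chkstat itself: a small checker that reads a permissions.d-style file ("path owner:group mode", one entry per line) and reports each entry whose owner or mode differs, in the same wording as the chkstat output above. build_sample_tree recreates the script's layout with umask 077 in a throwaway directory and writes a file that, like the original, asks 0700 for the text files too, so the checker flags exactly those two. Assumes GNU coreutils (stat -c, mktemp); numeric uid:gid are used in the constructed file so it does not depend on a passwd entry (the real file uses names, as in the thread).

```shell
#!/bin/bash
# check_permissions FILE: print one line per mismatch; return 1 if any
check_permissions() {
    local file=$1 rc=0 path want_owner want_mode have_owner have_ids have_mode
    while read -r path want_owner want_mode; do
        [ -z "$path" ] && continue                  # blank line
        case $path in \#*) continue ;; esac         # comment line
        have_owner=$(stat -c '%U:%G' "$path" 2>/dev/null) \
            || { printf 'missing %s\n' "$path"; rc=1; continue; }
        have_ids=$(stat -c '%u:%g' "$path")         # accept numeric ids too
        have_mode=$(printf '%04o' $(( $(stat -c '0%a' "$path") )))
        if { [ "$have_owner" = "$want_owner" ] || [ "$have_ids" = "$want_owner" ]; } \
            && [ "$have_mode" = "$want_mode" ]; then
            continue
        fi
        printf 'setting %s to %s %s. (wrong permissions %s)\n' \
            "$path" "$want_owner" "$want_mode" "$have_mode"
        rc=1
    done < "$file"
    return $rc
}

# build_sample_tree ROOT: create the constructed tree and permissions file
# under ROOT; prints the path of the permissions file
build_sample_tree() {
    local root=$1 me
    me="$(id -u):$(id -g)"
    ( umask 077 && mkdir -p "$root/VirusVault/VirusFound" \
        && touch "$root/VirusVault/VirusScanLog.txt" "$root/VirusVault/scanvirus.cfg" )
    cat > "$root/scanvirus_permissions.cfg" <<EOF
$root/VirusVault $me 0700
$root/VirusVault/VirusFound $me 0700
$root/VirusVault/VirusScanLog.txt $me 0700
$root/VirusVault/scanvirus.cfg $me 0700
EOF
    printf '%s\n' "$root/scanvirus_permissions.cfg"
}

tmp=$(mktemp -d)
cfg=$(build_sample_tree "$tmp")
echo "Checking permissions and ownerships - using the permissions file $cfg"
check_permissions "$cfg" || echo "(mismatches found: the two regular files are 0600)"
rm -rf "$tmp"
```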