
Thread: security permissions issues - bash

  1. #11
    Re: security permissions issues - bash

    Just some additions:
    - instead of the long chmod command, you can use the numeric notation 700. This means that for the owner it's rwx ( 2²+2¹+2⁰ = 7 ), and no permissions for group and world. So, owner - group - world needs three bytes. The often seen 644 ( rw-r--r-- ) can be calculated the same way ( 2²+2¹+0 = 6, 2²+0+0 = 4 etc ).
    - you already know that /var/log exists, but if you didn't, 'mkdir -p /var/log/blah' would not result in an error, but would create the entire path.

    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  2. #12

    Re: security permissions issues - bash

    Quote (originally posted by nrickert):
    In a shell script:
    Code:
    command1  && command2
    just runs "command1" and if that is successful, then it runs "command2".

    In this case, I use parentheses "(" and ")" so that the commands run in a subshell. That is so that the umask command only affects the subshell and does not affect the rest of your script after that line. However, affecting the rest of the script might be harmless or even good in this case. But that would be for you to decide.

    The main point, though, is the use of "umask" to set permissions. The way that you were setting permissions, was to first create the file, and then change to restrictive permissions. That leaves a few milliseconds where the file or directory exists with weak permissions, and maybe a clever hacker could exploit that. Using "umask" makes sure that the file or directory is created with the restrictive permissions, which avoids those few milliseconds.
    I see your point. I've adapted that into the code. Also, it creates text files.

    Code:
    #create VirusVault folder if not present
    if [[ ! -d "/var/log/VirusVault" ]]; then
         printf "creating VirusVault\n"
         #chmod u=rwx,g=,o= /var/log/VirusVault
         ( umask 077 && mkdir /var/log/VirusVault )
    fi
    So, this should be put in as well.

    Code:
    #create VirusScanLog file if not present
    if [[ ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
         printf "creating VirusScanLog\n"
         #chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
         ( umask 077 && touch /var/log/VirusVault/VirusScanLog.txt )
    
         printf "\n..... Virus Scan Log .....\n" >> "/var/log/VirusVault/VirusScanLog.txt"
         printf "_____________________________________________________________________\n\n" >> "/var/log/VirusVault/VirusScanLog.txt"
    fi

  3. #13

    Re: security permissions issues - bash

    Quote (originally posted by Knurpht):
    Just some additions:
    - instead of the long chmod command, you can use the numeric notation 700. This means that for the owner it's rwx ( 2²+2¹+2⁰ = 7 ), and no permissions for group and world. So, owner - group - world needs three bytes. The often seen 644 ( rw-r--r-- ) can be calculated the same way ( 2²+2¹+0 = 6, 2²+0+0 = 4 etc ).
    - you already know that /var/log exists, but if you didn't, 'mkdir -p /var/log/blah' would not result in an error, but would create the entire path.
    I'm very aware of this method to set permissions, but this is much more readable.

    Code:
     chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
    Thanks for the tip. I was able to clip out more code.

    Code:
    #create VirusVault and VirusFound folder if not present
    if [[ ! -d "/var/log/VirusVault" ]] || [[ ! -d "/var/log/VirusVault/VirusFound" ]]; then
         printf "Creating folders VirusVault and VirusFound\n"
         #chmod u=rwx,g=,o= /var/log/VirusVault
         ( umask 077 && mkdir -p /var/log/VirusVault/VirusFound )
    fi

  4. #14
    Re: security permissions issues - bash

    Quote (originally posted by nrickert):
    If I were writing that script, I would probably change those two lines to:
    Code:
        ( umask 077 && mkdir /var/log/VirusVault )
    That is a nice solution when you want this umask only for that command, without changing the umask for the rest of your script.

    When one has a rather large/complicated script
    and
    one wants to have tight permissions set on all the files created in that script

    my advice would be to have
    Code:
    umask 077
    as one of the first statements in the script.

    It would then influence all the file creations in the script regardless if it is done directly or in child processes started from commands in the script. Specially nice to have when making changes to the script, no need to bother to not forget about using that mkdir again and again.

    It would of course be completely independent and not alter the umask of the parent process of your executing script.
    Henk van Velden

  5. #15

    Re: security permissions issues - bash

    Quote (originally posted by hcvv):
    That is a nice solution when you want this umask only for that command, without changing the umask for the rest of your script.

    When one has a rather large/complicated script
    and
    one wants to have tight permissions set on all the files created in that script

    my advice would be to have
    Code:
    umask 077
    as one of the first statements in the script.

    It would then influence all the file creations in the script regardless if it is done directly or in child processes started from commands in the script. Specially nice to have when making changes to the script, no need to bother to not forget about using that mkdir again and again.

    It would of course be completely independent and not alter the umask of the parent process of your executing script.
    I fixed it, clipping more excess code. So, any umask set will be removed on exit from the script. Thanks for the tip.

  6. #16
    Re: security permissions issues - bash

    Quote (originally posted by lord_valarian):
    So, any umask set will be removed on exit from the script.
    That is either a very sloppy remark or you do not understand it.

    Every process has a process environment and umask is part of it. There is always an umask in the environment; it can not be "removed".

    • The process environment, and thus the umask, is inherited by a child process.
    • Items in the environment, including the umask, can be altered by a child process.
    • When the child process exits, the parent process runs on with its original environment, including the original umask, because nothing from a child process environment is going backwards/upwards to the environment of the parent process.
    Henk van Velden

  7. #17

    Re: security permissions issues - bash

    Quote (originally posted by hcvv):
    That is either a very sloppy remark or you do not understand it.

    Every process has a process environment and umask is part of it. There is always an umask in the environment; it can not be "removed".

    • The process environment, and thus the umask, is inherited by a child process.
    • Items in the environment, including the umask, can be altered by a child process.
    • When the child process exits, the parent process runs on with its original environment, including the original umask, because nothing from a child process environment is going backwards/upwards to the environment of the parent process.
    you do not understand it.

    Yes, I'm still learning bash as I write code. It comes in handy to know 5+ computer languages and two operating systems.

    If I close the terminal window, then start another it will use the default umask?

  8. #18
    Re: security permissions issues - bash

    Quote (originally posted by lord_valarian):
    you do not understand it.

    Yes, I'm still learning bash as I write code. It comes in handy to know 5+ computer languages and two operating systems.

    If I close the terminal window, then start another it will use the default umask?
    This has not much to do with learning bash. It is basic knowledge about how a Unix/Linux-like operating system works. While I have published some basic knowledge here on the forums in the Dutch section with the goal to provide information to those native Dutch speakers who feel they have problems to understand computer technical English, I do not think it useful to translate this information back into English. I assume there is more than enough information available on the internet about Unix (and thus Linux) basic functionality. So search for yourself and try to get a thorough bottom layer of it upon which you can then build further, e.g. by using a programming language.

    Following my own preferred sequence that I have in my Dutch articles, subjects are:
    • The Kernel
    • Processes
    • Process environment (like PATH, DISPLAY, LANG and it also includes umask)

    Already now you should be able to understand what means "if I close the terminal window" with respect to processes involved and what you can expect from "start another".

    There is no clue to answer "yes" or "no" to your question when you do not understand why it is so.
    Henk van Velden

  9. #19
    Re: security permissions issues - bash

    Hi
    @OP, if you need files and directories to be specific permissions/ownership don't script it, create a permissions file down in /etc/permissions.d for your script and use chkstat....
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  10. #20

    Re: security permissions issues - bash

    Quote (originally posted by malcolmlewis):
    Hi
    @OP, if you need files and directories to be specific permissions/ownership don't script it, create a permissions file down in /etc/permissions.d for your script and use chkstat....
    Is chkstat an openSUSE command? I've made the script to be very general to any Linux install.


    Code:
    Checking permissions and ownerships - using the permissions files
            /etc/permissions.d/scanvirus_permissions.cfg
    setting /var/log/VirusVault/VirusScanLog.txt to root:root 0700. (wrong permissions 0600)
    setting /var/log/VirusVault/scanvirus.cfg to root:root 0700. (wrong permissions 0600)
    Somehow only the text files are not being set properly.

    Code:
    #chmod u=rwx,g=,o= [folder/file]
    umask 077
    
    #export TERM=vt100
    
    #create VirusVault and VirusFound folder if not present
    if [[ ! -d "/var/log/VirusVault" ]] || [[ ! -d "/var/log/VirusVault/VirusFound" ]]; then
         printf "Creating folders VirusVault and VirusFound\n"
         mkdir -p /var/log/VirusVault/VirusFound
    fi
    
    #create VirusScanLog file if not present
    if [[ ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
         printf "creating VirusScanLog\n"
         printf "..... Virus Scan Log .....\n" > "/var/log/VirusVault/VirusScanLog.txt"
         printf "_____________________________________________________________________\n\n" >> "/var/log/VirusVault/VirusScanLog.txt"
    fi
    
    #create configuration file if not present
    if [[ ! -f "/var/log/VirusVault/scanvirus.cfg" ]]; then
         printf "creating scanvirus configuration\n"
         cat > /var/log/VirusVault/scanvirus.cfg <<EOL
    ______________________________scanvirus configuration______________________________
    Date[space]Time or Time[space]Date
    date +'%Y-%m-%d %I:%M:%S%P'
    DateTimeStamp= %Y-%m-%d %I:%M:%S%P
    ___________________________________________________________________________________
    ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys var .snapshots
    ___________________________________________________________________________________
    Bash Suspend Command
    1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
    2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
    SuspendCommand= 1
    ___________________________________________________________________________________
    EOL
    fi
    
    #create security permissions file if not present
    if [[ ! -f "/etc/permissions.d/scanvirus_permissions.cfg" ]]; then
         printf "creating scanvirus security permissions\n"
         cat > /etc/permissions.d/scanvirus_permissions.cfg <<EOL
         /var/log/VirusVault                root:root   0700
         /var/log/VirusVault/VirusFound     root:root   0700
         /var/log/VirusVault/VirusScanLog.txt     root:root   0700
         /var/log/VirusVault/scanvirus.cfg        root:root   0700
    EOL
    fi
    
    #check configuration file permissions
         printf "checking file permissions\n"
         chkstat --set /etc/permissions.d/scanvirus_permissions.cfg
         #exit
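
The umask behaviour discussed in posts #12 to #20, as an added example that is not part of the thread or of anyone's script: it shows the modes `umask 077` gives a new directory and a new file, that a subshell's umask never reaches its parent, and what mode a file has at creation with and without the restrictive mask. The function names are illustrative, the paths are constructed inside a temporary directory, and `stat -c %a` is assumed to be available.

```bash
#!/usr/bin/env bash
# Added illustration, not code from the thread. Everything happens in a
# throwaway mktemp directory; assumes `stat -c %a` (GNU coreutils/busybox).

# Print the octal permission bits of a path, e.g. 600 or 700.
mode_of() { stat -c '%a' "$1"; }

# Directories are created from a base of 0777 and regular files from 0666,
# so the same `umask 077` yields 700 for a directory but 600 for a file.
modes_under_077() {
    local d
    d=$(mktemp -d) || return 1
    (
        umask 077
        mkdir -p "$d/VirusVault/VirusFound"
        printf 'constructed log header\n' > "$d/VirusVault/VirusScanLog.txt"
    )
    printf '%s %s\n' "$(mode_of "$d/VirusVault/VirusFound")" \
                     "$(mode_of "$d/VirusVault/VirusScanLog.txt")"
    rm -rf "$d"
}

# A umask set in a subshell is visible there and nowhere else: prints the
# parent's umask before, the child's umask, and the parent's umask after.
umask_scope() {
    local before inside after
    before=$(umask)
    inside=$( umask 077 && umask )
    after=$(umask)
    printf '%s %s %s\n' "$before" "$inside" "$after"
}

# Mode a new file has at the instant of creation: under a typical 022 umask
# (before any later chmod could run) versus under umask 077.
mode_at_creation() {
    local d late early
    d=$(mktemp -d) || return 1
    late=$( umask 022; : > "$d/late"; mode_of "$d/late" )
    early=$( umask 077; : > "$d/early"; mode_of "$d/early" )
    rm -rf "$d"
    printf '%s %s\n' "$late" "$early"
}

printf 'dir/file under umask 077:     %s\n' "$(modes_under_077)"
printf 'parent/subshell/parent umask: %s\n' "$(umask_scope)"
printf 'mode at creation 022 vs 077:  %s\n' "$(mode_at_creation)"
```

The 700/600 split matches the chkstat output in post #20: the script's `umask 077` created the two text files as 0600, and chkstat then changed them to the 0700 requested in the permissions file.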
