Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: security permissions issues - bash

  1. #1

    security permissions issues - bash

    I need to know about this security setup. The old setup allows any user to view 'VirusVault' files. So, I added setup code to change the permissions on existing files and set up security when folders are created. I need a basic question answered. Can a user access any text files set with 'chmod 644' within 'VirusVault'?

    I tried it myself, but I can't be sure.


    drwx------ 1 root root 78 May 15 22:08 /var/log/VirusVault

    drwx------ 1 root root 36 May 15 22:08 /var/log/VirusVault/VirusFound

    If I need to post the code clip, I can.

  2. #2

    Re: security permissions issues - bash

    Quote Originally Posted by lord_valarian View Post
    I need to know about this security setup. The old setup allows any user to view 'VirusVault' files. So, I added setup code to change the permissions on existing files and set up security when folders are created. I need a basic question answered. Can a user access any text files set with 'chmod 644' within 'VirusVault'?

    I tried it myself, but I can't be sure.


    drwx------ 1 root root 78 May 15 22:08 /var/log/VirusVault

    drwx------ 1 root root 36 May 15 22:08 /var/log/VirusVault/VirusFound

    If I need to post the code clip, I can.
    As you can see the folders are only accessible by root. No other user, not for the world. I hence don't see the use of 644 ( rw-r--r-- ) for the files.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  3. #3

    Re: security permissions issues - bash

    Quote Originally Posted by Knurpht View Post
    As you can see the folders are only accessible by root. No other user, not for the world. I hence don't see the use of 644 ( rw-r--r-- ) for the files.

    -rw-r--r-- 1 root root 688 May 15 21:29 scanvirus.cfg

    Superuser mode. Normal output for command.

    Code:
    # cat /var/log/VirusVault/scanvirus.cfg


    Normal user mode

    Code:
    cat /var/log/VirusVault/scanvirus.cfg
    cat: /var/log/VirusVault/scanvirus.cfg: Permission denied
    Locked out. The correct security.


    Can you take a look at this code? Using a command in a string from a user-input file can be a security issue. I believe I fixed the problem. There shouldn't be any issues with it.

    Code:
    #ignore SIGQUIT (control-\) so the scan cannot be killed from the terminal
    trap '' SIGQUIT
    #ignore SIGTSTP (control-z) so the scan cannot be suspended
    trap '' SIGTSTP
    
    
    #######################
    # scanvirus main code #
    #######################
    
    # if not in superuser mode
    if [[ $EUID -ne 0 ]]; then
       printf "--- superuser/root only ---\n"
       exit 1
    fi
     
    # if not in superuser root
    #if [[ "$USER" != 'root' ]]; then
    #   printf "superuser root only: su -\n"
    #   exit 1
    #fi
     
     
    # if clamscan not installed 
    clamscan --help > /dev/null 2>&1
    if [[ $? == 127 ]]; then
       echo "clamscan not installed" 1>&2
       exit 1
    fi
    
    # if udisksctl (udisks2) not installed 
    udisksctl --help > /dev/null 2>&1
    if [[ $? == 127 ]]; then
       echo "udisks2 not installed" 1>&2
       exit 1
    fi
     
    #export TERM=vt100
    
    #Virus Vault Directory Check
    
    #create var directory if not present
    #if [[ -d "/var" ]]; then
    #    printf ""
    #else
    #    printf "creating var directory\n"
    #    mkdir var
    #fi
    
    #create log directory if not present
    #if [[ -d "/var/log" ]]; then
    #    printf ""
    #else
    #    printf "creating log directory\n"
    #    mkdir /var/log
    #fi
    
    #create VirusVault folder if not present
    if [[ -d "/var/log/VirusVault" ]]; then
         printf ""
    else
         printf "creating VirusVault\n"
         mkdir /var/log/VirusVault
         chmod u=rwx,g=,o= /var/log/VirusVault
    fi
    
    #check VirusVault folder permissions
    shopt -s lastpipe;ls -ld /var/log/VirusVault | read Temp_VVPermissions;shopt -u lastpipe
    if [[ "$Temp_VVPermissions" != 'drwx------ '* ]]; then
         printf "Setting VirusVault Permissions\n"
         chmod u=rwx,g=,o= /var/log/VirusVault
    fi
    
    #create VirusFound folder if not present
    if [[ -d "/var/log/VirusVault/VirusFound" ]]; then
         printf ""
    else
         printf "creating VirusFound\n"
         mkdir /var/log/VirusVault/VirusFound
         chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
    fi
    
    #check VirusFound folder permissions
    shopt -s lastpipe;ls -ld /var/log/VirusVault/VirusFound | read Temp_VVPermissions;shopt -u lastpipe
    if [[ "$Temp_VVPermissions" != 'drwx------ '* ]]; then
         printf "Setting VirusFound Permissions\n"
         chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
    fi
    
    #create VirusScanLog file if not present
    if [[ -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
         printf ""
    else
         printf "creating VirusScanLog\n"
         printf "\n..... Virus Scan Log .....\n" > "/var/log/VirusVault/VirusScanLog.txt"
         printf "_____________________________________________________________________\n\n" >> "/var/log/VirusVault/VirusScanLog.txt"
         chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
    fi
    
    #check VirusScanLog file permissions
    shopt -s lastpipe;ls -l /var/log/VirusVault/VirusScanLog.txt | read Temp_VVPermissions;shopt -u lastpipe
    if [[ "$Temp_VVPermissions" != '-rw------- '* ]]; then
         printf "Setting VirusScanLog Permissions\n"
         chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
    fi
    
    #create configuration file if not present
    if [[ -f "/var/log/VirusVault/scanvirus.cfg" ]]; then
         printf ""
    else
         printf "creating scanvirus configuration\n"
         cat > /var/log/VirusVault/scanvirus.cfg <<EOL
    ______________________________scanvirus configuration______________________________
    Date[space]Time or Time[space]Date
    date +'%Y-%m-%d %I:%M:%S%P'
    DateTimeStamp= %Y-%m-%d %I:%M:%S%P
    ___________________________________________________________________________________
    ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys .snapshots
    ___________________________________________________________________________________
    Bash Suspend Command
    1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
    2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
    SuspendCommand= 1
    ___________________________________________________________________________________
    EOL
              chmod u=rw,g=,o= /var/log/VirusVault/scanvirus.cfg
    fi
    
    #check configuration file permissions
    shopt -s lastpipe;ls -l /var/log/VirusVault/scanvirus.cfg | read Temp_VVPermissions;shopt -u lastpipe
    if [[ "$Temp_VVPermissions" != '-rw------- '* ]]; then
         printf "Setting configuration file permissions\n"
         chmod u=rw,g=,o= /var/log/VirusVault/scanvirus.cfg
    fi
    
         #read configuration file lines into array
         while read -r line
         do
              #check for varible lines
              if [[ "$line" == 'DateTimeStamp='* ]];then
                   #remove all past ';'
                   #printf "%s\n" "$line"
                   DTS_tmp1=${line#DateTimeStamp= *}
                   #printf "%s\n" "$DTS_tmp1"
                   DTS_Format=${DTS_tmp1%%;*}
                   #printf "%s\n" "$DTS_Format"
    
                   #check for valid date and time
                   Date_Time_Stamp=$( date +"$DTS_Format" )
                   if [[ $? != 0 ]]; then
                        echo "----- Date time stamp error -----"
                        exit 1
                   fi
     
              elif [[ "$line" == 'ExcludedScanFolders='* ]];then
                   shopt -s lastpipe;printf "%s" "${line#ExcludedScanFolders= *}" | read -a ExcludedScanFolders;shopt -u lastpipe
              elif [[ "$line" == 'SuspendCommand='* ]];then
                   shopt -s lastpipe;printf "%s" "${line#SuspendCommand= *}" | read SuspendCommand;shopt -u lastpipe
              fi
         done < /var/log/VirusVault/scanvirus.cfg
         
         #printf "%s\n" "$Date_Time_Stamp"
         #printf "%s\n" "${ExcludedScanFolders[@]}"
         #printf "SuspendCommand= %s\n" $SuspendCommand
         #exit 1
    
         Virus_Vault_Folder='/var/log/VirusVault'
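The post above says the configuration values must never be run as shell, and its fix is to store a 1/2 code for SuspendCommand rather than the command itself. As an added example (not the thread's script) this is a loader for the same scanvirus.cfg format that makes that rule explicit for every key: the date format is handed to date as one argument and never evaluated, the excluded-folder list is checked against a character allow-list, and SuspendCommand is mapped to one of two fixed strings or rejected. It assumes GNU date; the variable names CFG_DTS, CFG_EXCLUDES and CFG_SUSPEND and the allow-list are my choices, not the thread's.

```bash
#!/usr/bin/env bash
# Added example, not the thread's script: load scanvirus.cfg (the Key= value
# format shown in the thread) without ever executing a value from the file.
# Assumes GNU date. Names CFG_* and the allow-list are assumptions.

# load_cfg FILE
#   Sets CFG_DTS (date format), CFG_EXCLUDES (space-separated names) and
#   CFG_SUSPEND (a fixed command string chosen here, never read from FILE).
#   Separator/description lines and unknown keys are ignored; a bad value
#   prints a reason and returns 1; missing DateTimeStamp/SuspendCommand is 1.
load_cfg() {
    CFG_DTS='' CFG_EXCLUDES='' CFG_SUSPEND=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=*) ;;                     # only "Key= value" lines are considered
            *)   continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        val=${val#"${val%%[![:space:]]*}"}   # trim leading whitespace
        val=${val%"${val##*[![:space:]]}"}   # trim trailing whitespace
        case "$key" in
            DateTimeStamp)
                # Passed to date as a single argument, so shell syntax in it is
                # inert. date accepts almost any format, so this only catches
                # gross errors; the real protection is that it is data, not code.
                date +"$val" >/dev/null 2>&1 || { echo "bad DateTimeStamp: $val" >&2; return 1; }
                CFG_DTS=$val ;;
            ExcludedScanFolders)
                # Names only: letters, digits, dot, underscore, dash. That rules
                # out '/', globs and anything a later shell step could expand.
                set -f                  # no pathname expansion while splitting
                ok=1
                for f in $val; do
                    case "$f" in
                        *[!A-Za-z0-9._-]*|.|..) ok=0 ;;
                    esac
                done
                set +f
                [ "$ok" = 1 ] || { echo "bad ExcludedScanFolders: $val" >&2; return 1; }
                CFG_EXCLUDES=$val ;;
            SuspendCommand)
                # The file may only pick from a fixed menu; the command text
                # lives in the script, exactly as the thread's 1/2 scheme intends.
                case "$val" in
                    1) CFG_SUSPEND='systemctl suspend' ;;
                    2) CFG_SUSPEND='pm-suspend' ;;
                    *) echo "bad SuspendCommand: $val" >&2; return 1 ;;
                esac ;;
            *) ;;   # e.g. the "1= 'systemctl suspend' - ..." description lines
        esac
    done < "$1"
    [ -n "$CFG_DTS" ] && [ -n "$CFG_SUSPEND" ]
}

# Demo with a constructed copy of the thread's default configuration.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
______________________________scanvirus configuration______________________________
date +'%Y-%m-%d %I:%M:%S%P'
DateTimeStamp= %Y-%m-%d %I:%M:%S%P
ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys .snapshots
1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
SuspendCommand= 1
EOF
if load_cfg "$demo_cfg"; then
    echo "stamp: $(date +"$CFG_DTS")"
    echo "excluded: $CFG_EXCLUDES"
    echo "suspend with: $CFG_SUSPEND"
fi
rm -f "$demo_cfg"
```

In the scan script the mapped value is then run as `$CFG_SUSPEND` (one of two fixed strings, so word splitting is intended) and the stamp as `date +"$CFG_DTS"`; a configuration line such as `SuspendCommand= 1; rm -rf /` is simply rejected rather than reaching a shell.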

  4. #4

    Re: security permissions issues - bash

    To comment on the script: Absolutely not the way to do it. Sorry.

    You need to learn to not grep the perms from output like rwx-------- etc.
    Once you've made sure only root can run it, otherwise exit, there's no need to check all that
    Also, /var and /var/log are on every linux system, no need to check for their existence

    General advice: First step is learning about definitions of the OS you're working on. Your question re. 644 indicates you miss basic knowledge you need to write a proper script.

  5. #5

    Re: security permissions issues - bash

    Quote Originally Posted by Knurpht View Post
    To comment on the script: Absolutely not the way to do it. Sorry.

    You need to learn to not grep the perms from output like rwx-------- etc.
    Once you've made sure only root can run it, otherwise exit, there's no need to check all that
    Also, /var and /var/log are on every linux system, no need to check for their existence

    General advice: First step is learning about definitions of the OS you're working on. Your question re. 644 indicates you miss basic knowledge you need to write a proper script.
    What other way to do it? Using grep is the simplest method, the only one I've found.


    I know what 'chmod 644' means. I was trying to be clear as what the permissions are set to. user=rw group=r other=r. The folder above this file properly blocks access to these files.

    Yes, I took that old code out. That code is likely from when the script was first created. There are lots of old code snips in there.



    If anyone else sees any security issues, please point them out.

  6. #6

    Re: security permissions issues - bash

    Quote Originally Posted by lord_valarian View Post
    Code:
    mkdir /var/log/VirusVault
    chmod u=rwx,g=,o= /var/log/VirusVault
    If I were writing that script, I would probably change those two lines to:
    Code:
        ( umask 077 && mkdir /var/log/VirusVault )
    I haven't looked closely at the rest of the script.
    openSUSE Leap 15.4; KDE Plasma 5.24.4;
    testing Tumbleweed.

  7. #7

    Re: security permissions issues - bash

    Quote Originally Posted by lord_valarian View Post
    the only one i'v found.
    Code:
    man 1 stat

  8. #8

    Re: security permissions issues - bash

    Quote Originally Posted by arvidjaar View Post
    Code:
    man 1 stat
    I was able to work with that and change the code to this format. Thanks.

    Code:
    #create VirusVault folder if not present
    if [[ ! -d "/var/log/VirusVault" ]]; then
         printf "creating VirusVault\n"
         mkdir /var/log/VirusVault
         chmod u=rwx,g=,o= /var/log/VirusVault
    fi
    
    #check VirusVault folder permissions
    if [[ "$(stat -c '%A' /var/log/VirusVault)" != 'drwx------' ]]; then
         printf "Setting VirusVault Permissions\n"
         chmod u=rwx,g=,o= /var/log/VirusVault
    fi

    Should I add checking to see if the owner and group name are root? I think it's a good idea.
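As an added example (not the thread's script) of the stat(1) approach from the post above, extended to the owner check it asks about: compare the numeric mode and uid that stat prints rather than a 'drwx------' string, so an exact 0700/0600 is required (a setuid bit or an extra group bit fails) and an ACL or SELinux marker in ls output cannot confuse the test. It assumes GNU coreutils stat (the -c option). The expected owner is a parameter that defaults to uid 0 so that the demo can run under a temp dir as any user; the function names check_private and fix_private are mine.

```bash
#!/usr/bin/env bash
# Added example, not the thread's script: verify vault paths with stat(1)
# (numeric mode and owner) instead of parsing ls output.
# Assumes GNU coreutils stat. check_private/fix_private are assumed names.

# check_private PATH TYPE MODE [OWNER_UID]
#   TYPE  : dir or file
#   MODE  : expected octal permission bits, e.g. 700 or 600
#   Returns 0 when PATH is not a symlink, is of TYPE, has exactly MODE
#   (so setuid/setgid/sticky or any group/other bit fails) and is owned by
#   OWNER_UID (default 0, root); otherwise explains on stderr and returns 1.
check_private() {
    path=$1 want_type=$2 want_mode=$3 want_uid=${4:-0}
    if [ -L "$path" ]; then
        echo "$path: is a symlink" >&2; return 1
    fi
    case "$want_type" in
        dir)  [ -d "$path" ] || { echo "$path: not a directory" >&2; return 1; } ;;
        file) [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; } ;;
        *)    echo "check_private: unknown type '$want_type'" >&2; return 2 ;;
    esac
    # %a = octal permission bits, %u = numeric owner uid
    info=$(stat -c '%a %u' "$path") || return 1
    mode=${info% *}
    uid=${info#* }
    [ "$mode" = "$want_mode" ] || { echo "$path: mode $mode, want $want_mode" >&2; return 1; }
    [ "$uid" = "$want_uid" ]   || { echo "$path: owner uid $uid, want $want_uid" >&2; return 1; }
    return 0
}

# fix_private PATH TYPE MODE [OWNER_UID]
#   Same arguments. Tightens the mode (and the owner, when running as root,
#   which the scan script requires) and re-checks. Never touches a symlink.
fix_private() {
    check_private "$@" 2>/dev/null && return 0
    if [ -L "$1" ]; then echo "$1: refusing to fix a symlink" >&2; return 1; fi
    chmod "$3" "$1" || return 1
    if [ "$(id -u)" = 0 ]; then chown "${4:-0}" "$1" || return 1; fi
    check_private "$@"
}

# Demo under a constructed temp dir. The scan script would pass
# /var/log/VirusVault and leave OWNER_UID at its default of 0.
demo_dir=$(mktemp -d)
( umask 077 && mkdir "$demo_dir/VirusVault" )
check_private "$demo_dir/VirusVault" dir 700 "$(id -u)" && echo "vault ok"
chmod 755 "$demo_dir/VirusVault"          # simulate the old, open permissions
fix_private "$demo_dir/VirusVault" dir 700 "$(id -u)" && echo "vault fixed"
rm -rf "$demo_dir"
```

With 0700 on the directory and 0600 on the files the group bits are zero, so the group name does not change who can read anything; the owner check is the one that matters, and comparing uid 0 rather than the name "root" avoids depending on /etc/passwd lookups. An ACL granting extra access is not visible to stat -c; getfacl(1) shows it.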

  9. #9

    Re: security permissions issues - bash

    Quote Originally Posted by nrickert View Post
    If I were writing that script, I would probably change those two lines to:
    Code:
        ( umask 077 && mkdir /var/log/VirusVault )
    I haven't looked closely at the rest of the script.
    I'm not sure how that works. I've used '&&' in code frequently, never in that format. Can you show me what that is doing?

  10. #10

    Re: security permissions issues - bash

    Quote Originally Posted by lord_valarian View Post
    I'm not sure how that works. I've used '&&' in code frequently, never in that format. Can you show me what that is doing?
    In a shell script:
    Code:
    command1  && command2
    just runs "command1" and if that is successful, then it runs "command2".

    In this case, I use parentheses "(" and ")" so that the commands run in a subshell. That is so that the umask command only affects the subshell and does not affect the rest of your script after that line. However, affecting the rest of the script might be harmless or even good in this case. But that would be for you to decide.

    The main point, though, is the use of "umask" to set permissions. The way that you were setting permissions, was to first create the file, and then change to restrictive permissions. That leaves a few milliseconds where the file or directory exists with weak permissions, and maybe a clever hacker could exploit that. Using "umask" makes sure that the file or directory is created with the restrictive permissions, which avoids those few milliseconds.
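The point made above is that creating first and chmod'ing second leaves a window in which the directory or file exists with the default 0755/0644. As an added example (not the thread's script), here is the vault layout from the thread (VirusFound/, VirusScanLog.txt, scanvirus.cfg) built so that every item is born with its final mode: umask 077 in a subshell, mkdir -m for the directories, and set -C (noclobber) so a file write refuses an existing path instead of truncating through it. The vault path is a parameter so the demo runs under a temp dir as an unprivileged user; the script would pass /var/log/VirusVault. It assumes GNU coreutils stat for the self-check; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not the thread's script: create the vault so nothing ever
# exists with weak permissions first. Assumes GNU coreutils (stat -c).
# make_private_dir / write_private_file / create_vault are assumed names.

# make_private_dir DIR
#   mkdir -m sets the mode at creation, so DIR goes from absent straight to
#   0700 with no chmod step in between; umask 077 covers anything else the
#   subshell might create. An existing DIR is accepted only if it really is
#   a directory and not a symlink someone planted to redirect root's writes.
make_private_dir() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        [ -d "$1" ] && [ ! -L "$1" ]
        return
    fi
    ( umask 077 && mkdir -m 0700 "$1" )
}

# write_private_file FILE  (content on stdin)
#   Creates FILE as 0600 via the umask. set -C makes '>' refuse a path that
#   appeared between the check and the write instead of truncating through it.
#   Succeeds without writing if FILE already exists as a plain file.
write_private_file() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        [ -f "$1" ] && [ ! -L "$1" ]
        return
    fi
    ( umask 077 && set -C && cat > "$1" )
}

# create_vault VAULT
#   Builds the thread's layout, then verifies every mode with stat.
#   Safe to run again: existing items are checked, not recreated.
create_vault() {
    vault=$1
    make_private_dir "$vault" || return 1
    make_private_dir "$vault/VirusFound" || return 1
    printf '\n..... Virus Scan Log .....\n' | write_private_file "$vault/VirusScanLog.txt" || return 1
    write_private_file "$vault/scanvirus.cfg" <<'EOF' || return 1
DateTimeStamp= %Y-%m-%d %I:%M:%S%P
ExcludedScanFolders= dev etc proc tmp srv sys .snapshots
SuspendCommand= 1
EOF
    for p in "$vault" "$vault/VirusFound"; do
        [ "$(stat -c %a "$p")" = 700 ] || { echo "$p: unexpected mode" >&2; return 1; }
    done
    for p in "$vault/VirusScanLog.txt" "$vault/scanvirus.cfg"; do
        [ "$(stat -c %a "$p")" = 600 ] || { echo "$p: unexpected mode" >&2; return 1; }
    done
}

# Demo under a constructed temp dir (the script would use /var/log/VirusVault).
demo=$(mktemp -d)
create_vault "$demo/VirusVault" && ls -la "$demo/VirusVault"
rm -rf "$demo"
```

Because /var/log is writable only by root, the symlink checks mainly matter if the vault is ever moved somewhere less restricted, but they cost nothing and turn "create then fix" into "create correctly or refuse".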
