security permissions issues - bash

I need to know about this security setup. The old setup allows any user to view ‘VirusVault’ files. So, I added setup code to change the permissions on existing files and setup security when folders are created. I need a basic question answered. Can a user access any text files set with ‘chmod644’ within ‘VirusVault’?

I tried it myself, but I can’t be sure.

drwx------ 1 root root 78 May 15 22:08 /var/log/VirusVault

drwx------ 1 root root 36 May 15 22:08 /var/log/VirusVault/VirusFound

If I need to post the code clip, I can.

As you can see the folders are only accessible by root. No other user, not for the world. I hence don’t see the use of 644 ( rw-r–r-- ) fot then files.

-rw-r–r-- 1 root root 688 May 15 21:29 scanvirus.cfg

Superuser mode. Normal output for command.

#cat /var/log/VirusVault/scanvirus.cfg

Normal user mode

cat /var/log/VirusVault/scanvirus.cfg
cat: /var/log/VirusVault/scanvirus.cfg: Permission denied


Locked out. The correct security. :slight_smile:

Can you take a look at this code? Using a command in a string from user input file can be a security issue. I believe I fixed the problem. There shouldn’t be any issues with it.

#disable control-d
trap '' SIGQUIT
#disable control-z
trap '' SIGTSTP


#######################
# scanvirus main code #
#######################

# if not in superuser mode
if  $EUID -ne 0 ]]; then
   printf "--- superuser/root only ---
"
   exit 1
fi
 
# if not in superuser root
#if  "$USER" != 'root' ]]; then
#   printf "superuser root only: su -
"
#   exit 1
#fi
 
 
# if clamscan not installed 
clamscan --help > /dev/null 2>&1
if  $? == 127 ]]; then
   echo "clamscan not installed" 1>&2
   exit 1
fi

# if clamscan not installed 
udisksctl --help > /dev/null 2>&1
if  $? == 127 ]]; then
   echo "udisks2 not installed" 1>&2
   exit 1
fi
 
#export TERM=vt100

#Virus Vault Directory Check

#create var directory if not present
#if  -d "/var" ]]; then
#    printf ""
#else
#    printf "creating var directory
"
#    mkdir var
#fi

#create log directory if not present
#if  -d "/var/log" ]]; then
#    printf ""
#else
#    printf "creating log directory
"
#    mkdir /var/log
#fi

#create VirusVault folder if not present
if  -d "/var/log/VirusVault" ]]; then
     printf ""
else
     printf "creating VirusVault
"
     mkdir /var/log/VirusVault
     chmod u=rwx,g=,o= /var/log/VirusVault
fi

#check VirusVault folder permissions
shopt -s lastpipe;ls -ld /var/log/VirusVault | read Temp_VVPermissions;shopt -u lastpipe
if  "$Temp_VVPermissions" != 'drwx------ '* ]]; then
     printf "Setting VirusVault Permissions
"
     chmod u=rwx,g=,o= /var/log/VirusVault
fi

#create VirusFound folder if not present
if  -d "/var/log/VirusVault/VirusFound" ]]; then
     printf ""
else
     printf "creating VirusFound
"
     mkdir /var/log/VirusVault/VirusFound
     chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
fi

#check VirusFound folder permissions
shopt -s lastpipe;ls -ld /var/log/VirusVault/VirusFound | read Temp_VVPermissions;shopt -u lastpipe
if  "$Temp_VVPermissions" != 'drwx------ '* ]]; then
     printf "Setting VirusFound Permissions
"
     chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound
fi

#create VirusScanLog file if not present
if  -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
     printf ""
else
     printf "creating VirusScanLog
"
     printf "
..... Virus Scan Log .....
" > "/var/log/VirusVault/VirusScanLog.txt"
     printf "_____________________________________________________________________

" >> "/var/log/VirusVault/VirusScanLog.txt"
     chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
fi

#check VirusScanLog file permissions
shopt -s lastpipe;ls -l /var/log/VirusVault/VirusScanLog.txt | read Temp_VVPermissions;shopt -u lastpipe
if  "$Temp_VVPermissions" != '-rw------- '* ]]; then
     printf "Setting VirusScanLog Permissions
"
     chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
fi

#create configuration file if not present
if  -f "/var/log/VirusVault/scanvirus.cfg" ]]; then
     printf ""
else
     printf "creating scanvirus configuration
"
     cat > /var/log/VirusVault/scanvirus.cfg <<EOL
______________________________scanvirus configuration______________________________
Date[space]Time or Time[space]Date
date +'%Y-%m-%d %I:%M:%S%P'
DateTimeStamp= %Y-%m-%d %I:%M:%S%P
___________________________________________________________________________________
ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys .snapshots
___________________________________________________________________________________
Bash Suspend Command
1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
SuspendCommand= 1
___________________________________________________________________________________
EOL
          chmod u=rw,g=,o= /var/log/VirusVault/scanvirus.cfg
fi

#check configuration file permissions
shopt -s lastpipe;ls -l /var/log/VirusVault/scanvirus.cfg | read Temp_VVPermissions;shopt -u lastpipe
if  "$Temp_VVPermissions" != '-rw------- '* ]]; then
     printf "Setting configuration file permissions
"
     chmod u=rw,g=,o= /var/log/VirusVault/scanvirus.cfg
fi

     #read configuration file lines into array
     while read -r line
     do
          #check for varible lines
          if  "$line" == 'DateTimeStamp='* ]];then
               #remove all past ';'
               #printf "%s
" "$line"
               DTS_tmp1=${line#DateTimeStamp= *}
               #printf "%s
" "$DTS_tmp1"
               DTS_Format=${DTS_tmp1%%;*}
               #printf "%s
" "$DTS_tmp2"

               #check for valid date and time
               Date_Time_Stamp=$( date +"$DTS_Format" )
               if  $? != 0 ]]; then
                    echo "----- Date time stamp error -----"
                    exit 1
               fi
 
          elif  "$line" == 'ExcludedScanFolders='* ]];then
               shopt -s lastpipe;printf "%s" "${line#ExcludedScanFolders= *}" | read -a ExcludedScanFolders;shopt -u lastpipe
          elif  "$line" == 'SuspendCommand='* ]];then
               shopt -s lastpipe;printf "%s" "${line#SuspendCommand= *}" | read SuspendCommand;shopt -u lastpipe
          fi
     done < /var/log/VirusVault/scanvirus.cfg
     
     #printf "%s
" "$Date_Time_Stamp"
     #printf "%s
" "${ExcludedScanFolders@]}"
     #printf "SuspendCommand= %s
" $SuspendCommand
     #exit 1

     Virus_Vault_Folder='/var/log/VirusVault' 


To comment on the script: Absolutely not the way to do it. Sorry.

You need to learn to not grep the perms from output like rwx-------- etc.
Once you’ve made sure only root can run it, otherwise exit, there’s no need to check all that
Also, /var and /var/log are on every linux system, no need to check for their existance

General advice: First step is learning about definitions of the OS you’re working on. Your question re. 644 indicates you miss basic knowledge you need to write a proper script.

What other way to do it? Using grep is simplest method, the only one i’v found.

I know what ‘chmod 644’ means. I was trying to be clear as what the permissions are set to. user=rw group=r other=r. The folder above this file properly blocks access to these files.

Yes, I took that old code out. That code is likely from when the script was first created. There lots of code old code snips in there.

If anyone else sees a security issues, please point it out.

If I were writing that script, I would probably change those two lines to:


    ( umask 077 && mkdir /var/log/VirusVault )

I haven’t looked closely at the rest of the script.

man 1 stat

I was able to work with that and change the code to this format. Thanks. :slight_smile:

#create VirusVault folder if not present
if  ! -d "/var/log/VirusVault" ]]; then
     printf "creating VirusVault
"
     mkdir /var/log/VirusVault
     chmod u=rwx,g=,o= /var/log/VirusVault
fi

#check VirusVault folder permissions
if  "$(stat -c '%A' /var/log/VirusVault)" != 'drwx------' ]]; then
     printf "Setting VirusVault Permissions
"
     chmod u=rwx,g=,o= /var/log/VirusVault
fi

Should add checking to see if owner and group name is root? I think it’s a good idea.

I’m not sure how that works. I’ve used ‘&&’ in code frequently, never in that format. Can you show me what that is doing?

In a shell script:

command1  && command2

just runs “command1” and if that is successful, then it runs “command2”.

In this case, I use parentheses “(” and “)” so that the commands run is a subshell. That is so that the umask command only affects the subshell and does not affect the rest of your script after that line. However, affecting the rest of the script might be harmless or even good in this case. But that would be for you to decide.

The main point, though, is the use of “umask” to set permissions. The way that you were setting permissions, was to first create the file, and then change to restrictive permissions. That leaves a few milliseconds where the file or directory exists with weak permissions, and maybe a clever hacker could exploit that. Using “umask” makes sure that the file or directory is created with the restrictive permissions, which avoids those few milliseconds.

Just some additions:

  • instead of the long chmod command, you can use the numeric notation 700. This means that for the owner it’s rwx ( 2²+2¹+2⁰ = 7 ), and no permissions for group and world. So, owner - group - world needs three bytes. The often seen 644 ( rw-r–r-- ) can be calculated the same way ( 2²+2¹+0 = 6, 2²+0+0 = 4 etc ).
  • you already know that /var/log exists, but if you wouldn’t ‘mkdir -p /var/log/blah’ would not result in an error, but create the entire path ).

I see your point. I’ve adapted that into the code. Also, it creates text files.

#create VirusVault folder if not present
if  ! -d "/var/log/VirusVault" ]]; then
     printf "creating VirusVault
"
     #chmod u=rwx,g=,o= /var/log/VirusVault
     ( umask 077 && mkdir /var/log/VirusVault )
fi

So, this should be put in as well.

#create VirusScanLog file if not present
if  ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
     printf "creating VirusScanLog
"
     #chmod u=rw,g=,o= /var/log/VirusVault/VirusScanLog.txt
     ( umask 077 && touch /var/log/VirusVault/VirusScanLog.txt )

     printf "
..... Virus Scan Log .....
" >> "/var/log/VirusVault/VirusScanLog.txt"
     printf "_____________________________________________________________________

" >> "/var/log/VirusVault/VirusScanLog.txt"
fi

I’m very aware of this method to set permissions, but this is much more readable. :wink:

 chmod u=rwx,g=,o= /var/log/VirusVault/VirusFound

Thanks for the tip. I was able to clip out more code.

#create VirusVault and VirusFound folder if not present
if  ! -d "/var/log/VirusVault" ]] ||  ! -d "/var/log/VirusVault/VirusFound" ]]; then
     printf "Creating folders VirusVault and VirusFound
"
     #chmod u=rwx,g=,o= /var/log/VirusVault
     ( umask 077 && mkdir -p /var/log/VirusVault/VirusFound )
fi

That is a nice solution when you want this umask only for that command, without chaning the umask for the rest of your script.

When one has a rather large/complicated script
and
one wants to have tight permissions set on all the files created in that script

my advice would be to have

umask 077

as one of the first statements in the script.

It would then influence all the file creations in the script regardless if it is done directy or in child processes started from commands in the script. Specialy nice to have when making changes to the script, no need to bother to not forget about using that mkdir again and agin.

It would of course be complete independent and not alter the umask of the parent process of your executing script.

I fixed it, clipping more excess code. So, any umask set will be removed on exit from the script. Thanks for the tip.

That is either a very sloppy remark or you do not understand it.

Every process has a process environment and umask is part of it. There is always an umask in the environment it can not be “removed”.

  • The process environment and thus the umask, is inherited by a child process.
  • Items in the environment, including the umask, can be altered by a child process.
  • When the child process exits, the parent process runs on with it original environment, including the original umask, because nothing from a child process environment is going backwards/upwards to the environment of the parent process.

**you do not understand it.

**Yes, I’m still learning bash as I write code. It comes in handy to know 5+ computer languages and two operating systems. :wink:

If I close the terminal window, then start another it will use the default umask?

This has not much to do with learning bash. It is basic knowledge about how a Unix/Linux like operating system works. While I have published some basic knowledge here on the forums in the Dutch section with the goal to provide information to those native Dutch speakers who feel they have problems to understand computer technical English, I do not think it useful to translate this information back into English. I assume there is more then enough information available on the internet about Unix (and thus Linux) basic functionality. So search for yourself and try to get a thourough bottom layer of it upon which you can then build further, e.g. by using a programming language.

Following my own preferred sequence that I have in my Dutch articles, subjects are:

  • The Kernel
  • Processes
  • Process environment (like PATH, DISPLAY, LANG and it also includes umask)

Already now you should be able to understand what means “if I close the terminal window” with respect to processes involved and what you can expect from “start another”.

There is no clue to answer “yes” or “no” to your question when you do not understand why it is so.

Hi
@OP, if you need files and directories to be specific permissions/ownership don’t script it, create a permissions file down in /etc/permissions.d for your script and use chkstat…

Is chkstat a opensuse command? I’v made the script to be very general to any linux install.

Checking permissions and ownerships - using the permissions files
        /etc/permissions.d/scanvirus_permissions.cfg
setting /var/log/VirusVault/VirusScanLog.txt to root:root 0700. (wrong permissions 0600)
setting /var/log/VirusVault/scanvirus.cfg to root:root 0700. (wrong permissions 0600)

Somehow only the text files are being not set properly.

#chmod u=rwx,g=,o= [folder/file]
umask 077

#export TERM=vt100

#create VirusVault and VirusFound folder if not present
if  ! -d "/var/log/VirusVault" ]] ||  ! -d "/var/log/VirusVault/VirusFound" ]]; then
     printf "Creating folders VirusVault and VirusFound
"
     mkdir -p /var/log/VirusVault/VirusFound
fi

#create VirusScanLog file if not present
if  ! -f "/var/log/VirusVault/VirusScanLog.txt" ]]; then
     printf "creating VirusScanLog
"
     printf "..... Virus Scan Log .....
" > "/var/log/VirusVault/VirusScanLog.txt"
     printf "_____________________________________________________________________

" >> "/var/log/VirusVault/VirusScanLog.txt"
fi

#create configuration file if not present
if  ! -f "/var/log/VirusVault/scanvirus.cfg" ]]; then
     printf "creating scanvirus configuration
"
     cat > /var/log/VirusVault/scanvirus.cfg <<EOL
______________________________scanvirus configuration______________________________
Date[space]Time or Time[space]Date
date +'%Y-%m-%d %I:%M:%S%P'
DateTimeStamp= %Y-%m-%d %I:%M:%S%P
___________________________________________________________________________________
ExcludedScanFolders= dev etc kdeinit5__0 proc tmp srv sys var .snapshots
___________________________________________________________________________________
Bash Suspend Command
1= 'systemctl suspend' - openSUSE, Ubuntu, Fedora, Arch, Debian, etc
2= 'pm-suspend' - Void, Gentoo, Devuan etc - pm-utils power management suite
SuspendCommand= 1
___________________________________________________________________________________
EOL
fi

#create security permissions file if not present
if  ! -f "/etc/permissions.d/scanvirus_permissions.cfg" ]]; then
     printf "creating scanvirus security permissions
"
     cat > /etc/permissions.d/scanvirus_permissions.cfg <<EOL
     /var/log/VirusVault                root:root   0700
     /var/log/VirusVault/VirusFound     root:root   0700
     /var/log/VirusVault/VirusScanLog.txt     root:root   0700
     /var/log/VirusVault/scanvirus.cfg        root:root   0700
EOL
fi

#check configuration file permissions
     printf "checking file permissions
"
     chkstat --set /etc/permissions.d/scanvirus_permissions.cfg
     #exit