fix permission-hardener config parsing issue
This commit is contained in:
parent
40e536a9be
commit
65e3c14643
@ -160,7 +160,7 @@ add_nosuid_statoverride_entry() {
|
||||
local is_match_whitelisted
|
||||
is_match_whitelisted=""
|
||||
for matchwhite_list_entry in $match_white_list ; do
|
||||
if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
|
||||
if echo "$file_name" | grep -q --fixed-strings "$matchwhite_list_entry" ; then
|
||||
is_match_whitelisted="true"
|
||||
## Stop looping through the match_white_list.
|
||||
break
|
||||
@ -170,7 +170,7 @@ add_nosuid_statoverride_entry() {
|
||||
local is_disable_whitelisted
|
||||
is_disable_whitelisted=""
|
||||
for disablematch_list_entry in $disable_white_list ; do
|
||||
if echo "$file_name" | grep -q "$disablematch_list_entry" ; then
|
||||
if echo "$file_name" | grep -q --fixed-strings "$disablematch_list_entry" ; then
|
||||
is_disable_whitelisted="true"
|
||||
## Stop looping through the disablewhitelist.
|
||||
break
|
||||
@ -273,6 +273,13 @@ set_file_perms() {
|
||||
exit "$exit_code"
|
||||
fi
|
||||
|
||||
echo "line: '$line'"
|
||||
echo "fso: '$fso'"
|
||||
echo "mode_from_config: '$mode_from_config'"
|
||||
echo "owner_from_config: '$owner_from_config'"
|
||||
|
||||
|
||||
|
||||
local fso_without_trailing_slash
|
||||
fso_without_trailing_slash="${fso%/}"
|
||||
|
||||
@ -318,12 +325,12 @@ set_file_perms() {
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
|
||||
if ! echo "${passwd_file_contents}" | grep -q --fixed-strings "${owner_from_config}:" ; then
|
||||
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
|
||||
if ! echo "${group_file_contents}" | grep -q --fixed-strings "${group_from_config}:" ; then
|
||||
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
@ -386,7 +393,7 @@ set_file_perms() {
|
||||
true "There is an fso entry. Check if owner/group/mode match."
|
||||
local grep_line
|
||||
grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"
|
||||
if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then
|
||||
if echo "$dpkg_statoverride_list_output" | grep -q --fixed-strings "$grep_line" ; then
|
||||
true "OK The owner/group/mode matches. No further action required."
|
||||
else
|
||||
true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
|
||||
@ -448,7 +455,7 @@ set_file_perms() {
|
||||
continue
|
||||
fi
|
||||
else
|
||||
if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
|
||||
if ! capsh --print | grep --fixed-strings "Bounding set" | grep -q "$capability_from_config" ; then
|
||||
echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
@ -468,8 +475,10 @@ parse_config_folder() {
|
||||
# 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in
|
||||
# this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since
|
||||
# 'set -o pipefail' is set for this script.
|
||||
passwd_file_contents="$(getent passwd)"
|
||||
group_file_contents="$(getent group)"
|
||||
passwd_file_contents=$(getent passwd)
|
||||
passwd_file_contents=$(echo "$passwd_file_contents")
|
||||
group_file_contents=$(getent group)
|
||||
group_file_contents=$(echo "$group_file_contents")
|
||||
|
||||
shopt -s nullglob
|
||||
for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
|
||||
|
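Review bot: Dropping the `^` anchor in the owner and group existence checks (the new `grep -q --fixed-strings "${owner_from_config}:"` and `"${group_from_config}:"` lines in the `@ -318,12 +325,12 @@` hunk) turns a first-field match into a substring match over the whole passwd/group line, so a configured owner such as `0` or `oot` now passes the check because `0:` and `oot:` occur inside `root:x:0:0:...`, and whatever follows the check runs with a name that does not exist. A whole-field comparison keeps the fixed-string semantics without the anchor: `if ! printf '%s\n' "${passwd_file_contents}" | cut -d: -f1 | grep -qxF -- "${owner_from_config}" ; then`, and the same shape with `${group_file_contents}` / `${group_from_config}`; the `--` also stops an owner beginning with `-` from being parsed as a grep option. The same unanchored substring matching remains in the `grep_line` lookup of the `@ -386,7 +393,7 @@` hunk, where `grep -qxF -- "$grep_line"` would stop `/usr/bin/foo` matching a `/usr/bin/foobar` record, assuming dpkg-statoverride prints exactly one `owner group mode path` record per line. set_file_perms begins and ends outside these hunks.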