mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-07-13 09:19:32 +07:00
65 lines
1.8 KiB
Bash
Executable File
65 lines
1.8 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
config_file="/etc/permission-hardening.conf"
|
|
|
|
set_file_perms() {
|
|
while read -r line; do
|
|
[[ "$line" =~ ^#.*$ ]] && continue
|
|
|
|
if ! read -r file mode owner group capability <<< "${line}" ; then
|
|
echo "ERROR: cannot parse line: ${line}"
|
|
continue
|
|
fi
|
|
|
|
if ! [ -e "${file}" ]; then
|
|
echo "ERROR: File '${file}' does not exist!"
|
|
continue
|
|
fi
|
|
|
|
if ! seq -w 000 4777 | grep -qw "${mode}"; then
|
|
echo "ERROR: Mode '${mode}' is invalid!"
|
|
continue
|
|
fi
|
|
|
|
if ! getent passwd | grep -q "^${owner}:"; then
|
|
echo "ERROR: User '${owner}' does not exist!"
|
|
continue
|
|
fi
|
|
|
|
if ! getent group | grep -q "^${group}:"; then
|
|
echo "ERROR: Group '${group}' does not exist!"
|
|
continue
|
|
fi
|
|
|
|
chmod "${mode}" "${file}"
|
|
chown "${owner}:${group}" "${file}"
|
|
|
|
## The permissions should not be reset during upgrades.
|
|
if dpkg-statoverride --list | grep -q "${file%/}"; then
|
|
## If there is an entry for the file, but the owner/group/mode do not
|
|
## match, we remove and re-add the entry to update it.
|
|
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${file%/}"; then
|
|
dpkg-statoverride --remove "${file}"
|
|
dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}"
|
|
fi
|
|
else
|
|
dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}"
|
|
fi
|
|
|
|
if ! [ "${capability}" = "" ]; then
|
|
if [ "${capability}" = "none" ]; then
|
|
setcap -r "${file}"
|
|
else
|
|
if ! capsh --print | grep "Bounding set" | grep -q ${capability}; then
|
|
echo "ERROR: Capability '${capability}' does not exist!"
|
|
continue
|
|
fi
|
|
|
|
setcap "${capability}+ep" "${file}"
|
|
fi
|
|
fi
|
|
done < "${config_file}"
|
|
}
|
|
|
|
set_file_perms
|