tags 370396 patch thanks See attached patch. New config option: admingroup. It also adds one additional check, which is the containing directory of configuration files; if that has +w, there's also a security problem, no?
-- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' : proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system
--- /usr/sbin/backupninja.orig 2006-04-08 23:03:53.000000000 +0200
+++ /usr/sbin/backupninja 2006-06-05 02:36:29.827183100 +0200
@@ -130,17 +130,38 @@
#
function check_perms() {
+ set -x
local file=$1
- local perms=`ls -ld $file`
- perms=${perms:4:6}
- if [ "$perms" != "------" ]; then
- echo "Configuration files must not be group or world
writable/readable! Dying on file $file"
- fatal "Configuration files must not be group or world
writable/readable! Dying on file $file"
- fi
- if [ `ls -ld $file | awk '{print $3}'` != "root" ]; then
+ local stat
+ stat=($(stat -L --printf='%a %g %G %u %U' $file))
+ local gperm=${stat[0]:1:1}
+ local wperm=${stat[0]:2:1}
+ local gid=${stat[1]}
+ local group=${stat[2]}
+ local owner=${stat[3]}
+
+ if [ "$owner" != 0 ]; then
echo "Configuration files must be owned by root! Dying on file
$file"
fatal "Configuration files must be owned by root! Dying on file
$file"
fi
+
+ if [ $wperm -gt 0 ]; then
+ echo "Configuration files must not be world writable/readable!
Dying on file $file"
+ fatal "Configuration files must not be world writable/readable!
Dying on file $file"
+ fi
+
+ if [ $gperm -gt 0 ]; then
+ case "$admingroup" in
+ $gid|$group) :;;
+ *)
+ if [ "$gid" != 0 ]; then
+ echo "Configuration files must
writable/readable by group ${stat[2]}! Dying on file $file"
+ fatal "Configuration files must
writable/readable by group ${stat[2]}! Dying on file $file"
+ fi
+ ;;
+ esac
+ fi
+ set +x
}
# simple lowercase function
@@ -403,6 +424,7 @@
setfile $conffile
# get global config options (second param is the default)
+getconf admingroup root
getconf configdirectory /etc/backup.d
getconf scriptdirectory /usr/share/backupninja
getconf reportemail
@@ -461,6 +483,7 @@
for file in $files; do
[ -f "$file" ] || continue
+ check_perms ${file%/*} # check containing dir
check_perms $file
suffix="${file##*.}"
base=`basename $file`
signature.asc
Description: Digital signature (GPG/PGP)
