/usr/lib/tiger/systems/Linux/2/check_umask is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 2003, 2009 Javier Fernandez-Sanguino Pen~a
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_umask - 04/15/2003
#
# Checks if there is a umask setting for login shells so that users
# are not (by default) creating files witn insecure permissions.
#
# This check has been separated from check_logfiles since it's a broader check.
# The command requirements have been modified to adjust to what it's really
# needed.
#
# 12/08/2011 - jfs - Fix how UMASK is obtained for login.defs
# (Debian bug 603320)
# 05/21/2009 - jfs - Enhance checks so that different messages are provided
# based on installed shells
# 01/13/2004 - jfs - Fixed syntax error in the previous patch
# 10/19/2003 - jfs - Applied patch from Ryan Bradetich adding 077 umask
# to the valid list.
# 08/09/2003 - jfs - Fixed the script so it does not grok if no valid
# umask entries are available
# 05/01/2003 - jfs - Fixed dependancies
#
#-----------------------------------------------------------------------------
# TODO
# - The script will not work properly if the 'umask' string is present
# in the script but it's not a valid call to the umask setting.
# It will not work properly either if more than 1 occurances of umask are
# present.
# - The script does not handle UMASK definition in /etc/login.defs if defined in
# octal mode
# - The script does not handle umask when it is defined through the pam_umask
# service for all shells
#
#-----------------------------------------------------------------------------
#
TigerInstallDir='.'
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds CUT EXPAND GREP HEAD SED TAIL WC || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
haveallvars TESTLINK HOSTNAME
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Checking for correct umask settings for user login shells..."
haveallcmds CUT EXPAND GREP HEAD SED TAIL WC || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
#####
# Check to ensure that the umask is set correctly
#####
Foundumask=0
# Files to look for include:
# - /etc/login.defs : used by login (PAM) to set common values across any login shell
# - /etc/profile: used by Bash
# - /etc/bash.bashrc: used by Bash
# - /etc/bashrc: used by Bash
# - /etc/csh.login: used by csh and tcsh
# - /etc/csh.cshrc: used by csh and tcsh
# - /etc/csh/login.d/*: used by csh and tcsh
# First check PAM's default since it applies to all shells
GLOBALFILE="/etc/login.defs"
if [ -r $GLOBALFILE ] ; then
GLOBALUMASK=`$GREP ^UMASK $GLOBALFILE \
| $EXPAND \
| $SED -e"s/\s\+/ /g" \
| $CUT -d" " -f2`
fi
if [ -z "$GLOBALUMASK" ]; then
message WARN misc026w "" "There is no default umask settings for user login shells in $GLOBALFILE"
else
[ "$GLOBALUMASK" != "002" -a "$GLOBALUMASK" != "022" -a "$GLOBALUMASK" != "027" -a "$GLOBALUMASK" != "077" ] &&
message FAIL misc022f '' "The default umask setting in $GLOBALFILE for users is insecure ($GLOBALUMASK)"
fi
check_umask()
{
file=$1
[ ! -r "$file" ] && return 0
Occurance=`$GREP umask $file |$GREP -v ^# | $WC -l`
if [ $Occurance -gt 0 ]; then
Foundumask=1
UMASK=`$GREP umask $file \
| $GREP -v ^\# \
| $EXPAND \
| $HEAD -n 1 \
| $SED -e "s/^.*umask//"\
| $CUT -d" " -f2`
if [ -n "$UMASK" ] ; then
[ "$UMASK" != "002" -a "$UMASK" != "022" -a "$UMASK" != "027" -a "$UMASK" != "077" ] &&
message FAIL misc022f '' "The umask setting in $file for users is insecure ($UMASK)"
else
message WARN misc021w "" "There are no valid umask definitions in $file"
fi
fi
if [ $Occurance -gt 1 ]; then
message WARN misc023w '' "There are more than one umask entry in $file (total of $Occurance umask definitions)"
fi
return $Occurance
}
# Dash
# Note: Dash only reads /etc/profile so analyse this one first
shellname="dash"
Findumask=0
check_umask /etc/profile || Findumask=1
# Warn if dash is installed and no definitions have been found
if [ $Findumask -eq 0 ] && [ -x /bin/dash ] ; then
message WARN misc021w "" "There is no umask definition for the $shellname shell"
fi
# Same with ksh
shellname="ksh"
if [ $Findumask -eq 0 ] && [ -x /bin/ksh ] ; then
message WARN misc021w "" "There is no umask definition for the $shellname shell"
fi
# Bash
shellname="bash"
# Do not reset Findumask here:
# In addition to /etc/profile (tested previously) bash manages other
# configuration files for login shells:
for file in /etc/bash.bashrc /etc/bashrc
do
check_umask $file || Findumask=1
done
# Warn if bash is installed and no definitions have been found
if [ $Findumask -eq 0 ] && [ -x /bin/bash ] ; then
message WARN misc021w "" "There is no umask definition for the $shellname shell"
fi
# Csh/Tcsh
shellname="csh/tcsh"
Findumask=0
for file in /etc/csh.login /etc/csh.cshrc /etc/csh/login.d/*
do
check_umask $file || Findumask=1
done
# Warn if csh/tcsh are installed and no definitions have been found
if [ $Findumask -eq 0 ] && [ -x /bin/csh -o -x /usr/bin/tcsh ] ; then
message WARN misc021w "" "There is no umask definition for the $shellname shell"
fi
|