-
Notifications
You must be signed in to change notification settings - Fork 159
/
Copy pathsetgid
executable file
·40 lines (35 loc) · 1.16 KB
/
setgid
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/bin/bash
## kola:
## exclusive: false
## description: Verify that there are no file/directory with
## SetGID bit set, except the known files and directories.
set -xeuo pipefail
# shellcheck disable=SC1091
. "$KOLA_EXT_DATA/commonlib.sh"
# List of known files and directories with SetGID bit set
# Drop '/usr/libexec/openssh/ssh-keysign' after
# https://src.fedoraproject.org/rpms/openssh/c/b615362fd0b4da657d624571441cb74983de6e3f?branch=rawhide
# is in all OS.
list_setgid_files=(
'/usr/bin/write'
'/usr/libexec/openssh/ssh-keysign'
'/usr/libexec/utempter/utempter'
)
unknown_setgid_files=""
while IFS= read -r -d '' e; do
found="false"
for k in "${list_setgid_files[@]}"; do
if [[ "${k}" == "${e}" ]]; then
found="true"
break
fi
done
if [[ "${found}" == "false" ]]; then
unknown_setgid_files+=" ${e}"
fi
done< <(find /usr /etc -type f -perm /2000 -print0 -o -type d -perm /2000 -print0)
if [[ -n "${unknown_setgid_files}" ]]; then
echo "SetGID:${unknown_setgid_files}"
fatal "found files/directories with SetUID/GID bit set"
fi
ok "no unknown file/directory with SetUID/GID bit set"