#!/bin/sh
#
# find-nodrop-groups utility
# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for apps that use setgid(2) (or a relative such as
# setegid/setresgid) together with setuid(2) without also using initgroups(3)
# or setgroups(2).  Changing the group id does not touch the supplementary
# group list, so such a program keeps whatever extra groups it was started
# with and its privilege drop is incomplete.  Only binaries whose GLIBC
# imports are visible to readelf(1) can be inspected, and files carrying the
# setuid or setgid bit are not reported (see the scan function).
#
# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]//g" | tee findings.txt

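# Default search scope used when no directory is given on the command line.
# libdirs is scanned for shared objects and progdirs for every regular file
# (see the scan function).  Both lists are word-split on whitespace, so no
# entry may itself contain a space.
readonly libdirs="/lib /lib64 /usr/lib /usr/lib64"
readonly progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
# Set to 1 by scan once at least one finding has been printed; it drives the
# one-time column header and the script's exit status.
FOUND=0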
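# scan LIST PATTERN [DIR]
#
# Walk a set of directories and report programs/libraries that change their
# uid and gid without also resetting the supplementary group list.
#
# Arguments:
#   $1 - which directories to walk: 1 = $libdirs, 2 = $progdirs,
#        3 = the single directory passed as $3
#   $2 - find(1) -name pattern selecting the files to inspect
#   $3 - directory to walk when $1 is 3
# Globals:
#   libdirs, progdirs (read); FOUND (set to 1 once a finding is printed)
# Outputs:
#   A "FILE  PACKAGE" header the first time something is found, then one
#   line per finding: the path (in red) and the source RPM owning it as
#   printed by rpm -qf.
# Returns:
#   0 normally; 1 when $1 is not 1, 2 or 3.
#
# A file is reported when its ELF symbol table imports a setgid-family call
# (setgid/setegid/setregid/setresgid) AND a setuid-family call
# (setuid/seteuid/setreuid/setresuid) from GLIBC but neither setgroups nor
# initgroups, and the file has neither the setuid nor the setgid bit set.
# Files that carry those bits are deliberately left out (an earlier version
# had a disabled "print in yellow" branch for them); the reason is not
# recorded, so treat that exclusion as a policy to confirm, not a rule.
#
# Limitations: only versioned GLIBC imports are recognised, so statically
# linked binaries, programs that issue the syscalls directly, and binaries
# with stripped or unversioned dynamic symbols are not caught.
scan () {
	pattern=$2
	# Intentionally unquoted: the two lists are whitespace-separated.
	case "$1" in
		1) set -- $libdirs ;;
		2) set -- $progdirs ;;
		3) set -- "$3" ;;
		*)
			printf 'scan: unknown directory list "%s"\n' "$1" >&2
			return 1
			;;
	esac

	# readelf -s prints versioned imports as e.g.
	# "... UND setgid@GLIBC_2.2.5 (2)"; the leading space anchors the name.
	gid_re=' (setgid|setegid|setregid|setresgid)@.*GLIBC'
	uid_re=' (setuid|seteuid|setreuid|setresuid)@.*GLIBC'
	groups_re=' (setgroups|initgroups)@.*GLIBC'

	for d in "$@" ; do
		[ -d "$d" ] || continue
		# Unreadable subtrees are ignored on purpose.
		files=$(/usr/bin/find "$d" -name "$pattern" -type f 2>/dev/null)
		# Read the list line by line so paths containing spaces survive.
		# The here-document (rather than a pipe) keeps the loop in this
		# shell, so the FOUND update is visible to the caller.
		while IFS= read -r f ; do
			[ -n "$f" ] || continue
			# Read the symbol table once.  readelf fails quietly on
			# non-ELF files, leaving symtab empty so the file is skipped.
			symtab=$(/usr/bin/readelf -s "$f" 2>/dev/null)
			printf '%s\n' "$symtab" | grep -Eq "$gid_re" || continue
			printf '%s\n' "$symtab" | grep -Eq "$uid_re" || continue
			printf '%s\n' "$symtab" | grep -Eq "$groups_re" && continue
			# setuid/setgid-bit files are excluded from the report.
			if [ -u "$f" ] || [ -g "$f" ] ; then
				continue
			fi
			# Print the column header once, and only when a finding
			# actually follows it.
			if [ "$FOUND" = 0 ] ; then
				printf "%-44s%s\n" "FILE" "PACKAGE"
			fi
			printf "\033[31m%-44s\033[m" "$f"
			rpm -qf --queryformat "%{SOURCERPM}" "$f"
			echo
			FOUND=1
		done <<EOF
$files
EOF
	done
	return 0
}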
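# Command line: with exactly one argument, scan only that directory (any
# file name); otherwise scan the library directories for shared objects and
# the program directories for every regular file.
if [ $# -eq 1 ] ; then
	if [ -d "$1" ] ; then
		scan 3 '*' "$1"
	else
		echo "Input is not a directory" 1>&2
		echo "Usage: $0 [directory]" 1>&2
		exit 1
	fi
else
	# '*.so*' rather than '*.so': with -type f the unversioned libfoo.so
	# is usually only a symlink, so the real, versioned libfoo.so.N.M
	# objects would otherwise never be inspected.
	scan 1 '*.so*'
	scan 2 '*'
fi

# The exit status mirrors the findings so the script can gate an audit job:
# 0 when nothing was reported, 1 when at least one program was listed.
if [ "$FOUND" -eq 0 ] ; then
	# Nothing to report, just exit
	echo "No problems found" 1>&2
	exit 0
fi
exit 1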