1#!/bin/sh 2# rpm-drop-groups 3# 4# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. 5# sgrubb@redhat.com 6# 7# This software may be freely redistributed under the terms of the GNU 8# public license. 9# 10# You should have received a copy of the GNU General Public License 11# along with this program; if not, write to the Free Software 12# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 13# 14# Given an rpm, it will look at each file to check if it tries to change 15# group and user credentials. If so, it further tries to determine if 16# it also calls setgroups or initgroups. To correctly change groups, the 17# program must drop supplemntal groups. Programs are classified into: n/a 18# meaning no group dropping occurs, yes its done correctly, and no meaning 19# there seems to be a problem. 20# 21# If the --all option is given, it will generate a list of rpms and then 22# summarize the rpm's state. For yes, then all files are in the expected 23# state. Just one program failing can turn the package's summary to no. 24# Re-run passing that package (instead of --all) for the details. 25# 26# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt 27 28VERSION="0.1" 29 30usage () { 31 echo "rpm-drop-groups [--all|<rpmname>|--version]" 32 exit 0 33} 34 35if [ "$1" = "--help" -o $# -eq 0 ] ; then 36 usage 37fi 38if [ "$1" = "--version" ] ; then 39 echo "rpm-drop-groups $VERSION" 40 exit 0 41fi 42if [ "$1" = "--all" ] ; then 43 MODE="all" 44else 45 MODE="single" 46fi 47 48do_one () { 49if ! rpm -q $1 >/dev/null 2>&1 ; then 50 if [ "$MODE" = "single" ] ; then 51 echo "$1 is not installed" 52 exit 1 53 else 54 echo "not installed" 55 return 56 fi 57fi 58files=`rpm -ql $1` 59 60for f in $files 61do 62 if [ ! -f $f ] ; then 63 continue 64 fi 65 if ! file $f | grep -q 'ELF'; then 66 continue 67 fi 68 69 CORRECT="n/a" 70 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` 71 if [ x"$syms" != "x" ] ; then 72 CORRECT="yes" 73 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` 74 if [ x"$syms" != "x" ] ; then 75 syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` 76 if [ x"$syms" = "x" ] ; then 77 syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` 78 if [ x"$syms" = "x" ] ; then 79 CORRECT="no" 80 fi 81 fi 82 fi 83 fi 84 85 # OK, ready for the output 86 if [ "$MODE" = "single" ] ; then 87 printf "%-60s " $f 88 if [ "$CORRECT" = "yes" ] ; then 89 printf "\033[32m%-7s\033[m " $CORRECT 90 elif [ "$CORRECT" = "no" ] ; then 91 printf "\033[31m%-7s\033[m " $CORRECT 92 else 93 printf "\033[33m%-7s\033[m " $CORRECT 94 fi 95 echo 96 else 97 if [ "$CORRECT" = "no" ] ; then 98 CORRECT_SUM="no" 99 fi 100 fi 101done 102} 103 104if [ "$MODE" = "single" ] ; then 105 printf "%-60s%-7s" "FILE" "CORRECT" 106 echo 107 for i; do 108 do_one $1 109 shift 110 done 111 exit 0 112fi 113 114packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort` 115printf "%-50s %-7s" "PACKAGE" "CORRECT" 116echo 117for p in $packages 118do 119 CORRECT_SUM="yes" 120 printf "%-50s " $p 121 do_one $p 122 if [ "$CORRECT_SUM" = "yes" ] ; then 123 printf "\033[32m%-7s\033[m " $CORRECT_SUM 124 else 125 printf "\033[31m%-7s\033[m " $CORRECT_SUM 126 fi 127 echo 128done 129exit 0 130 131 132