add security check on configs

2014-11-22 10:07:33 -06:00 · 2014-11-22 10:07:33 -06:00 · 831da7df6c
commit 831da7df6c
parent 1993b7aca5
2 changed files with 23 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -27,17 +27,17 @@ High level items of interest:
 * Logging via journald, syslog, stdout and a logfile simultaneously
 * Local IP reporting for use with internal DNS entries
 * Caching of the last IP to reduce upstream impact
-* Usable via cron, NetworkManager dispatcher, commandline, etc.
+* Usable via cron, NetworkManager dispatcher, commandline, systemd, etc.

 ## Dependencies

-| Utilities                    | Package    |
-| -----------------------------|------------|
-| logger, kill                 | util-linux |
-| printf, touch, date, cat, rm | coreutils  |
-| bash                         | bash       |
-| ip                           | iproute2   |
-| curl                         | curl       |
+| Utilities                          | Package    |
+| -----------------------------------|------------|
+| logger, kill                       | util-linux |
+| printf, touch, date, stat, cat, rm | coreutils  |
+| bash                               | bash       |
+| ip                                 | iproute2   |
+| curl                               | curl       |


 ## Configuration
--- a/16
+++ b/16
@ -17,7 +17,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
-## Version: 1.0.1
+## Version: 1.0.2

 ## One of these must exist - '-c <config>' ignores global/local entirely
 CONF_GLOBAL=/etc/petrified.conf
@ -82,6 +82,7 @@ PET_LIP=/var/cache/petrified/lastip.dat
 # printf (coreutils)
 # touch  (coreutils)
 # date   (coreutils)
+# stat   (coreutils)
 # cat    (coreutils)
 # rm     (coreutils)
 # bash   (bash)
@ -136,6 +137,19 @@ logmsg () {
  return
 }

+# Security warning
+statchk () {
+  _CFILE=$1
+  if [[ -f "${_CFILE}" ]] && [[ -r "${_CFILE}" ]]; then
+    if [[ $(stat -c "%a" "${_CFILE}") != 600 ]]; then
+      logmsg "Security warning: ${_CFILE} is readable but not mode 0600"
+    fi
+  fi
+}
+[[ -n "${CONF_GLOBAL}" ]] && statchk "${CONF_GLOBAL}"
+[[ -n "${CONF_LOCAL}" ]] && statchk "${CONF_LOCAL}"
+[[ -n "${CONF_NAMED}" ]] && statchk "${CONF_NAMED}"
+
 # Make sure that PET_PID will work if required
 if (( ${USE_PID} == 1 )); then
  if [[ -z "${PET_PID}" ]]; then