add security check on configs

README.md

@@ -27,14 +27,14 @@ High level items of interest:
 * Logging via journald, syslog, stdout and a logfile simultaneously
 * Local IP reporting for use with internal DNS entries
 * Caching of the last IP to reduce upstream impact
-* Usable via cron, NetworkManager dispatcher, commandline, etc.
+* Usable via cron, NetworkManager dispatcher, commandline, systemd, etc.
 
 ## Dependencies
 
 | Utilities                          | Package    |
-| -----------------------------|------------|
+| -----------------------------------|------------|
 | logger, kill                       | util-linux |
-| printf, touch, date, cat, rm | coreutils  |
+| printf, touch, date, stat, cat, rm | coreutils  |
 | bash                               | bash       |
 | ip                                 | iproute2   |
 | curl                               | curl       |

petrified

@@ -17,7 +17,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
-## Version: 1.0.1
+## Version: 1.0.2
 
 ## One of these must exist - '-c <config>' ignores global/local entirely
 CONF_GLOBAL=/etc/petrified.conf
@@ -82,6 +82,7 @@ PET_LIP=/var/cache/petrified/lastip.dat
 # printf (coreutils)
 # touch  (coreutils)
 # date   (coreutils)
+# stat   (coreutils)
 # cat    (coreutils)
 # rm     (coreutils)
 # bash   (bash)
@@ -136,6 +137,19 @@ logmsg () {
   return
 }
 
+# Security warning
+statchk () {
+  _CFILE=$1
+  if [[ -f "${_CFILE}" ]] && [[ -r "${_CFILE}" ]]; then
+    if [[ $(stat -c "%a" "${_CFILE}") != 600 ]]; then
+      logmsg "Security warning: ${_CFILE} is readable but not mode 0600"
+    fi
+  fi
+}
+[[ -n "${CONF_GLOBAL}" ]] && statchk "${CONF_GLOBAL}"
+[[ -n "${CONF_LOCAL}" ]] && statchk "${CONF_LOCAL}"
+[[ -n "${CONF_NAMED}" ]] && statchk "${CONF_NAMED}"
+
 # Make sure that PET_PID will work if required
 if (( ${USE_PID} == 1 )); then
   if [[ -z "${PET_PID}" ]]; then