From f66a600dfc78b77d88edf3f780814a6635fa92f4 Mon Sep 17 00:00:00 2001 From: troyengel Date: Sat, 22 Nov 2014 10:07:33 -0600 Subject: [PATCH] add security check on configs --- README.md | 16 ++++++++-------- petrified | 16 +++++++++++++++- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b1aec9b..de97173 100644 --- a/README.md +++ b/README.md @@ -27,17 +27,17 @@ High level items of interest: * Logging via journald, syslog, stdout and a logfile simultaneously * Local IP reporting for use with internal DNS entries * Caching of the last IP to reduce upstream impact -* Usable via cron, NetworkManager dispatcher, commandline, etc. +* Usable via cron, NetworkManager dispatcher, commandline, systemd, etc. ## Dependencies -| Utilities | Package | -| -----------------------------|------------| -| logger, kill | util-linux | -| printf, touch, date, cat, rm | coreutils | -| bash | bash | -| ip | iproute2 | -| curl | curl | +| Utilities | Package | +| -----------------------------------|------------| +| logger, kill | util-linux | +| printf, touch, date, stat, cat, rm | coreutils | +| bash | bash | +| ip | iproute2 | +| curl | curl | ## Configuration diff --git a/petrified b/petrified index 34f7c9f..f83efc9 100755 --- a/petrified +++ b/petrified @@ -17,7 +17,7 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -## Version: 1.0.1 +## Version: 1.0.2 ## One of these must exist - '-c ' ignores global/local entirely CONF_GLOBAL=/etc/petrified.conf @@ -82,6 +82,7 @@ PET_LIP=/var/cache/petrified/lastip.dat # printf (coreutils) # touch (coreutils) # date (coreutils) +# stat (coreutils) # cat (coreutils) # rm (coreutils) # bash (bash) 
@@ -136,6 +137,19 @@ logmsg () {
   return
 }
 
+# Security warning
+statchk () {
+  _CFILE=$1
+  if [[ -f "${_CFILE}" ]] && [[ -r "${_CFILE}" ]]; then
+    if [[ $(stat -c "%a" "${_CFILE}") != 600 ]]; then
+      logmsg "Security warning: ${_CFILE} is readable but not mode 0600"
+    fi
+  fi
+}
+[[ -n "${CONF_GLOBAL}" ]] && statchk "${CONF_GLOBAL}"
+[[ -n "${CONF_LOCAL}" ]] && statchk "${CONF_LOCAL}"
+[[ -n "${CONF_NAMED}" ]] && statchk "${CONF_NAMED}"
+
 # Make sure that PET_PID will work if required
 if (( ${USE_PID} == 1 )); then
   if [[ -z "${PET_PID}" ]]; then
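Review bot: The exact-match test `!= 600` in `statchk` warns on modes that are at least as restrictive (0400, 0200) and, because GNU `stat` reports the link itself unless `-L` is given, it will also warn on a symlinked config, which shows up as 777; meanwhile it only warns, so a world-readable config is still used. A bit test accepts every owner-only mode and follows symlinks: `if (( 8#$(stat -L -c "%a" "${_CFILE}") & 8#077 )); then`. `_CFILE` is assigned without `local`, so it leaks into the script's global scope; `local _CFILE=$1` keeps it function-scoped. If the config contents are sensitive (presumably credentials for the DNS update, though that is not visible in this hunk), consider making a loose mode fatal rather than a warning, or at least stating in the log message that the file is still being used.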