add security check on configs

This commit is contained in:
troyengel 2014-11-22 10:07:33 -06:00
parent 3e795e0556
commit f66a600dfc
2 changed files with 23 additions and 9 deletions


@ -27,17 +27,17 @@ High level items of interest:
* Logging via journald, syslog, stdout and a logfile simultaneously * Logging via journald, syslog, stdout and a logfile simultaneously
* Local IP reporting for use with internal DNS entries * Local IP reporting for use with internal DNS entries
* Caching of the last IP to reduce upstream impact * Caching of the last IP to reduce upstream impact
* Usable via cron, NetworkManager dispatcher, commandline, etc. * Usable via cron, NetworkManager dispatcher, commandline, systemd, etc.
## Dependencies ## Dependencies
| Utilities | Package | | Utilities | Package |
| -----------------------------|------------| | -----------------------------------|------------|
| logger, kill | util-linux | | logger, kill | util-linux |
| printf, touch, date, cat, rm | coreutils | | printf, touch, date, stat, cat, rm | coreutils |
| bash | bash | | bash | bash |
| ip | iproute2 | | ip | iproute2 |
| curl | curl | | curl | curl |
## Configuration ## Configuration


@ -17,7 +17,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# #
## Version: 1.0.1 ## Version: 1.0.2
## One of these must exist - '-c <config>' ignores global/local entirely ## One of these must exist - '-c <config>' ignores global/local entirely
CONF_GLOBAL=/etc/petrified.conf CONF_GLOBAL=/etc/petrified.conf
@ -82,6 +82,7 @@ PET_LIP=/var/cache/petrified/lastip.dat
# printf (coreutils) # printf (coreutils)
# touch (coreutils) # touch (coreutils)
# date (coreutils) # date (coreutils)
# stat (coreutils)
# cat (coreutils) # cat (coreutils)
# rm (coreutils) # rm (coreutils)
# bash (bash) # bash (bash)
@ -136,6 +137,19 @@ logmsg () {
return return
} }
# Security warning
statchk () {
_CFILE=$1
if [[ -f "${_CFILE}" ]] && [[ -r "${_CFILE}" ]]; then
if [[ $(stat -c "%a" "${_CFILE}") != 600 ]]; then
logmsg "Security warning: ${_CFILE} is readable but not mode 0600"
fi
fi
}
[[ -n "${CONF_GLOBAL}" ]] && statchk "${CONF_GLOBAL}"
[[ -n "${CONF_LOCAL}" ]] && statchk "${CONF_LOCAL}"
[[ -n "${CONF_NAMED}" ]] && statchk "${CONF_NAMED}"
# Make sure that PET_PID will work if required # Make sure that PET_PID will work if required
if (( ${USE_PID} == 1 )); then if (( ${USE_PID} == 1 )); then
if [[ -z "${PET_PID}" ]]; then if [[ -z "${PET_PID}" ]]; then
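Review bot: statchk's mode test inspects the wrong object when a config path is a symlink: `[[ -f ]]` follows symlinks, but GNU `stat -c %a` without `-L` reports the link's own mode (typically 777), so a symlinked config always trips the warning, and a genuinely tighter mode such as 0400 also trips it because the comparison is `!= 600`. Testing the group/other bits of the target instead handles both: `if (( 8#$(stat -L -c '%a' -- "${_CFILE}") & 8#077 )); then`, with the message reworded to say the file has group/other permission bits set rather than "not mode 0600". `_CFILE` is assigned without `local` and so leaks into the script's global scope; `local _CFILE=$1` would fix that, assuming the script's other functions follow the same convention (logmsg's body lies outside the hunk). The check only warns and never returns non-zero, so if a world-readable config is meant to be refused, the three call sites after the function would need to act on its status; whether CONF_NAMED has already been populated from `-c` by that point is not visible in this hunk, which may also continue past the last line shown.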