Re: Insecure world writable files from XFS 1.0.1 ISO installer
Dean Brissinger wrote:
> At 4:17 PM +0200 8/2/01, Simon Matter wrote:
> >Eric Sandeen wrote:
> >>
> >> Simon Matter wrote:
> >> >
> >> > When installing from the ISO RH7.1-SGI-XFS-1.0.1, all system config
> >> > files and directories which are not part of an RPM are installed world
> >> > writeable (mode 666/777).
> >>
> >> Which files, for example? So this does NOT happen with either stock Red
> >> Hat or XFS 1.0? Not sure what might be causing this...
> >
> >Sorry for not providing more information.
> >
> >It does NOT happen with XFS 1.0 release. I guess it also does not occur
> >with stock RH installer.
> >My dirty find script looks like that:
> >
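> >#!/bin/sh
> ># List paths that no RPM owns and that are writable by group and other.
> >find . -type f -o -type d | while IFS= read -r xxx; do
> >    # rpm -qf exits non-zero when no package owns the path
> >    rpm -qf "$xxx" > /dev/null
> >    RETVAL=$?
> >    if [ $RETVAL -gt 0 ]; then
> >        find "$xxx" -perm -022 -exec ls -lad {} \;
> >    fi
> >done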
>
> I haven't looked to see if this applies to directories other than
> /etc yet. But here's a brute force way of patching the problem on
Unfortunately the problem applies to all directories, but for example in /usr
there are just a few files with wrong permissions because usually the problem
applies to config files created at boot time. I tried to figure out which
device files do not belong to an RPM and could also have wrong permissions. I
guess this could be a difficult task because mode 644 is not always the
solution there.
>
> 1.0.1 systems based on an expanded version of the above script.
> Uncomment the chmod commands if you want to actually change the modes
> otherwise it just tells you what it would be doing to your system.
> Use at your own risk and I suggest testing it w/ the comments in
> there before you let it loose. =)
>
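> #!/bin/sh
> # Dry run: prints the chmod that would be applied to each unowned path.
> find . -type f -o -type d | while IFS= read -r xxx; do
>     # rpm -qf exits non-zero when no package owns the path
>     rpm -qf "$xxx" > /dev/null
>     RETVAL=$?
>     if [ $RETVAL -gt 0 ]; then
>         # read find's output line by line so names with spaces stay intact
>         find "$xxx" -perm -022 -a ! -type l | while IFS= read -r file; do
>             if [ -n "$file" ]; then
>                 ls -ld "$file"
>                 if [ -e "$file" -a ! -d "$file" ]; then
>                     echo "Changing mode: chmod 644 $file"; #chmod 644 "$file"
>                 else
>                     echo "Changing mode: chmod 755 $file"; #chmod 755 "$file"
>                 fi
>             fi
>         done
>     fi
> done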
>
> --
> . . . . . . . . ooo . . . . ooo . . . . . . . . .
> . .
> . Dean Brissinger - Systems Administrator .
> . Direct: 303-583-0278 Main: 303-444-0094 .
> . Fax: 303-583-0246 http://www.vexcel.com/ .
> . .
> . . . . . . . oOOo . . A . . oOOo . . . . . . . .
> 0 0
> '````
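
A report-only variant of the audit the scripts in this thread perform, added here as an example and not code from any poster. The function name `audit_unowned_writable` and the `OWNER_CHECK` override are hypothetical; it goes beyond the thread's scripts by matching paths writable by group or other (not only both), suggesting `chmod go-w` instead of fixed 644/755 so other mode bits survive, and leaving device nodes and other special files for manual review, since no single mode is right for them.

```shell
#!/bin/sh
# Added example (not from the thread): report-only audit of paths that no
# package owns and that group or other can write. Nothing is modified.
# OWNER_CHECK is a hypothetical hook so the ownership query can be swapped;
# it defaults to `rpm -qf`, the query used in the thread's scripts.
OWNER_CHECK=${OWNER_CHECK:-"rpm -qf"}

audit_unowned_writable() {
    # -xdev: stay on one filesystem. Symlinks are skipped because their own
    # mode is not used for access checks. Paths containing a newline are
    # not handled by the line-based read below.
    find "$1" -xdev ! -type l \( -perm -002 -o -perm -020 \) -print |
    while IFS= read -r path; do
        # Exit status 0 means some package owns the path: leave it alone.
        $OWNER_CHECK "$path" >/dev/null 2>&1 && continue
        if [ -f "$path" ]; then
            printf 'FIX\tchmod go-w\t%s\n' "$path"
        elif [ -d "$path" ] && [ ! -k "$path" ]; then
            printf 'FIX\tchmod go-w\t%s\n' "$path"
        else
            # Device nodes, FIFOs, sockets and sticky directories:
            # the right mode depends on the object, so only flag them.
            printf 'REVIEW\t%s\n' "$path"
        fi
    done
}

# Stand-alone use: sh audit.sh /etc
if [ "$#" -gt 0 ]; then
    audit_unowned_writable "$1"
fi
```

Each output line is tab-separated, so the `FIX` lines can be reviewed and then applied by hand once the list looks right.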