author | Dave Brolley <brolley@redhat.com> | 2009-01-29 15:28:02 -0500 |
---|---|---|
committer | Dave Brolley <brolley@redhat.com> | 2009-01-29 15:28:02 -0500 |
commit | 4d6a58a6e4af720a376699ba7c49ecfa3be88da4 (patch) | |
tree | 15b0d7e456e1ad40111e56ab533bdfff4f36b624 /stap-client | |
parent | c5b08ee1ec3c731b85a3891c366527171bc56009 (diff) | |
Improved certificate security for the client/server.
Diffstat (limited to 'stap-client')
-rwxr-xr-x | stap-client | 58 |
1 files changed, 36 insertions, 22 deletions
diff --git a/stap-client b/stap-client
index 93305ff5..d69b6474 100755
--- a/stap-client
+++ b/stap-client
@@ -843,33 +843,42 @@ function check_db {
 fi
 # Check that we can read the directory
- if ! test -r $file; then
+ if ! test -r $dir; then
 warning "Certificate database '$dir' is not readble"
 rc=1
 fi
 # Check the access permissions of the directory
 local perm=0`stat -c "%a" $dir`
-# if test $((($perm & 0400) == 0400)) = 0; then
-# warning "Certificate database '$dir' must be readable by the owner"
-# rc=1
-# fi
-# if test $((($perm & 0200) == 0200)) = 0; then
-# warning "Certificate database '$dir' must be writeable by the owner"
-# rc=1
-# fi
-# if test $((($perm & 0100) == 0100)) = 0; then
-# warning "Certificate database '$dir' must be searchable by the owner"
-# rc=1
-# fi
+ if test $((($perm & 0400) == 0400)) = 0; then
+ warning "Certificate database '$dir' should be readable by the owner"
+ fi
+ if test $((($perm & 0200) == 0200)) = 0; then
+ warning "Certificate database '$dir' should be writeable by the owner"
+ fi
+ if test $((($perm & 0100) == 0100)) = 0; then
+ warning "Certificate database '$dir' should be searchable by the owner"
+ fi
+ if test $((($perm & 0040) == 0040)) = 0; then
+ warning "Certificate database '$dir' should be readable by the group"
+ fi
 if test $((($perm & 0020) == 0020)) = 1; then
 warning "Certificate database '$dir' must not be writable by the group"
 rc=1
 fi
+ if test $((($perm & 0010) == 0010)) = 0; then
+ warning "Certificate database '$dir' should be searchable by the group"
+ fi
+ if test $((($perm & 0004) == 0004)) = 0; then
+ warning "Certificate database '$dir' should be readable by others"
+ fi
 if test $((($perm & 0002) == 0002)) = 1; then
 warning "Certificate database '$dir' must not be writable by others"
 rc=1
 fi
+ if test $((($perm & 0001) == 0001)) = 0; then
+ warning "Certificate database '$dir' should be searchable by others"
+ fi
 # Now check the permissions of the critical files.
 check_db_file $dir/cert8.db || rc=1
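Review bot: The new checks in check_db examine only the mode bits of `$dir`, so a database directory owned by a different user still passes with rc=0 as long as its mode is 0755, even though that owner can replace the database files underneath the client; pairing the mode check with an ownership check would close that gap, e.g. `if test "$(stat -c '%u' $dir)" != "$(id -u)"; then` / `warning "Certificate database '$dir' is not owned by the current user"; rc=1` / `fi`. Note also that GNU stat without `-L` reports the mode of a symlink itself rather than its target, so a symlinked `$dir` would trip the "must not be writable" checks while the real directory is never examined. The same mode-only pattern is repeated in the check_db_file hunks at -906 and -926. The body of check_db begins before this hunk.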
@@ -883,7 +892,7 @@ function check_db {
 # function: check_db_file FILENAME
 #
-# Check the security of the given database directory.
+# Check the security of the given database file.
 function check_db_file {
 local file=$1
 local rc=0
@@ -906,18 +915,19 @@ function check_db_file {
 # Check the access permissions of the file
 local perm=0`stat -c "%a" $file`
-# if test $((($perm & 0400) == 0400)) = 0; then
-# warning "Certificate database file '$file' must be readable by the owner"
-# rc=1
-# fi
-# if test $((($perm & 0200) == 0200)) = 0; then
-# warning "Certificate database file '$file' must be writeable by the owner"
-# rc=1
-# fi
+ if test $((($perm & 0400) == 0400)) = 0; then
+ warning "Certificate database file '$file' should be readable by the owner"
+ fi
+ if test $((($perm & 0200) == 0200)) = 0; then
+ warning "Certificate database file '$file' should be writeable by the owner"
+ fi
 if test $((($perm & 0100) == 0100)) = 1; then
 warning "Certificate database file '$file' must not be executable by the owner"
 rc=1
 fi
+ if test $((($perm & 0040) == 0040)) = 0; then
+ warning "Certificate database file '$file' should be readable by the group"
+ fi
 if test $((($perm & 0020) == 0020)) = 1; then
 warning "Certificate database file '$file' must not be writable by the group"
 rc=1
@@ -926,6 +936,9 @@ function check_db_file {
 warning "Certificate database file '$file' must not be executable by the group"
 rc=1
 fi
+ if test $((($perm & 0004) == 0004)) = 0; then
+ warning "Certificate database file '$file' should be readable by others"
+ fi
 if test $((($perm & 0002) == 0002)) = 1; then
 warning "Certificate database file '$file' must not be writable by others"
 rc=1
@@ -937,6 +950,7 @@ function check_db_file {
 return $rc
 }
+
 # function: warning [ MESSAGE ]
 #
 # Warning error
|
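Review bot: In the check_db_file hunk at -906 the new advisories warn that a database file "should be readable by the group", and the hunk at -926 that it "should be readable by others"; since check_db_file is a generic helper taking any FILENAME, these advisories would push a file holding private key material toward world-readable, the opposite of what a key store needs. Unless every file passed to it is known to contain only public certificate data, either skip the group/other-readable advisories for such files or record the assumption in the header comment, e.g. `# Note: the group/other-readable advisories assume FILENAME holds only public certificate data.` The body of check_db_file is cut across these hunks and its callers are outside them, so which files it is applied to cannot be confirmed here.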