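#!/usr/bin/perl -P

# $RCSfile: scan_suid,v $$Revision: 4.1 $$Date: 92/08/07 17:20:43 $

# Look for new setuid root files.
#
# The script keeps a baseline listing of setuid-root files ("oldsuid") in a
# private directory, builds a fresh listing with find, prints the diff
# between the two, and then reports entries whose inode change time is newer
# than the previous run.  Afterwards the fresh listing becomes the baseline.
#
# The -P switch runs this file through the C preprocessor; that is what
# gives the #if/#else/#endif lines below their meaning.

# Parenthesised so that || tests the result of chdir.  Written as
# chdir '...' || die, the || binds to the (always true) string and the die
# can never fire, so the scan would carry on in whatever directory it was
# started from.
chdir('/usr/adm/private/memories') || die "Can't cd to memories: $!\n";

($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,
   $blksize,$blocks) = stat('oldsuid');
if ($nlink) {
    # A baseline exists; its mtime marks the previous run.
    $lasttime = $mtime;

    # The end of the previous run did touch / sleep 2 / chmod on the
    # baseline, so its ctime should sit a couple of seconds after both
    # atime and mtime.  A gap outside 1..9 seconds means the file has been
    # read or written since.  This is a tripwire, not proof of integrity:
    # it only notices accesses that move the timestamps.
    $tmp = $ctime - $atime;
    if ($tmp <= 0 || $tmp >= 10) {
        print "WARNING: somebody has read oldsuid!\n";
    }
    $tmp = $ctime - $mtime;
    if ($tmp <= 0 || $tmp >= 10) {
        print "WARNING: somebody has modified oldsuid!!!\n";
    }
} else {
    $lasttime = time - 60 * 60 * 24;    # one day ago
}
$thistime = time;

# Both find commands are fixed strings, so nothing untrusted reaches the shell here.
#if defined(mc300) || defined(mc500) || defined(mc700)
open(Find, 'find / -perm -04000 -print |') ||
    die "scan_find: can't run find";
#else
open(Find, 'find / \( -fstype nfs -prune \) -o -perm -04000 -ls |') ||
    die "scan_find: can't run find";
#endif

# Stop if the listing cannot be written: carrying on would sort a missing
# file and install an empty baseline further down.
open(suid, '>newsuid.tmp') ||
    die "scan_suid: can't write newsuid.tmp: $!\n";

while (<Find>) {
    chop;       # drop the newline find printed after the entry

#if defined(mc300) || defined(mc500) || defined(mc700)
    # Here find printed only the path.  File names on disk are untrusted
    # input, so ls is run by fork+exec with the path as a single argument;
    # interpolating it into backticks would let shell metacharacters in a
    # file name run as commands with this script's privileges.
    $path = $_;
    $pid = open(Ls, '-|');
    die "scan_suid: can't fork for ls: $!\n" unless defined($pid);
    if (!$pid) {
        exec('/bin/ls', '-il', $path);
        exit 1;                         # only reached if exec failed
    }
    $_ = <Ls>;                          # the entry's own line
    close(Ls);
    chop;
    s/^ *//;
    # The field limit keeps a name containing blanks in one piece.
    ($inode,$perm,$links,$owner,$group,$size,$month,$day,$time,$name)
      = split(' ', $_, 10);
#else
    s/^ *//;
    # The field limit keeps a name containing blanks in one piece, so the
    # stat() below looks at the file that find actually reported.
    ($inode,$blocks,$perm,$links,$owner,$group,$size,$month,$day,$time,$name)
      = split(' ', $_, 11);
#endif

    if ($perm =~ /[sS]/ && $owner eq 'root') {
        # stat() refills $size and $blocks along with the timestamps,
        # replacing the values taken from the listing line.
        ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,
           $blksize,$blocks) = stat($name);
        $foo = sprintf("%10s%3s %-8s %-8s%9s %3s %2s %s %s\n",
                $perm,$links,$owner,$group,$size,$month,$day,$name,$inode);
        print suid $foo;
        if ($ctime > $lasttime) {
            if ($ctime > $thistime) {
                # ctime lies after the start of this scan.
                print "Future file: $foo";
            }
            else {
                $ct .= $foo;
            }
        }
    }
}
close(suid) || die "scan_suid: can't finish writing newsuid.tmp: $!\n";

# NOTE(review): "sort +7 -8" is the old zero-based way of naming a sort key;
# the POSIX spelling of the same key is "-k 8,8".  Confirm which form the
# target system's sort accepts.
print `sort +7 -8 newsuid.tmp >newsuid 2>&1`;
$foo = `/bin/diff oldsuid newsuid 2>&1`;
print "Differences in suid info:\n",$foo if $foo;
print `mv oldsuid oldoldsuid 2>&1; mv newsuid oldsuid 2>&1`;
# touch, wait, chmod: leaves ctime about two seconds after atime and mtime,
# which is the gap the tripwire at the top expects on the next run.
# NOTE(review): the chmod is needed only to move ctime, yet o+w also leaves
# the baseline world-writable, so it is protected solely by the permissions
# of the private directory.  A mode change that grants nothing would
# presumably serve the same purpose; confirm and tighten.
print `touch oldsuid 2>&1;sleep 2 2>&1;chmod o+w oldsuid 2>&1`;
print `rm -f newsuid.tmp 2>&1`;

# Report entries whose inode changed since the last run, leaving out those
# the diff above already showed as added ("> " lines).  The comparison is a
# literal substring test: using the listing line as a regular expression
# would treat characters from file names as pattern syntax.
@ct = split(/\n/,$ct);
$ct = '';
$added = "\n" . $foo;                   # so every diff line is preceded by \n
while ($#ct >= 0) {
    $tmp = shift(@ct);
    if (index($added, "\n> $tmp\n") < 0) { $ct .= "$tmp\n"; }
}

print "Inode changed since last time:\n",$ct if $ct;
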