log_file="/opt/share/security-config/log/path_check.log"
exception_file="/usr/share/security-config/test/path_check_test/path_exception.list"
script_list_path="/opt/share/security-config/log/script_file_list"
+path_list=("bin" "sbin" "usr" "etc")
+tmp_path="/tmp/pathtest.sh"
# Check whether this file is one of exception lists.
# args : $1 = file path
function CHECK_EXCEPTION
{
- temp=$(grep $1 <<< cat $exception_file)
+ temp=$(/usr/bin/grep $1 <<< /usr/bin/cat $exception_file)
if [ -n "$temp" ]
then
return 1
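Review bot: The here-string on L11 hands grep the literal text `/usr/bin/cat /usr/share/security-config/test/path_check_test/path_exception.list` rather than that file's contents, so the exception list is never actually read and a path is only ever "excepted" if it happens to occur inside that string (the removed line had the same defect, and the commit keeps it). `$1` is also unquoted and interpreted as a basic regex, so a path containing `.`, a space or a glob character changes what is matched. If the list holds one literal path per line, the intended lookup is `temp=$(/usr/bin/grep -Fx -- "$1" "$exception_file")`. CHECK_EXCEPTION's body continues past `return 1` outside this hunk.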
# args : $1 = file path
function PATH_CHECK
{
- filtered_line=$(grep "PATH=" $1 | grep "[^a-z A-Z]/bin" | grep "[^a-z A-Z]/sbin" | grep "/usr/bin" | grep "/usr/sbin")
- if [ "$filtered_line" == "" ]
- then
- CHECK_EXCEPTION $1 # exception check
- if [ "$?" == 0 ]
+ /usr/bin/cat $1 | /usr/bin/grep "PATH=" > $tmp_path
+ PATH="/opt:/unexist" # set unallowed directories in PATH variable. This should be reset in the target script.
+ source $tmp_path
+ IFS=':' read -ra path_array <<< "$PATH"
+ PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+ for item in "${path_array[@]}"; do
+ root_dir_item="$(/usr/bin/echo $item | /usr/bin/cut -d '/' -f2)"
+ if [ "$(/usr/bin/echo "${path_list[@]}" | /usr/bin/fgrep --word-regexp "$root_dir_item")" == "" ]
then
- rpm_path=$(/usr/bin/rpm -qf $1)
- echo "$1,""$rpm_path" >> $log_file
+ CHECK_EXCEPTION $1 # exception check
+ if [ "$?" == 0 ]
+ then
+ rpm_path=$(/usr/bin/rpm -qf $1)
+ echo "$1,""$rpm_path" >> $log_file
+ fi
+ return
fi
- fi
+ done
}
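Review bot: `source $tmp_path` on L25 executes, inside the checker, every line of the audited script that contains `PATH=`, and those lines are not limited to plain assignments (an `export PATH=$(...)` or any other command sharing the line runs too), so any executable script on the system gets to run code with the checker's privileges, which `find /` and `rpm -qf` suggest are root. The same hunk lets a relative or empty PATH component (`.`, or `PATH=:/bin`) through, because `cut -d/ -f2` yields an empty `root_dir_item` and `fgrep --word-regexp ""` matches every line, so the result is non-empty and nothing is logged. Both go away if the assigned value is parsed as text and non-absolute components are treated as violations, as sketched below; the `PATH="/opt:/unexist"` seeding on L24 and the reset on L27 are then unnecessary, and a literal `$PATH` component is flagged just as the seeded value causes it to be flagged today. `$1` on L23 should also be quoted, since the file list comes from `find /` and may contain spaces. PATH_CHECK's header is on L16, so the whole function is in view, but the fence shows only the rewritten loop.
```shell
# Inspect PATH assignments as text; never source lines taken from the audited script.
while IFS= read -r assignment; do
  value=${assignment#*PATH=}
  value=${value%%[[:space:]]*}   # the assigned word ends at the first whitespace
  value=${value//[\"\']/}        # strip simple quoting around the value
  IFS=':' read -ra path_array <<< "$value"
  for item in "${path_array[@]}"; do
    # A component that is not absolute (".", "", or a literal "$PATH" reference)
    # cannot be vetted against path_list and is treated as a violation.
    if [[ "$item" != /* ]]; then
      root_dir_item=""
    else
      root_dir_item=${item#/}
      root_dir_item=${root_dir_item%%/*}
    fi
    if [[ -z "$root_dir_item" ]] \
      || ! printf '%s\n' "${path_list[@]}" | /usr/bin/grep -qxF -- "$root_dir_item"; then
      # … unchanged: CHECK_EXCEPTION "$1", rpm -qf, append to $log_file, return …
    fi
  done
done < <(/usr/bin/grep -E '(^|[^A-Za-z0-9_])PATH=' -- "$1")
```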
# Main Check function : find shell scripts in the system.
find / -type f -executable 2>/dev/null | xargs $utl_path/file | grep "shell script" | cut -d ":" -f1 >> $script_list_path
while read script_file_line
do
- PATH_CHECK $script_file_line
+ PATH_CHECK $script_file_line
done < $script_list_path
}
rm $script_list_path
fi
+rm $tmp_path
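Review bot: `rm $tmp_path` on L55, together with the `> $tmp_path` write on L23, uses the fixed name `/tmp/pathtest.sh` in a world-writable directory, so a file or symlink placed at that name before the checker runs redirects the write (and, through the `source` on L25, what gets executed) to a location of someone else's choosing. If a scratch file is kept at all, create it with `tmp_path=$(mktemp) || exit 1` and remove it from an EXIT trap, `trap 'rm -f -- "$tmp_path"' EXIT`, so the trailing `rm` is no longer needed and the file is cleaned up on every exit path. The `}` on L52 and `fi` on L54 close constructs that begin outside the hunk, so the enclosing block is only partly visible here.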
/bin/echo "PATH CHECK FINISHED!"