From: jin-gyu.kim Date: Mon, 26 Aug 2019 09:14:32 +0000 (+0900) Subject: Modify path_check script. X-Git-Tag: submit/tizen/20190827.043624^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b7814c30fc455b5f037b45c9d15df6c1a090d8d9;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Modify path_check script. - Read PATH variable in the target script, and compare with predefined RO directories. - No need to define all predefiend dirs, only partials are also allowed. Change-Id: I0905676c2c3d04c75b5333eceadf6fd439fc25ea
---
diff --git a/test/path_check_test/path_check.sh b/test/path_check_test/path_check.sh
index 9796627..1370e4c 100644
--- a/test/path_check_test/path_check.sh
+++ b/test/path_check_test/path_check.sh
@@ -6,12 +6,14 @@ result_file="/opt/share/security-config/result/path_check.result"
 log_file="/opt/share/security-config/log/path_check.log"
 exception_file="/usr/share/security-config/test/path_check_test/path_exception.list"
 script_list_path="/opt/share/security-config/log/script_file_list"
+path_list=("bin" "sbin" "usr" "etc")
+tmp_path="/tmp/pathtest.sh"
 # Check whether this file is one of exception lists.
 # args : $1 = file path
 function CHECK_EXCEPTION
 {
-    temp=$(grep $1 <<< cat $exception_file)
+    temp=$(/usr/bin/grep $1 <<< /usr/bin/cat $exception_file)
 if [ -n "$temp" ]
 then
 return 1
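Review bot: The exception lookup on the changed line still passes `$1` unquoted as a regular expression and accepts substring matches, so a dot in the script path matches any character and `/usr/bin/a.sh` is excepted by an entry such as `/usr/bin/a-sh` or `/usr/bin/a.sh.bak`; the here-string also reads oddly, since `<<<` feeds only the word `/usr/bin/cat` to stdin and grep reads `$exception_file` only because it is a trailing file operand. A fixed-string match is clearer and, if the list holds full script paths, `-x` pins whole entries: `temp=$(/usr/bin/grep -F -x -- "$1" "$exception_file")`. The new `tmp_path="/tmp/pathtest.sh"` is a predictable name in a world-writable directory that this script later sources, so create it with `mktemp` and remove it from an EXIT trap instead of a fixed path and a trailing `rm`. CHECK_EXCEPTION continues past the end of the hunk.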
@@ -23,16 +25,24 @@ function CHECK_EXCEPTION
 # args : $1 = file path
 function PATH_CHECK
 {
-    filtered_line=$(grep "PATH=" $1 | grep "[^a-z A-Z]/bin" | grep "[^a-z A-Z]/sbin" | grep "/usr/bin" | grep "/usr/sbin")
-    if [ "$filtered_line" == "" ]
-    then
-        CHECK_EXCEPTION $1 # exception check
-        if [ "$?" == 0 ]
+    /usr/bin/cat $1 | /usr/bin/grep "PATH=" > $tmp_path
+    PATH="/opt:/unexist" # set unallowed directories in PATH variable. This should be reset in the target script.
+    source $tmp_path
+    IFS=':' read -ra path_array <<< "$PATH"
+    PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+    for item in "${path_array[@]}"; do
+        root_dir_item="$(/usr/bin/echo $item | /usr/bin/cut -d '/' -f2)"
+        if [ "$(/usr/bin/echo "${path_list[@]}" | /usr/bin/fgrep --word-regexp "$root_dir_item")" == "" ]
 then
-            rpm_path=$(/usr/bin/rpm -qf $1)
-            echo "$1,""$rpm_path" >> $log_file
+            CHECK_EXCEPTION $1 # exception check
+            if [ "$?" == 0 ]
+            then
+                rpm_path=$(/usr/bin/rpm -qf $1)
+                echo "$1,""$rpm_path" >> $log_file
+            fi
+            return
 fi
-    fi
+    done
 }
 # Main Check function : find shell scripts in the system.
@@ -41,7 +51,7 @@ function CHECK
 find / -type f -executable 2>/dev/null | xargs $utl_path/file | grep "shell script" | cut -d ":" -f1 >> $script_list_path
 while read script_file_line
 do
-        PATH_CHECK $script_file_line
+        PATH_CHECK $script_file_line
 done < $script_list_path
 }
@@ -74,4 +84,5 @@ then
 rm $script_list_path
 fi
+rm $tmp_path
 /bin/echo "PATH CHECK FINISHED!"
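Review bot: `source $tmp_path` executes every line of the scanned script that contains `PATH=` — `LD_LIBRARY_PATH=…`, `MANPATH=…`, and anything after a `;` or inside `$(…)` on such a line — in this script's own shell, so the checker runs code from every executable script it finds and lets that code overwrite `log_file`, `path_list`, `IFS` or the functions defined here. Since only the assigned directories are needed, extract the value textually and split it, which also removes the temp file and the PATH save/reset lines; the sketch below does that, though it sees `$PATH`-style expansions literally and still needs a rule for relative or empty entries (`cut -d '/' -f2` turns an empty entry into an empty word for `fgrep`, whose result then depends on grep's empty-pattern handling). Separately, `root_dir_item` compares only the top-level component, so `/usr/local/bin` or `/etc/anything` passes; if that is intended, say so with `# only the top-level directory of each PATH entry is checked`.

```shell
function PATH_CHECK
{
    # Take the last PATH= assignment as text; never execute lines from the scanned file.
    assigned=$(/usr/bin/grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" | /usr/bin/tail -n 1)
    assigned=${assigned#*PATH=}
    assigned=${assigned%%[;#]*}   # drop commands or comments that follow the value
    assigned=${assigned//\"/}
    assigned=${assigned//\'/}
    # No assignment found: keep the sentinel so the script is reported, as before.
    IFS=':' read -ra path_array <<< "${assigned:-/opt:/unexist}"
    # … unchanged: loop over path_array, exception check, logging …
```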