Initial work for #28. Need further testing
Showing
6 changed files
with
79 additions
and
1 deletion.
@@ -1,3 +1,6 @@ | ||
#Add here binaries in the format example AWK_BIN: | ||
# | ||
#AWK_BIN=`which awk 2>/dev/null` | ||
CUT_BIN=$(which cut 2>/dev/null) | ||
GREP_BIN=$(which grep 2>/dev/null) | ||
TR_BIN=$(which tr 2>/dev/null) |
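Review bot: The three new variables are resolved through `which` over the caller's PATH at load time, and judging by the check_required_bin hunk in this same commit these are the very binaries that function uses to perform the location check, so a PATH-supplied grep/cut/tr would already be executing before anything is vetted. The bootstrap that validates CUT_BIN, GREP_BIN and TR_BIN should not depend on them; `[[ … =~ … ]]` and parameter expansion in the checker would remove that dependency entirely. Independently, `command -v` is the portable lookup and avoids `which`'s platform-specific output, e.g. `GREP_BIN=$(command -v grep 2>/dev/null)`. The assignments also run unquoted but that is harmless here since a failed lookup leaves the variable empty, which the checker treats as "not installed".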
@@ -0,0 +1,15 @@ | ||
# ---------------------------------------------------- | ||
# Overrides for security rule of binaries needing to be | ||
# in the following locations: /usr, /sbin, /bin | ||
# | ||
# Override binaries are prefixed with '__' (e.g. '__PYTHON3_BIN') | ||
# same variable name described in etc/binaries.conf. | ||
# | ||
# The full paths MUST BE manually checked/vetted and approved. | ||
# If there are multiple values, separate it with colon. | ||
# | ||
# ---------------------------------------------------- | ||
# Example below to override PYTHON3_BIN and PIP_BIN: | ||
# | ||
#__PYTHON3_BIN="$OPT_DIR/venv/bin/python3:$HOME/AppData/Local/Microsoft/WindowsApps/python3" | ||
#__PIP_BIN="$OPT_DIR/venv/bin/pip:$HOME/AppData/Local/Microsoft/WindowsApps/pip" |
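Review bot: The header says the full paths MUST be vetted but does not say that this file is read as shell, so `$OPT_DIR` and `$HOME` in the example lines expand at load time and anything that can write this file (or set those variables) can extend the allowlist; the same sourcing style is visible in the binaries.conf hunk, so this is presumably how the override file is loaded too. I would add to the header: `# This file is sourced by the shell; keep it root-owned and not writable by unprivileged users, and prefer literal absolute paths over $HOME/$OPT_DIR expansions.` The example entries under `$HOME/AppData/...` and `$OPT_DIR/venv` are exactly the user-writable locations the check is meant to flag, which is worth stating so they are not copied as-is.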
@@ -0,0 +1,46 @@ | ||
## ----------------------------------------------------------------------------------------- | ||
## Cross-check and ensure binaries are located in either of the following paths: | ||
## * /usr | ||
## * /bin | ||
## * /sbin | ||
## | ||
## and IF path does not start with the above (and IT IS intentional), override it via | ||
## etc/override_binsecurity.conf. Overridden variable should be prefixed with __. | ||
## Example, to override PYTHON3_BIN, define __PYTHON3_BIN. If multiple values are | ||
## expected, delimit it with colon. | ||
## | ||
## For checking specific binary, pass the variable name without '$' | ||
## ----------------------------------------------------------------------------------------- | ||
## | ||
check_required_bin() { | ||
## | ||
## $binlist = Only needed if checking for specific binary. | ||
## Defaults to checking src/etc/binaries.conf | ||
## | ||
local binlist=${1:-"$($GREP_BIN -v ^\# $CONF_DIR/binaries.conf|$CUT_BIN -d'=' -f1)"} | ||
|
||
autoload_functions "found_inarray" | ||
|
||
for each_bin in $binlist; do | ||
if [[ "${!each_bin}" = "" ]]; then | ||
echo "[FATAL ERROR] Required '$each_bin' not installed. Aborting." | ||
exit 1 | ||
## | ||
## NOTE: Ideally, only those NOT MATCHING the pattern should be filtered. | ||
## Can't find a working regex for it though. No-op statement is used instead | ||
## | ||
elif [[ "${!each_bin}" =~ ^(/usr|/bin|/sbin) ]]; then | ||
: | ||
else | ||
## Check if overridden. IF NOT, say so and exit (like below). | ||
## | ||
or_eachbin=__${each_bin} | ||
|
||
or_found=$(found_inarray ${!each_bin} $(echo ${!or_eachbin}|$TR_BIN ":" " ")) | ||
if [[ ${or_found} -ne 1 ]]; then | ||
echo "[FATAL ERROR] Suspicious binary detected for \$${each_bin}: ${!each_bin}" | ||
exit 1 | ||
fi | ||
fi | ||
done | ||
} |
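Review bot: The trusted-location test on the `elif` line matches a prefix without the trailing slash, so a binary under `/usrlocal-x/`, `/binaries/` or `/sbinfoo/` passes as trusted; the pattern needs to be `^(/usr|/bin|/sbin)/`. The override comparison in the `else` branch has the same looseness in a different form: the resolved path is passed to found_inarray (next hunk), which greps it as an unanchored regex against the whole colon-split list, so an override of `/home/u/opt/venv/bin/python3` also approves a binary resolved at `/opt/venv/bin/python3`, and `.` in the path matches any character. Compare each vetted entry exactly instead, which also drops the need for `autoload_functions "found_inarray"` and the `$TR_BIN` dependency here; the rewritten branch is below. `each_bin`, `or_eachbin` and `or_found` should also be declared `local`, and the `local binlist=$(…)` assignment on the first line masks the grep/cut exit status — split the declaration from the assignment.
```shell
  elif [[ "${!each_bin}" =~ ^(/usr|/bin|/sbin)/ ]]; then
    :
  else
    ## Check if overridden: the resolved path must equal one vetted entry exactly.
    or_eachbin=__${each_bin}
    or_found=0
    IFS=: read -r -a or_paths <<<"${!or_eachbin}"
    for or_path in "${or_paths[@]}"; do
      if [[ "$or_path" == "${!each_bin}" ]]; then
        or_found=1
        break
      fi
    done
    if [[ ${or_found} -ne 1 ]]; then
      # … unchanged: suspicious-binary message and exit 1 …
```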
@@ -0,0 +1,12 @@ | ||
### ------------------------------------------------- | ||
### found_inarray: checks if a string is found | ||
### INPUT : $* --> 1st word is the keyword to find | ||
### OUTPUT : 1 - IF FOUND. 0 Otherwise | ||
### ------------------------------------------------- | ||
|
||
found_inarray() { | ||
local var2find=$1 | ||
shift | ||
|
||
echo "$*"|$GREP_BIN -c $var2find | ||
} ## END: found_inarray() |
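Review bot: On the `echo "$*"|$GREP_BIN -c $var2find` line the keyword is passed unquoted and without `--`, so a value beginning with `-` is parsed by grep as an option and any regex metacharacter in it changes what is matched, which matters because the caller in this commit passes a filesystem path. Emitting one candidate per line and matching fixed strings exactly gives the documented 0/1 contract: `printf '%s\n' "$@" | $GREP_BIN -c -F -x -- "$var2find"`. `printf` also avoids `echo` interpreting a leading `-n`/`-e` in the list. The header comment could state that the remaining arguments are compared as whole values, not substrings, once that change is in.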