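#!/bin/bash
## kola:
## exclusive: false
## description: Verify that there are no file/directory with
## SetGID bit set, except the known files and directories.

set -xeuo pipefail

# shellcheck disable=SC1091
. "$KOLA_EXT_DATA/commonlib.sh"

# List of known files and directories with SetGID bit set.
# Any entry under /usr or /etc carrying mode bit 02000 that is not listed
# here fails the test; extend the list only for a package that needs SetGID.
list_setgid_files=(
    '/usr/bin/write'
    '/usr/libexec/utempter/utempter'
)
# Drop '/usr/libexec/openssh/ssh-keysign' after
# https://src.fedoraproject.org/rpms/openssh/c/b615362fd0b4da657d624571441cb74983de6e3f?branch=rawhide
# landed in EL9 (it's in Fedora and EL10 already).
if match_maj_ver "9"; then
    list_setgid_files+=('/usr/libexec/openssh/ssh-keysign')
fi

# Index the allow-list once so each found path is a single lookup instead of
# a scan over the whole list.
declare -A known_setgid=()
for k in "${list_setgid_files[@]}"; do
    known_setgid["${k}"]=1
done

# Unknown entries are kept in an array so a path containing whitespace is
# reported intact rather than merged into a space-joined string.
unknown_setgid_files=()
# Only /usr and /etc are inspected, and find does not follow symlinks here;
# -perm /2000 matches any file or directory with the SetGID bit set.
while IFS= read -r -d '' e; do
    # ':-' keeps a missing key from tripping 'set -u'.
    if [[ -z "${known_setgid[${e}]:-}" ]]; then
        unknown_setgid_files+=("${e}")
    fi
done < <(find /usr /etc \( -type f -o -type d \) -perm /2000 -print0)

if (( ${#unknown_setgid_files[@]} > 0 )); then
    # One path per line; printf avoids echo's handling of leading '-' / escapes.
    printf 'SetGID: %s\n' "${unknown_setgid_files[@]}"
    # The scan covers mode bit 02000 only, so the message names SetGID alone.
    fatal "found files/directories with SetGID bit set"
fi
ok "no unknown file/directory with SetGID bit set"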