Applications
/
ublinux-init
10
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '847c39d2d6'
${ noResults }
ublinux-init/ublinux/rc.post.d/42-access-suid-sgid

62 lines
2.6 KiB
Raw Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

#!/bin/bash
ENABLED=yes
[[ ${ENABLED} == "yes" ]] || exit 0
DEBUGMODE=no
SELF_NAME="42-access-suid-sgid"
unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
SOURCE=${ROOTFS}/usr/lib/ublinux/default; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
debug_mode "$0" "$@"
SYSCONF="${ROOTFS}${SYSCONF}"
SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
exec_access_allowed_suid(){
## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
EXCLUDE_SUID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
[[ ${PATH_WORK_SUID} == 0 ]] && PATH_WORK_SUID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod --quiet u-s {} +
# find ${PATH_WORK_SUID} -type f -perm /u=s $(printf " -name %s " ${EXCLUDE_SUID})
done
fi
}
exec_access_allowed_sgid(){
## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
EXCLUDE_SGID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
[[ ${PATH_WORK_SGID} == 0 ]] && PATH_WORK_SGID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod --quiet g-s {} +
done
fi
}
################
##### MAIN #####
################
# Если файл подключен как ресурс с функциями, то выйти
return 0 2>/dev/null && return 0
if [[ -z $@ ]]; then
while read -r FUNCTION; do
$"${FUNCTION##* }"
done < <(declare -F | grep "declare -f exec_")
else
FUNCTION=
# for FUNCTION in $@; do
# declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
# done
while [[ $# -gt 0 ]]; do
[[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
shift
done
eval ${FUNCTION#*; }
fi
Reference in new issue View Git Blame Copy Permalink