LFS包管理与Shell脚本

 1Special Parameters
 2    The shell treats several parameters specially.  These parameters may only
 3    be referenced; assignment to them is not allowed.
 4    *      Expands  to the positional parameters, starting from one.  When the
 5    expansion is not within double quotes, each positional parameter expands to
 6    a separate word.  In contexts where it is performed, those words are
 7    subject to further word splitting and pathname expansion.  When the
 8    expansion occurs within double quotes, it expands to a single word with the
 9    value of each parameter separated by the first character  of  the  IFS
10    special  variable. That  is,  "$*"  is equivalent to "$1c$2c...", where c
11    is the first character of the value of the IFS variable. If IFS is unset,
12    the parameters are separated by spaces.  If IFS is null, the parameters are
13    joined without in‐ tervening separators.
14    @      Expands  to  the positional parameters, starting from one.  In
15    contexts where word splitting is performed, this expands each positional
16    parameter to a separate word; if not within double quotes, these words are
17    subject  to word splitting.  In contexts where word splitting is not
18    performed, this expands to a single word with each po‐ sitional parameter
19    separated by a space.  When the expansion occurs within double quotes,
20    each  parameter  ex‐ pands  to a separate word.  That is, "$@" is
21    equivalent to "$1" "$2" ...  If the double-quoted expansion occurs within a
22    word, the expansion of the first parameter is joined with the beginning
23    part of the original word, and the expansion of the last parameter is
24    joined with the last part of the original word.  When there are no posi‐
25    tional parameters, "$@" and $@ expand to nothing (i.e., they are removed).
26    #      Expands to the number of positional parameters in decimal.
27    ?      Expands to the exit status of the most recently executed foreground
28    pipeline.
29    -      Expands to the current option flags as specified upon invocation, by
30    the set builtin command, or those  set  by the shell itself (such as the -i
31    option).
32    $      Expands  to  the process ID of the shell.  In a () subshell, it
33    expands to the process ID of the current shell, not the subshell.
34    !      Expands to the process ID of the job most recently placed into the
35    background, whether executed as an asynchronous command or using the bg
36    builtin (see JOB CONTROL below).
37    0      Expands  to  the  name  of the shell or shell script.  This is set
38    at shell initialization.  If bash is invoked with a file of commands, $0 is
39    set to the name of that file.  If bash is started with the -c option, then
40    $0 is set  to  the  first  argument  after the string to be executed, if
41    one is present.  Otherwise, it is set to the filename used to invoke bash,
42    as given by argument zero.

 1NAME
 2    type - Display information about command type.
 3
 4SYNOPSIS
 5    type [-afptP] name [name ...]
 6
 7DESCRIPTION
 8    Display information about command type.
 9    
10    For each NAME, indicate how it would be interpreted if used as a
11    command name.
12    
13    Options:
14      -a	display all locations containing an executable named NAME;
15    		includes aliases, builtins, and functions, if and only if
16    		the `-p' option is not also used
17      -f	suppress shell function lookup
18      -P	force a PATH search for each NAME, even if it is an alias,
19    		builtin, or function, and returns the name of the disk file
20    		that would be executed
21      -p	returns either the name of the disk file that would be executed,
22    		or nothing if `type -t NAME' would not return `file'
23      -t	output a single word which is one of `alias', `keyword',
24    		`function', `builtin', `file' or `', if NAME is an alias,
25    		shell reserved word, shell function, shell builtin, disk file,
26    		or not found, respectively
27    
28    Arguments:
29      NAME	Command name to be interpreted.
30    
31    Exit Status:
32    Returns success if all of the NAMEs are found; fails if any are not found.
33
34SEE ALSO
35    bash(1)
36
37IMPLEMENTATION
38    GNU bash, version 5.0.17(1)-release (x86_64-redhat-linux-gnu)
39    Copyright (C) 2019 Free Software Foundation, Inc.
40    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

 1#Package user home directories will be located under this directory
 2homebase=/usr/src
 3
 4#Contents of following directory are copied into home directory when creating 
 5#a new package user (existing files will not be overwritten)
 6skel=/etc/pkgusr/skel-package
 7
 8if [ $# -lt 7 ]; then
 9  echo 1>&2 'USAGE: '
10  echo 1>&2 'add_package_user <description> <name> <minuid> <maxuid> \'
11  echo 1>&2 '                              <group> <mingid> <maxgid> [-d <home>]'
12  echo 1>&2
13  echo 1>&2 'If a user account called <name> exists, a message will be printed and'
14  echo 1>&2 'everything will be left as-is. If a user account called <name> does not'
15  echo 1>&2 'exist, one will be created.'
16  echo 1>&2 'The account'"'"'s primary group will be <group> and the /etc/passwd'
17  echo 1>&2 'description field will be set to <description>. If a group called <group>'
18  echo 1>&2 'does not already exist, one will be created.'
19  echo 1>&2 'The new account will get the "install" group as a supplementary group. If'
20  echo 1>&2 'a group named "install" does not exist, one will be created.'
21  echo 1>&2
22  echo 1>&2 '<description> needs to be a valid string for the /etc/passwd description'
23  echo 1>&2 '  field. This means, among other things, that it must not contain ":".'
24  echo 1>&2 '  Don'"'"'t forget to properly quote <description> if it contains spaces or'
25  echo 1>&2 '  other characters interpreted by the shell!'
26  echo 1>&2
27  echo 1>&2 '<minuid>(incl.) and <maxuid>(excl.) determine the numeric range from which'
28  echo 1>&2 '  the new account'"'"'s UID will be picked in the following way:'
29  echo 1>&2
30  echo 1>&2 '  1. If the range contains no unused UID => Exit with error.'
31  echo 1>&2 '  2. If <maxuid>-1 is still unused, find the greatest UID from the range'
32  echo 1>&2 '     that is used and pick the number after that.'
33  echo 1>&2 '  3. If <maxuid>-1 is in use, pick the first unused number from the range.'
34  echo 1>&2
35  echo 1>&2 '<mingid>(incl.) and <maxgid>(excl.) determine the numeric range from which'
36  echo 1>&2 '  to pick the GID for group <group> and/or group "install", if it needs to be'
37  echo 1>&2 '  created. The process for picking the GID is the same as that for the UID.'
38  echo 1>&2 ''
39  echo 1>&2 '<home> specifies the new user'"'"'s home directory. If it is not provided,'
40  echo 1>&2 '  it will default to '"$homebase/<name> ."
41  echo 1>&2 '  If the home directory does not exist yet it will be created, otherwise'
42  echo 1>&2 '  the existing directory will be recursively chown'"'"'ed to the new user.'
43  echo 1>&2 '  The home directory will be populated with a copy of the contents of'
44  echo 1>&2 "  $skel, but pre-existing files in the home directory"
45  echo 1>&2 '  will not be overwritten. Note that symlinks will be copied as symlinks!'
46  echo 1>&2 ''
47  exit 1
48fi
49
50grpfile=/etc/group
51passwd=/etc/passwd
52
53description=$1
54name=$2
55minuid=$3
56maxuid=$4
57gname=$5
58mingid=$6
59maxgid=$7

 1home=$homebase/$name
 2
 3set -- "$@" _eNd_OF_lisT_
 4while [ "$1" != "_eNd_OF_lisT_" ]; do
 5  case "$1" in
 6    -d) shift 1
 7        if [ "$1" = "_eNd_OF_lisT_" ]; then
 8          echo 1>&2 "-d directory name missing!"
 9          exit 1
10        fi
11        home="$1"
12        shift 1
13        ;;
14    *) temp="$1" 
15       shift 1
16       set -- "$@" "$temp"
17       ;;
18  esac     
19done
20shift 1 #throw away _eNd_OF_lisT_

1if [ $UID -ne 0 ]; then echo Please run this script as root. ; exit 1; fi
2
3#test if user already exists
4grep "^$name:.*" $passwd
5if [ $? -eq 0 ]; then 
6  echo 'Package user does already exist! Do su '$name' to do maintenance work.'
7  exit 1
8fi 

 1error=0
 2expr ${minuid} + 1 2>/dev/null 1>&2 || error=1
 3expr ${maxuid} + 1 2>/dev/null 1>&2 || error=1
 4expr ${mingid} + 1 2>/dev/null 1>&2 || error=1
 5expr ${maxgid} + 1 2>/dev/null 1>&2 || error=1
 6
 7if [ $error -eq 1 ]; then
 8  echo Error: Illegal numeric value!
 9  exit 1
10fi
11
12if [ $minuid -ge $maxuid ]; then
13  echo 'Error: minuid must be less than maxuid !' 
14  exit 1
15fi
16
17if [ $mingid -ge $maxgid ]; then
18  echo 'Error: mingid must be less than maxgid !' 
19  exit 1
20fi
21
22uidlist=`cut -d : -f 3 $passwd | sort -n`
23
24#find last used UID within range
25u=0
26for i in $uidlist
27do
28  if [ $i -ge $maxuid ]; then break; fi
29  if [ $i -ge $minuid ]; then u=$i; fi 
30done
31
32#if no UID from the range is used, pick the first, otherwise pick the one
33#immediately following the last UID in use.
34if [ $u -eq 0 ]; then u=$minuid; else u=`expr $u + 1`; fi
35
36#if the UID determined above is >= maxuid (i.e. illegal)
37#then we look for the first unused uid in the range.
38if [ $u -ge $maxuid ]; then
39  u=$minuid
40  for i in $uidlist
41  do
42    if [ $u -eq $i ]; then u=`expr $u + 1` ; fi
43    if [ $i -ge $maxuid ]; then break; fi
44  done  
45
46  if [ $u -ge $maxuid ]; then
47    echo Error: UID range is full!
48    exit 1
49  fi
50fi
51
52echo Will create user $name with uid: $u
53
54unset uidlist

 1#execute the following for gname and "install" to get gids for those 2 groups
 2
 3g=0
 4creategroup=0
 5for group in install $gname
 6do
 7  oldg=$g #save gid from previous run
 8  createinstall=$creategroup
 9  creategroup=0
10 
11  #test if group already exists and extract gid if so
12  g=`grep ^${group}:.\* $grpfile | cut -d : -f 3 -`
13
14  #if group does not exist, then check range for a free gid
15  if [ z$g = z ]; then 
16    creategroup=1
17    
18    gidlist=`cut -d : -f 3 $grpfile | sort -n`
19
20    #find last used GID within range
21    g=0
22    for i in $gidlist
23    do
24      if [ $i -ge $maxgid ]; then break; fi
25      if [ $i -ge $mingid ]; then g=$i; fi
26    done
27
28    #if no GID from the range is used, pick the first, otherwise pick the one
29    #immediately following the last GID in use.
30    if [ $g -eq 0 ]; then g=$mingid; else g=`expr $g + 1`; fi
31    
32    #don't reuse gid from previous run 
33    if [ $g -eq $oldg ]; then g=`expr $g + 1`; fi
34
35    #if the GID determined above is >= maxgid (i.e. illegal)
36    #then we look for the first unused gid in the range.
37    if [ $g -ge $maxgid ]; then
38      g=$mingid
39      for i in $gidlist
40      do
41        if [ $g -eq $i ]; then g=`expr $g + 1` ; fi
42        if [ $g -eq $oldg ]; then g=`expr $g + 1` ; fi
43        if [ $i -ge $maxgid ]; then break; fi
44      done  
45
46      if [ $g -ge $maxgid ]; then
47        echo Error: GID range is full!
48        exit 1
49      fi
50    fi
51  fi
52done
53
54unset gidlist

 1if [ $createinstall -eq 1 ]; then
 2  echo Creating group install with gid $oldg
 3  groupadd -g $oldg install || exit 1
 4else
 5  echo Group install has gid $oldg
 6fi
 7if [ $creategroup -eq 1 ]; then
 8  echo Creating group $gname with gid $g
 9  groupadd -g $g $gname || exit 1
10else 
11  echo Group $gname has gid $g
12fi
13
14useradd -c "${description}" -d ${home} -g ${gname} -G install \
15        -s /bin/bash -u ${u} ${name}  || exit 1
16
17mkdir -p $home || exit 1
18
19yes n|cp -ai -R ${skel}/{[^.],.[^.],..?}* ${home} 2>/dev/null >/dev/null
20
21cd ${home}
22chown --recursive ${u}:${g} .
23
24exit 0

 1if [ $# -eq 1 ]; then
 2  set -- "$1" "$1" "$1"
 3fi
 4
 5if [ $# -ne 3 ]; then
 6  echo 1>&2
 7  echo 1>&2 'USAGE 1: install_package <description> <name> <group>'
 8  echo 1>&2 'USAGE 2: install_package <name>'
 9  echo 1>&2
10  echo 1>&2 'Creates a new package user called <name> with primary group <group>'
11  echo 1>&2 'and description <description>.'
12  echo 1>&2 'If the user account has been created successfully, `su - <name>'"'"' will be'
13  echo 1>&2 'executed so that you can start working with the new account right away.'
14  echo 1>&2
15  echo 1>&2 '<description> needs to be a valid string for the /etc/passwd description'
16  echo 1>&2 '  field. This means, among other things, that it must not contain ":".'
17  echo 1>&2 '  Don'"'"'t forget to properly quote <description> if it contains spaces or'
18  echo 1>&2 '  other characters interpreted by the shell!'
19  echo 1>&2
20  echo 1>&2 'This script leaves the actual creation of the new account to the'
21  echo 1>&2 'add_package_user script. Check out its documentation for details.'
22  echo 1>&2
23  echo 1>&2 'When called with just one argument, that argument will be used as'
24  echo 1>&2 '<name>, <description> and <group>'
25  exit 1
26fi
27
28if [ $UID -ne 0 ]; then echo Please run this script as root. ; exit 1; fi
29add_package_user "${1}" $2 10000 20000 $3 10000 20000 || exit 1
30su - $2

 1#The following list should contain the mount points of all filesystems
 2#that are to be scanned as a space-separated list within parentheses. 
 3#/ will usually be in this list and if you have /usr
 4#on a separate partition, it will also be in this list. Other non-special
 5#filesystems where package users could own files should also be put in this
 6#list.
 7#Mount points whose filesystems are special, such as procfs or sysfs must
 8#not be in this list. While a simple find on those special filesystems should 
 9#be harmless, operations such as "-exec grep something" are NOT SAFE and may 
10#have HARMFUL SIDE-EFFECTS, especially when performed as root. 
11fs_to_scan=(/)
12
13#Files with a path prefix found in the following list are ignored.
14#This list will usually contain the parent directory of your package users'
15#home directories, because normally you don't want to scan those. You can
16#also add other directories that will never contain package user files, such
17#as /home. This reduces scan time.
18#NOTE: The LFS-6.0 book uses a ramfs mounted on /dev and with that setup
19#/dev does not need to be in the prune list. But since there is no requirement
20#that /dev have its on filesystem it's better to prune it explicitly.
21prune_prefixes=(/home /usr/src /dev /tools) #NO TRAILING SLASHES!!!!
22
23if [ $# -lt 1 -o "$1" = "--help" ]; then
24  echo 1>&2
25  echo 1>&2 'USAGE: '"${0##*/}"' <user_or_group_name> [<find-commands>]'
26  echo 1>&2
27  echo 1>&2 '  If <find-commands> contains no action other than -prune, -print will be'
28  echo 1>&2 '    executed for all matching files.'
29  echo 1>&2 '  Entries will be matched if group and/or user equals <user_or_group_name>'
30  echo 1>&2 '    (numeric UID/GID allowed).'
31  echo 1>&2 '  All matching entries will be acted on, including device special files, so'
32  echo 1>&2 '    you should be extra careful with the <find-commands> you provide!'
33  echo 1>&2
34  exit 1
35fi

1#suppress ugly debug output from shell
2trap ':' SIGPIPE

 1ugname="$1"
 2shift 1  #remove user_or_group_name from argument list
 3
 4# Recent versions of find issue a warning if "-depth" is listed after a
 5# non-option argument. To prevent this warning if -depth is passed to
 6# this script, we pick up the "-depth" argument here to move it to the
 7# front later on.
 8depth=""
 9if [ "_$1" = "_-depth" ]; then
10  depth=-depth
11  shift 1
12fi
13
14ugmatcher=(-false)
15#test if find accepts ugname as a user, and append to ugmatcher if it does
16if find / -maxdepth 0 -user "$ugname" >/dev/null 2>&1 ; then
17  ugmatcher[${#ugmatcher[@]}]="-or"
18  ugmatcher[${#ugmatcher[@]}]="-user"
19  ugmatcher[${#ugmatcher[@]}]="$ugname"
20fi
21#test if find accepts ugname as a group, and append to ugmatcher if it does
22if find / -maxdepth 0 -group "$ugname" >/dev/null 2>&1 ; then
23  ugmatcher[${#ugmatcher[@]}]="-or"
24  ugmatcher[${#ugmatcher[@]}]="-group"
25  ugmatcher[${#ugmatcher[@]}]="$ugname"
26fi
27
28#if find accepted ugname as neither user nor group, then exit
29if [ "${#ugmatcher[@]}" = 1 ]; then
30  echo 1>&2 'find does not accept `'"$ugname'"' as group or user name'
31  exit 1
32fi
33
34#construct find commands that match the prune_prefixes. Each prefix will be
35#matched as -path <prefix> -or -path <prefix>/*
36#so that the directory itself and all subdirectories are matched.
37y=(\( -false)
38for ((i=0; $i<${#prune_prefixes[@]}; i=$i+1)) 
39do
40  y[${#y[@]}]='-or'
41  y[${#y[@]}]=-path
42  y[${#y[@]}]="${prune_prefixes[$i]}"
43  y[${#y[@]}]='-or'
44  y[${#y[@]}]=-path
45  y[${#y[@]}]="${prune_prefixes[$i]}/*"
46done
47y[${#y[@]}]=')'
48
49#In the following find command, the part
50# -not ( ( "${y[@]}" -prune ) -or "${y[@]}" )
51#is responsible for preventing the files that match prune_prefixes from
52#being processed. The 2nd "${y[@]}" may seem redundant, but it isn't, because
53#-prune has no effect and is always false when -depth is used.
54#The -true before "$@" ensures that -depth can be passed as only parameter.
55find "${fs_to_scan[@]}" $depth -xdev -noleaf \
56     -not \( \( "${y[@]}" -prune \) -or "${y[@]}" \) \
57     -and \( "${ugmatcher[@]}" \) -and \( -true "$@" \)

 1rqdmap in ~
 2[ 19:06:35 ]   if find / -maxdepth 0 -user rqdmap; then echo OK; else echo fail; fi
 3OK
 4rqdmap in ~
 5[ 19:06:38 ]   if find / -maxdepth 0 -user root; then echo OK; else echo fail; fi
 6/
 7OK
 8rqdmap in ~
 9[ 19:06:43 ]   if find / -maxdepth 0 -user whoIsrqdmpa; then echo OK; else echo fail; fi
10find: ‘whoIsrqdmpa’ is not the name of a known user
11fail

 1if [ $# != 1 -o "$1" = '--help' ]; then
 2  echo 1>&2 'USAGE: uninstall_package <package-name>'
 3  exit 1
 4fi
 5echo
 6echo '# If package '"$1"' has setuid root binaries, then you need to be'
 7echo '# root for the following to work.'
 8echo '# Otherwise, you can do it as user '"$1"'.'
 9echo
10echo 'forall_direntries_from "'"$1"'" -depth \( -type d -exec echo rmdir {} \; \) -or \( -not -type d -exec echo rm -f {} \; \)'
11echo
12echo '# After successfully deleting all files, you may want to remove the'
13echo '# package user '"$1"'. But remember that if you do that you need to'
14echo '# remove or change ownership of '"$(eval echo ~"$1")"'. Unless you are'
15echo '# certain that you will never re-install '"$1"', it is probably better to'
16echo '# just keep the package user '"$1"' and its home directory around.'
17echo '# Anyway, if you want to delete the account, you can use the following'
18echo '# command:'
19echo 
20echo 'userdel "'"$1"'"'
21echo
22echo '# If your /etc/login.defs has USERGROUPS_ENAB set to "yes" (the default),'
23echo '# then userdel will automatically delete the package user'"'"'s group if'
24echo '# its name is identical to the user name. Otherwise, if you want to delete'
25echo '# the package user'"'"'s group, you will need to use the `groupdel'"'"' command.'
26echo

  1#!/bin/bash
  2
  3#The following list should contain the mount points of all filesystems
  4#that are to be scanned as a space-separated list within parentheses. 
  5#/ will usually be in this list and if you have /usr
  6#on a separate partition, it will also be in this list. Other non-special
  7#filesystems where suspicious files could be located should also be put in 
  8#this list.
  9#Mount points whose filesystems are special, such as procfs or sysfs should
 10#not be in this list. 
 11fs_to_scan=(/)
 12
 13#Files with a path prefix found in the following list are ignored.
 14#DO !!!!NOT!!! PUT /usr/src OR WHATEVER THE HOME DIRECTORY prefix is for your
 15#package users into this list!!! You DO want to scan those directories in
 16#order to spot e.g. world-writable tarballs and other abominations that
 17#may have crept in.
 18#Ideally, this list should be empty.
 19prune_prefixes=() #NO TRAILING SLASHES!!!
 20
 21#If the following variable is set to "yes", then files that contain
 22#control characters or other non-printable characters (except for space)
 23#will be reported as suspicious. 
 24#This test slows down the search considerably!
 25enable_illchars=yes
 26
 27
 28#suppress ugly debug output from shell
 29trap ':' SIGPIPE
 30
 31#"-false" as 1st argument is used when called by list_suspicious_files_from
 32if [ $# -ge 1 -a "$1" != "-false" ]; then
 33  echo 1>&2 
 34  echo 1>&2 "USAGE: ${0##*/}"
 35  echo 1>&2 
 36  echo 1>&2 '  Outputs a categorized list of files and directories with properties'
 37  echo 1>&2 '  that could mean trouble and should be investigated.'
 38  echo 1>&2
 39  exit 1
 40fi
 41
 42
 43usergroupmatch=(-true)
 44if [ "$1" = "-false" ]; then
 45  usergroupmatch=(\( "$@" \))
 46fi
 47
 48#construct find commands that match the prune_prefixes. Each prefix will be
 49#matched as -path <prefix> -or -path <prefix>/*
 50#so that the directory itself and all subdirectories are matched.
 51y=(\( -false)
 52for ((i=0; $i<${#prune_prefixes[@]}; i=$i+1)) 
 53do
 54  y[${#y[@]}]='-or'
 55  y[${#y[@]}]=-path
 56  y[${#y[@]}]="${prune_prefixes[$i]}"
 57  y[${#y[@]}]='-or'
 58  y[${#y[@]}]=-path
 59  y[${#y[@]}]="${prune_prefixes[$i]}/*"
 60done
 61y[${#y[@]}]=')'
 62
 63illchars=( $'\x1'  $'\x2'  $'\x3'  $'\x4'  $'\x5'  $'\x6'  $'\x7'  $'\x8'  
 64  $'\x9'  $'\xA'  $'\xB'  $'\xC'  $'\xD'  $'\xE'  $'\xF'  $'\x10'  $'\x11' 
 65  $'\x12'  $'\x13'  $'\x14'  $'\x15'  $'\x16'  $'\x17'  $'\x18'  $'\x19'  
 66  $'\x1A'  $'\x1B'  $'\x1C'  $'\x1D'  $'\x1E'  $'\x1F'  $'\x7f' $'\x80' 
 67  $'\x81'  $'\x82'  $'\x83'  $'\x84'  $'\x85'  $'\x86'  $'\x87'  $'\x88'  
 68  $'\x89'  $'\x8A'  $'\x8B'  $'\x8C'  $'\x8D'  $'\x8E'  $'\x8F'  $'\x90'  
 69  $'\x91'  $'\x92'  $'\x93'  $'\x94'  $'\x95'  $'\x96'  $'\x97'  $'\x98'  
 70  $'\x99'  $'\x9A'  $'\x9B'  $'\x9C'  $'\x9D'  $'\x9E'  $'\x9F' ) 
 71
 72
 73if [ "$enable_illchars" = yes ]; then
 74
 75  illname=(\( -false)
 76  for ((i=0; $i<${#illchars[@]}; i=$i+1)) 
 77  do
 78    #handle bash \x7f error
 79    if [ "*${illchars[$i]}*" = "**" ]; then
 80      illchars[$i]=$'\x80'  #'
 81    fi
 82    illname[${#illname[@]}]='-or'
 83    illname[${#illname[@]}]=-name
 84    illname[${#illname[@]}]="*${illchars[$i]}*"
 85  done
 86  illname[${#illname[@]}]=')'
 87
 88  illlink=(\( -false)
 89  for ((i=0; $i<${#illchars[@]}; i=$i+1)) 
 90  do
 91    illlink[${#illlink[@]}]='-or'
 92    illlink[${#illlink[@]}]=-lname
 93    illlink[${#illlink[@]}]="*${illchars[$i]}*"
 94  done
 95  illlink[${#illlink[@]}]=')'
 96else #if [ "$enable_illchars" = no ]
 97  illlink=(-false)
 98  illname=(-false)
 99fi
100
101# $1=section heading
102# $2=inode message
103report()
104{
105  echo -printf "increment_code_here"
106  echo -printf 
107  echo "1 ${1}\\n" | sed 's/ /\\040/g'
108  echo -printf "insert_code_here"
109  
110  if [ -n "$2" ]; then
111    echo -printf 
112    echo "2 %i 1 ${2}\\n" | sed 's/ /\\040/g'
113    echo -printf "insert_code_here"
114    echo -printf 
115    echo "2 %i 2 " | sed 's/ /\\040/g'
116  else
117    echo -printf "2\\040" 
118  fi
119  
120  echo -exec ls -T 0 -ladQ {} \;
121}
122
123
124filegoodperm=(\( -perm 644 -or -perm 755 -or -perm 555 -or -perm 444 -or -perm 600 -or -perm 700 -or -perm 640 \))
125dirgoodperm=(\( -perm 755 -or -perm 555 -or -perm 700 -or -perm 750 \))
126
127good=( \( 
128          -not \( -not -type d -links +1 \)
129          -not -nouser -not -nogroup 
130          -not \( "${illname[@]}" \) 
131          -not \( "${illlink[@]}" \) 
132       \) 
133       -and
134\(
135      \( -type f -not -group install "${filegoodperm[@]}" \) 
136  -or \( -type d -not -group install "${dirgoodperm[@]}" \)
137  -or \( -type d -group install \( -perm 1775 \) \)
138  -or \( -type d -group root -user root -path "/tmp" \( -perm 1777 \) \)
139  -or \( -type d -group root -user root -path "/var/tmp" \( -perm 1777 \) \)
140  -or \( -not -type d -not -type f -not -type l -path "/dev/*" \)
141  -or \( -type l \( -xtype b -or -xtype c -or -xtype d -or -xtype p -or -xtype f \) \)
142\)
143)
144
145bad=(
146    \( "${illname[@]}" $(report  "NON-PRINTABLE CHAR IN NAME")  \)
147 OP \( "${illlink[@]}" $(report  "NON-PRINTABLE-CHAR IN LINK-TARGET")  \)
148 OP \( -type f -perm -4000 $(report  "SETUID FILES")  \)
149 OP \( -type f -perm -2000 $(report  "SETGID FILES")  \)
150 OP \( -type f -perm -1000 $(report  "STICKY FILES")  \)
151 OP \( -type d -perm -2000 $(report  "GROUP-KEEPING DIRECTORIES")  \)
152 OP \( -type d -not -group install -perm -1000  $(report  "STICKY DIRECTORIES")  \)
153 OP \( -type f -perm -g+w  $(report  "GROUP-WRITABLE FILES")  \)
154 OP \( -type f -perm -o+w  $(report  "WORLD-WRITABLE FILES")  \)
155 OP \( -type d -perm -g+w  $(report  "GROUP-WRITABLE DIRECTORIES")  \)
156 OP \( -type d -perm -o+w  $(report  "WORLD-WRITABLE DIRECTORIES")  \)
157 OP \( -not \( -type f -or -type l -or -type d \) -not -path "/dev/*"  $(report  "SPECIAL FILES OUTSIDE /dev")  \)
158 OP \( -type d -group install -not -perm 1755  $(report  "INSTALL DIRECTORIES WITH UNUSUAL PERMISSIONS")  \)
159 OP \( -type f -group install $(report  "FILES ASSIGNED TO GROUP INSTALL")  \)
160 OP \( -type l -not \( -xtype b -or -xtype c -or -xtype d -or -xtype p -or -xtype f \) $(report  "SYMLINKS POSSIBLY BROKEN OR LOOP")  \)
161 OP \( -not -type d -links +1 $(report "HARDLINKED FILES" "Inode %i is shared by %n files, including") \)
162 OP \( -nouser  $(report  "THINGS HAVING UID WITH NO ASSIGNED USER NAME")  \)
163 OP \( -nogroup  $(report  "THINGS HAVING GID WITH NO ASSIGNED GROUP NAME")  \)
164 OP \( -type f -not -group install -not "${filegoodperm[@]}"  $(report  "FILES WITH UNUSUAL PERMISSIONS")  \)
165 OP \( -type d -not -group install -not "${dirgoodperm[@]}"  $(report  "DIRECTORIES WITH UNUSUAL PERMISSIONS")  \)
166)
167
168#insert unique codes for the messages
169code=100
170for ((i=0; $i<${#bad[@]}; i=$i+1)) 
171do
172  if [ "${bad[$i]}" = "increment_code_here" ]; then
173    code=$(($code + 1))
174    bad[$i]=$code
175  elif [ "${bad[$i]}" = "insert_code_here" ]; then
176    bad[$i]=$code
177  fi
178done
179
180allbad=()  #all bad matches are reported
181onebad=()  #only the first bad match is reported
182for ((i=0; $i<${#bad[@]}; i=$i+1)) 
183do
184  if [ "${bad[$i]}" = "OP" ]; then
185    allbad[$i]=","
186    onebad[$i]="-or"
187  else
188    allbad[$i]="${bad[$i]}"
189    onebad[$i]="${bad[$i]}"
190  fi
191done
192
193#Add a default case to onebad.
194#This should never be hit, because the explicit cases should catch all
195#files, but just in case I've missed something, this will catch it.
196onebad=("${onebad[@]}" -or  $(report  "WEIRD SHIT") )
197
198#make allbad always return false
199allbad=("${allbad[@]}" , -false)
200
201cmd=( "${usergroupmatch[@]}" -and
202     \( \( "${good[@]}" \) -or \( "${allbad[@]}" \) -or \( "${onebad[@]}" \) \)
203    )
204
205#In the following find command, the part
206# -not ( ( "${y[@]}" -prune ) -or "${y[@]}" )
207#is responsible for preventing the files that match prune_prefixes from
208#being processed. The 2nd "${y[@]}" may seem redundant, but it isn't, because
209#-prune has no effect and is always false when -depth is used.
210find "${fs_to_scan[@]}" -xdev -noleaf \
211     -not \( \( "${y[@]}" -prune \) -or "${y[@]}" \) \
212     -and \( "${cmd[@]}" \) | 
213sed 's/^\(...2\) \([0-9]\+ 2 \)\?\([^ ]\+\) \+[^ ]\+ \+\([^ ]\+\) \+\([^ ]\+\) \+[^"]\+\(".\+\)/\1 \2\3 \6  \4:\5/' |
214sort -u | 
215sed 's/^...1 /\'$'\n''/;s/^...2 [0-9]\+ 1 /\'$'\n''  /;s/^...2 [0-9]\+ 2 /    /;s/^...2 /  /'

 1#!/bin/bash
 2# Copyright (c) 2004 Matthias S. Benkmann <article AT winterdrache DOT de>
 3# You may do everything with this code except misrepresent its origin.
 4# PROVIDED `AS IS' WITH ABSOLUTELY NO WARRANTY OF ANY KIND!
 5
 6if [ $# != 1 -o "$1" = "--help" ]; then
 7  echo 1>&2
 8  echo 1>&2 'USAGE: '"${0##*/}"' <user_or_group>'
 9  echo 1>&2
10  echo 1>&2 '  Outputs a categorized list of files and directories with properties'
11  echo 1>&2 '  that could mean trouble and should be investigated.'
12  echo 1>&2 '  Suspicious objects will be reported only if group and/or user equals'
13  echo 1>&2 '  <user_or_group> (numeric UID/GID allowed).'
14  echo 1>&2 '  This script calls `'"${0%_*}'"' for the real work.'
15  echo 1>&2
16  exit 1
17fi
18
19ugname="$1"
20
21ugmatcher=(-false)
22#test if find accepts ugname as a user, and append to ugmatcher if it does
23if find / -maxdepth 0 -user "$ugname" >/dev/null 2>&1 ; then
24  ugmatcher[${#ugmatcher[@]}]="-or"
25  ugmatcher[${#ugmatcher[@]}]="-user"
26  ugmatcher[${#ugmatcher[@]}]="$ugname"
27fi
28#test if find accepts ugname as a group, and append to ugmatcher if it does
29if find / -maxdepth 0 -group "$ugname" >/dev/null 2>&1 ; then
30  ugmatcher[${#ugmatcher[@]}]="-or"
31  ugmatcher[${#ugmatcher[@]}]="-group"
32  ugmatcher[${#ugmatcher[@]}]="$ugname"
33fi
34
35#if find accepted ugname as neither user nor group, then exit
36if [ "${#ugmatcher[@]}" = 1 ]; then
37  echo 1>&2 'find does not accept `'"$ugname'"' as group or user name'
38  exit 1
39fi
40
41"${0%_*}" "${ugmatcher[@]}"