From e63b77647b4affaaa93b8c9c32dec2cc6c00d888 Mon Sep 17 00:00:00 2001
From: Rob
Date: Mon, 29 Jun 2009 10:40:24 +0200
Subject: [PATCH] Added lstat information and ? + --Status + manual
---
 signduterre.py | 45 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/signduterre.py b/signduterre.py
index a0fddd0..4bb6d82 100755
--- a/signduterre.py
+++ b/signduterre.py
@@ -8,8 +8,8 @@ Usage: signduterre.py [options] FILE1 FILE2 ...
 Options:
 -h, --help show this help message and exit
- -s HEX, --salt=HEX Enter salt in hexadecimal. If not given, a salt will be
- suggested
+ -s HEX, --salt=HEX Enter salt in hexadecimal. If not given, a salt will
+ be suggested
 -p TEXT, --passphrase=TEXT
 Enter passphrase in cleartext
 -c FILE, --check-file=FILE
@@ -18,6 +18,9 @@ Options:
 Use names from input-file (one filename per line)
 -u USER, --user=USER Execute $(cmd) as USER, default 'nobody' (root/sudo only)
+ -S, --Status For each file, add a line with unvarying file status
+ information: st_mode, st_ino, st_dev, st_uid, st_gid,
+ and st_size (like the '?' prefix, default False)
 -t, --total-only Only print the total hash, must be checked BEFORE running --detail (default True)
 -d, --detailed-view Print hashes of individual files, must be checked
@@ -27,6 +30,7 @@ Options:
 -m, --manual Print the manual and exit
 -r, --release-notes Print the release notes and exit
 -l, --license Print license text and exit
+ -v, --verbose Print more information
 FILE1 FILE2 ... Names and paths of one or more files to be checked. Any name starting with a '$', eg, $PATH, will be
@@ -42,6 +46,11 @@ in the distribution version.
 The -n or --no-execute option explicitely supress the interpretation of $arg arguments.
+Meta information from lstat on files is signed when the filename is preceded by a '?'. '?./signduterre.py' will
+extract (st_mode, st_ino, st_dev, st_uid, st_gid, st_size) and hash a line of these data (visible with --verbose).
+The --Status option will automatically add such a line in front of every file. Note that '?' works on directories.
+'?/' produces a hash of, eg,: lstat(/) = [st_mode=041775, st_ino=2, st_dev=234881026, st_uid=0, st_gid=80, st_size=1360]
+
 Signature-du-Terroir A very simple security application to test for the integrity of files and "states" in a computer installation.
@@ -188,6 +197,9 @@ parser.add_option("-i", "--input-file",
 parser.add_option("-u", "--user",
 dest="user", default="nobody", metavar="USER",
 help="Execute $(cmd) as USER, default 'nobody' (root/sudo only)")
+parser.add_option("-S", "--Status",
+ dest="status", default=False, action="store_true",
+ help="For each file, add a line with unvarying file status information: st_mode, st_ino, st_dev, st_uid, st_gid, and st_size (like the '?' prefix, default False)")
 parser.add_option("-t", "--total-only",
 dest="total", default=False, action="store_true",
 help="Only print the total hash, must be checked BEFORE running --detail (default True)")
@@ -209,6 +221,9 @@ parser.add_option("-r", "--release-notes",
 parser.add_option("-l", "--license",
 dest="license", default=False, action="store_true",
 help="Print license text and exit")
+parser.add_option("-v", "--verbose",
+ dest="verbose", default=False, action="store_true",
+ help="Print more information")
 (options, check_filenames) = parser.parse_args();
 # Print license
@@ -228,6 +243,8 @@ if options.releasenotes:
 my_salt = options.salt;
 my_passphrase = options.passphrase;
 my_check = options.check;
+my_status = options.status;
+my_verbose = options.verbose;
 execute = options.execute;
 noexecute = options.noexecute;
 input_file = options.input;
@@ -254,6 +271,14 @@ if input_file:
 # Clean up filename
 current_filename = re.sub('[^\w\-\.\/\$\{\(\)\}]', '', line);
 check_filenames.append(current_filename);
+
+if my_status:
+ stat_list = [];
+ for x in check_filenames:
+ if not x.startswith(('?', '$')):
+ stat_list.append('?'+x);
+ stat_list.append(x);
+ check_filenames = stat_list;
 # Construct the passphrase hash
 passphrase = hashlib.sha256();
@@ -343,17 +368,29 @@ for filename in check_filenames:
 if not sys.stdout.isatty(): print error_message; exit(1);
 # Commands $(command)
- match = re.search('^\$([\(\{]?)([^\)]+)[\)\}]?$', filename);
+ match = re.search('^\$([\(\{]?)([^\)\}]+)[\)\}]?$', filename);
 if match != None:
 if match.group(1) == '(':
 current_command = not_allowed_chars.sub(" ", match.group(2));
+ if my_verbose:
+ print "# "+ user_change+"bash --restricted -c \'"+current_command+"\'";
 (status, b) = commands.getstatusoutput(user_change+"bash --restricted -c \'"+current_command+"\'");
 if status != 0: print >> sys.stderr, '$('+current_command+')'+"\n"+b; exit(status);
 else:
- b = os.environ['PATH'];
+ current_var = not_allowed_chars.sub(" ", match.group(2));
+ if my_verbose:
+ print "# echo $"+ current_var;
+ b = os.environ[current_var];
+ filehash.update(b);
+ # lstat() meta information
+ elif filename.startswith('?'):
+ filestat = os.lstat(filename.lstrip('?'));
+ b = 'lstat('+filename.lstrip('?')+') = [st_mode='+str(oct(filestat.st_mode))+', st_ino='+str(filestat.st_ino)+', st_dev='+str(filestat.st_dev)+', st_uid='+str(filestat.st_uid)+', st_gid='+str(filestat.st_gid)+', st_size='+str(filestat.st_size)+']';
 filehash.update(b);
+ if my_verbose:
+ print "# "+ b;
 # Use file
 else:
 # open and read the file
-- 
2.11.4.GIT
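Review bot: The `?` prefix the manual describes cannot be given through --input-file, because the sanitizer on the context line just above the new block, `re.sub('[^\w\-\.\/\$\{\(\)\}]', '', line)`, strips `?` before the name is appended; only --Status, which adds the prefix after sanitization, reaches the lstat branch for names read from a file. If the prefix is meant to work there, extend the allowed set: `current_filename = re.sub('[^\w\-\.\/\$\{\(\)\}\?]', '', line);`. The `startswith(('?', '$'))` test silently skips entries that are already lstat or command items, which looks intended but deserves a one-line comment such as `# do not add a stat line for entries that are already '?' or '$' items`. The enclosing `if input_file:` block starts before the hunk.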
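Review bot: `b = os.environ[current_var]` raises an unhandled KeyError when the variable is not set (or when `not_allowed_chars.sub` has altered the requested name), whereas the `$(cmd)` branch directly above reports the failure on stderr and exits; the `$VAR` branch should behave the same, e.g. `if current_var not in os.environ: print >> sys.stderr, '$'+current_var+' is not set'; exit(1);` before the lookup. Likewise `os.lstat(filename.lstrip('?'))` raises OSError for a missing or inaccessible path and nothing in the hunk catches it, so a check run over a removed file would end in a traceback instead of the error_message path — worth confirming against the file-open branch, which continues outside the hunk, as does the enclosing `for filename in check_filenames:` loop. Minor: `oct()` already returns a string, so `str(oct(filestat.st_mode))` can be `oct(filestat.st_mode)`. The manual's "unvarying" wording would benefit from a caveat that st_ino and st_dev are stable only while the same inode is in place: a file replaced by write-and-rename, or a different device numbering after a reboot, changes this hash even though the content did not.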