[LON-CAPA-cvs] cvs: doc /loncapafiles sanitycheck.piml
harris41
lon-capa-cvs@mail.lon-capa.org
Sun, 22 Sep 2002 08:23:26 -0000
harris41 Sun Sep 22 04:23:26 2002 EDT
Modified files:
/doc/loncapafiles sanitycheck.piml
Log:
Checking against, and recommending a fix, for a fairly significant security
hole.
Index: doc/loncapafiles/sanitycheck.piml
diff -u doc/loncapafiles/sanitycheck.piml:1.5 doc/loncapafiles/sanitycheck.piml:1.6
--- doc/loncapafiles/sanitycheck.piml:1.5 Sat Aug 17 14:59:48 2002
+++ doc/loncapafiles/sanitycheck.piml Sun Sep 22 04:23:26 2002
@@ -3,7 +3,7 @@
<!-- sanitycheck.piml -->
<!-- Scott Harrison -->
-<!-- $Id: sanitycheck.piml,v 1.5 2002/08/17 18:59:48 harris41 Exp $ -->
+<!-- $Id: sanitycheck.piml,v 1.6 2002/09/22 08:23:26 harris41 Exp $ -->
<!--
@@ -32,6 +32,55 @@
<piml>
<targetroot>/</targetroot>
<files>
+<file>
+<target dist='default'>/var/lib/mysql/mysql.sock</target>
+<perlscript mode='fg'>
+unless
+ (-e '<TARGET />') # Does file exist?
+ {
+ print("**** ERROR **** Missing <TARGET />\n");
+ }
+else # It exists, so look at the file metadata more closely.
+ {
+ my @s = stat('<TARGET />');
+ my $uid = $s[4];
+ my $mode = $s[2];
+ my $web_uid = getpwnam('www');
+ my $smode = sprintf("%04o",$mode & 07777);
+
+ if ($uid ne $web_uid) # If file owned by someone else other than www.
+ {
+ print('**** ERROR **** <TARGET /> should be owned by'.
+ ' www.'."\n".'Try these commands to make things right:'."\n".
+ 'chown www:www /var/lib/mysql/mysql.sock'."\n".
+ 'chmod a-rwx,u+rwx /var/lib/mysql/mysql.sock'."\n");
+ }
+ else # Check permissions on the file to make sure it is private to apache2.
+ {
+ $smode =~ /^.(.)..$/;
+ my $wflag = $1;
+ if ($wflag != 7)
+ {
+ print('**** ERROR **** '.
+ '<TARGET /> should be user "rwx" (by'.
+ ' www).'."\n".'Try these commands to make things right:'."\n".
+ 'chown www:www /var/lib/mysql/mysql.sock'."\n".
+ 'chmod a-rwx,u+rwx /var/lib/mysql/mysql.sock'."\n");
+ }
+ $smode=~/^..(..)$/;
+ $wflag=$1;
+ if ($wflag ne "00")
+ {
+ print('**** ERROR **** '.
+ '<TARGET /> should not be group or everybody accessible'.
+ '.'."\n".'Try these commands to make things right:'."\n".
+ 'chown www:www /var/lib/mysql/mysql.sock'."\n".
+ 'chmod a-rwx,u+rwx /var/lib/mysql/mysql.sock'."\n");
+ }
+ }
+ }
+</perlscript>
+</file>
<file>
<target dist='default'>/etc/httpd/conf/loncapa.conf</target>
<perlscript mode='fg'>
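Review bot: The ownership test `if ($uid ne $web_uid)` compares two numeric uids with a string operator and has no handling for `getpwnam('www')` returning undef when the host has no `www` account, in which case every owner is reported as wrong and the suggested `chown www:www` would fail as well; `my $web_uid = getpwnam('www');` should be followed by `defined $web_uid or print("**** ERROR **** no 'www' user found\n");` and the comparison written `if ($uid != $web_uid)`. The two permission checks round-trip `$mode` through `sprintf("%04o", ...)` and then pull digits back out with unchecked captures that reuse `$1` and `$wflag`; the same conditions are clearer as direct bit tests, `if (($mode & 0700) != 0700)` for the user rwx requirement and `if ($mode & 0077)` for any group/other access, with no regex at all. Since the socket file is presumably recreated by mysqld each time it starts, the chown/chmod commands in the error text likely hold only until the next restart, which the message could mention so an administrator also fixes the daemon's configured socket ownership and umask.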