#!/bin/ksh # # little shell script that changes permissions of various files to be a # bit more secure. # # Easy to add more: The format of the "description" line is: # # perm# IGNORED user group file # # Note that what's _really_ used is the 1st permission entry; the # 'ls -l' permission listing is simply for visual identification... # A perm#, user or group field of "NoDo" prevents that parameter from # being changed. # PATH=/bin IFS=" " print { while read line; do # # break down into sep. arguments. Handle wildcards correctly (i.e. # read $5 without globbing but glob later on) # IFS=" " set -f set $line set +f # # now change the files as required. I'm pretty stupid so I just # check to see if the file exists. If it does, then I attempt # to change the modes, etc. as described... # for file in $5; do if [[ -a $file ]]; then was=$(ls -lLd $file) print " Was: $was" if [[ $4 != 'NoDo' ]]; then chgrp $4 $file fi if [[ $3 != 'NoDo' ]]; then chown $3 $file fi if [[ $1 != 'NoDo' ]]; then chmod $1 $file fi now=$(ls -lLd $file) print " Now: $now\n" else print "*** I don't see \"$file\" ***\n" fi done done } << EOF 4755 -rwsr-xr-x root sys /bin/ps 2755 -rwxr-sr-x root sys /bin/pstat 755 -rwxr-xr-x root bin /etc/ncheck 755 drwxr-xr-x root sys /etc/fs 511 -r-x--x--x root root /etc/suid_exec 644 -rw-r--r-- root sys /etc/ps_data 644 -rw-r--r-- root sys /etc/dumpdates 755 -rwxr-xr-x root sys /etc/pac 644 -rw-r--r-- root sys /etc/state 644 -rw-r--r-- root sys /etc/rmtab 644 -rw-r--r-- root sys /etc/syslog.pid 644 -rw-r--r-- root sys /etc/FileIDs 644 -rw-r--r-- root bin /lib/librmt.a 644 -rw-r--r-- root adm /usr/adm/errfile 2755 -rwxr-sr-x root sys /usr/bin/lav 755 -rwxr-xr-x root bin /usr/bin/X11/xterm 4755 -rwsr-xr-x nobody nobody /usr/etc/in.fingerd 2755 -rwxr-sr-x root sys /usr/etc/ncstats 2755 -rwxr-sr-x root sys /usr/etc/nfsstat 755 -rwxr-xr-x root bin /usr/etc/rpcinfo 755 -rwxr-xr-x root bin /usr/ucb/rdist 755 -rwxr-xr-x root bin /usr/ucb/lptest 755 -rwxr-xr-x root bin /usr/lib/lpf 755 -rwxr-xr-x root bin /usr/lib/necf 755 -rwxr-xr-x root sys /usr/lib/sa/sadc 750 -rwxr-x--- adm adm /usr/lib/acct/diskusg o-rwx ---------- NoDo NoDo /usr/lib/acct/* o-rwx ---------- NoDo NoDo /usr/lib/cron/* 755 drwxr-xr-w root root / 755 drwxr-xr-w root bin /bin 755 drwxr-xr-w root sys /dev 640 -rw-r----- root sys /dev/kmem 640 -rw-r----- root sys /dev/mem 640 -rw-r----- root sys /dev/swap 755 drwxr-xr-w root sys /etc 755 drwxr-xr-w root bin /lib 755 drwxr-xr-w root bin /mac 755 drwxr-xr-w root bin /usr 755 drwxr-xr-x root adm /usr/adm 755 drwxr-xr-x root bin /usr/bin 755 drwxr-xr-x root sys /usr/etc 755 drwxr-xr-x root bin /usr/lib 755 drwxr-xr-x root bin /usr/local 755 drwxr-xr-w root bin /usr/mac 775 drwxrwxr-x root mail /usr/mail 755 drwxr-xr-x root bin /usr/ucb 755 drwxr-xr-x root bin /usr/local/bin 755 drwxr-xr-x root sys /usr/local/etc 755 drwxr-xr-x root bin /usr/local/lib 755 drwxr-xr-x root bin /usr/local/mac 755 drwxr-xr-w root bin /usr2 755 drwxr-xr-x root bin /usr2/bin 755 drwxr-xr-x root sys /usr2/etc 755 drwxr-xr-x root bin /usr2/lib 755 drwxr-xr-w root bin /usr2/mac 644 -rw-r--r-- root bin /lib/*.a 644 -rw-r--r-- root bin /usr/lib/*.a 644 -rw-r--r-- root bin /usr/local/lib/*.a EOF exit