Overview

File tests_binary_rpath of Package lynis

#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <thomas@suse.de>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies if a binary contains an insecure RPATH variable.
#
#################################################################################
#
# TODO:
#
################################################################################
#
    InsertSection "Binary integrity"
    report "[Software]"
#
#################################################################################
#
    # Test        : BINARY-1000
    # Description : Verifies if a binary contains an insecure RPATH variable.
    Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Starting binary RPATH check..."
        logtext "Test: Checking binary integrity of RPATH"

	RPNOTOK=0
	FILENUM=0
	HPBAD=0
	for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
	do
		((FILENUM++))
		for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
		do
			if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
			while [ -n "$RPATH_VAL" ]
			do
				RPATH_VAL_NXT=${RPATH_VAL%%:*}
				RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
				test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)

				case ":$RPATH_VAL_NXT" in
					:/usr/lib*)
						;;
					:/lib*)
						;;
					:/opt/*/lib*)
						;;
					:/usr/X11R6/lib*)
						;;
					:/usr/local/lib*)
						;;
					*)
						((HPBAD--))
						RPNOTOK=1;
						Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
				esac
			done
		done
	done
	if [ $RPNOTOK == 0 ]; then
		Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
	fi
	AddHP $HPBAD 0

    fi
#
#################################################################################
#

wait_for_keypress
openSUSE Build Service is sponsored by
Places