| OLD | NEW |
| 1 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | 1 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. |
| 2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
| 3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
| 4 | 4 |
| 5 # Parent file must include memento_updater_logging.sh | 5 # Parent file must include memento_updater_logging.sh |
| 6 # This file cannot be run by itself, it must be included. | 6 # This file cannot be run by itself, it must be included. |
| 7 | 7 |
| 8 OVERRIDE_IS_SECURE="YES" | 8 # Return the value for a given key in the override lsb-release file. |
| 9 FACTORY_OVERRIDE_IS_SECURE="YES" | 9 # If no value is found, checks in the standard lsb-release file. |
| 10 | |
| 11 # Return the value for a given key in the override lsb-release file if the | |
| 12 # file is secure. If no value is found, checks in the standard lsb-release | |
| 13 # file. | |
| 14 findLSBValue() | 10 findLSBValue() |
| 15 { | 11 { |
| 16 if [ "$FACTORY_OVERRIDE_IS_SECURE" = "YES" ] | 12 # Check factory lsb file. |
| 17 then | 13 value=$(grep ^$1 $FACTORY_LSB_FILE | cut -d = -f 2-) |
| 18 # Check factory lsb file. | |
| 19 value=$(grep ^$1 $FACTORY_LSB_FILE | cut -d = -f 2-) | |
| 20 fi | |
| 21 | 14 |
| 22 if [ -z "$value" ] | 15 if [ -z "$value" ] |
| 23 then | 16 then |
| 24 value=$(grep ^$1 /etc/lsb-release | cut -d = -f 2-) | 17 value=$(grep ^$1 /etc/lsb-release | cut -d = -f 2-) |
| 25 fi | 18 fi |
| 26 | 19 |
| 27 # Don't remove this echo, this is not for test purpose | 20 # Don't remove this echo, this is not for test purpose |
| 28 echo $value | 21 echo $value |
| 29 } | 22 } |
| 30 | 23 |
| 31 # Returns 0 if the file or folder is owned by root and not writable | |
| 32 # by group/other. Returns 1 otherwise. | |
| 33 checkRootPermission() | |
| 34 { | |
| 35 if [ -z "$1" ] | |
| 36 then | |
| 37 log Path is missing, unable to check permissions | |
| 38 return 1 | |
| 39 fi | |
| 40 # Verifying root owner for the passed in value ($1) | |
| 41 OWNER=$(stat -c '%U:%G' "$1") | |
| 42 | |
| 43 if [ "$OWNER" != "root:root" ] | |
| 44 then | |
| 45 return 1 | |
| 46 else | |
| 47 # File has root:root permission so now we will check write permission | |
| 48 # on the file. | |
| 49 PERMISSION=$(stat -c '%A' "$1") | |
| 50 # PERMISSION would be something like -rw-r--r--, so we are parsing | |
| 51 # w bits for owner, group and others. | |
| 52 GROUP_WRITE=$(echo "$PERMISSION" | cut -b 6) | |
| 53 OTHER_WRITE=$(echo "$PERMISSION" | cut -b 9) | |
| 54 | |
| 55 # Except owner, nobody should have write permission. (owner has to be root) | |
| 56 if [ "$GROUP_WRITE" != '-' -o "$OTHER_WRITE" != '-' ] | |
| 57 then | |
| 58 return 1 | |
| 59 fi | |
| 60 fi | |
| 61 return 0 | |
| 62 } | |
| 63 | |
| 64 FACTORY_STATEFUL_VAR=/mnt/stateful_partition/dev_image | |
| 65 FACTORY_STATEFUL_ETC=/mnt/stateful_partition/dev_image/etc | |
| 66 FACTORY_LSB_FILE=/mnt/stateful_partition/dev_image/etc/lsb-factory | 24 FACTORY_LSB_FILE=/mnt/stateful_partition/dev_image/etc/lsb-factory |
| 67 | |
| 68 FACTORY_LIST_TO_CHECK=" | |
| 69 $FACTORY_STATEFUL_VAR | |
| 70 $FACTORY_STATEFUL_ETC | |
| 71 $FACTORY_LSB_FILE | |
| 72 " | |
| 73 | |
| 74 for FILE_NAME in $FACTORY_LIST_TO_CHECK | |
| 75 do | |
| 76 if ! checkRootPermission "$FILE_NAME" | |
| 77 then | |
| 78 log non-root can write to $FILE_NAME, thus ignoring $FACTORY_LSB_FILE | |
| 79 # If we find there is security hole, we set this flag | |
| 80 FACTORY_OVERRIDE_IS_SECURE=NO | |
| 81 fi | |
| 82 done | |
| 83 | |
| OLD | NEW |