#!/usr/bin/env bash
# Author: Oliver Ladner <oli@lugh.ch>
# License: LGPL
#
# Checks the webroot for files being owned by www daemon and
# writable at the same time. This is only needed by some files
# so known-good paths are listed in a whitelist below; everything else is reported.
# Requires bash 3.2
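set -euo pipefail

# Directory tree to audit.
WWWROOT=/var/www/
# Account the web daemon runs as; the same name is used as the group below.
WWWUSER=www-data

# Paths that are allowed to be writable by the web daemon.
# Each element is one POSIX ERE, matched unanchored against the full path
# printed by find.  Keep ONE pattern per element: the previous single
# multi-line alternation string lost its line continuations (only the
# '/cache/foo' entry could ever match), and a stray trailing '|' in such a
# string yields an empty alternative that matches every path, silently
# whitelisting everything.  Dots are escaped so 'foo.example.org' does not
# also match 'fooXexample.org'.
# NB: unanchored means '/cache/foo' also matches '/cache/foobar.php';
# anchor with '$' or '($|/)' where a precise match is wanted.
WHITELIST=(
  'foo\.example\.org/cache'
  '/cache/foo'
  'blah/tmpfile\.txt'
  'sitemap\.xml'
)

# Number of writable paths reported, and number skipped because a
# whitelist pattern matched them.
listcount=0
whitelist_matches=0

# is_whitelisted PATH
# Returns 0 if any WHITELIST pattern matches PATH, 1 otherwise.
is_whitelisted() {
  local path=$1 pattern
  for pattern in "${WHITELIST[@]}"; do
    if [[ "$path" =~ $pattern ]]; then
      return 0
    fi
  done
  return 1
}

# Enumerate everything under WWWROOT the daemon could write to:
#   - owner-writable and owned by WWWUSER, or
#   - group-writable and group-owned by WWWUSER, or
#   - world-writable (writable by anyone, so in practice by the daemon).
# Symlinks are excluded from every branch (their mode is always 0777).
# The parentheses matter: find's implicit -a binds tighter than -o, so
# without them '! -type l' applied only to the first branch and group-
# writable symlinks were listed.  Records are NUL-delimited so a filename
# containing a newline cannot split into two lines and confuse the report.
while IFS= read -r -d '' matchedentry; do
  if is_whitelisted "$matchedentry"; then
    whitelist_matches=$((whitelist_matches+1))
  else
    # printf rather than 'echo -e': a filename containing '\c' or other
    # backslash escapes must not be interpreted and truncate the report.
    # The CRLF line ending of the original report format is kept.
    printf '%s\r\n' "$matchedentry"
    listcount=$((listcount+1))
  fi
done < <(find "$WWWROOT" ! -type l \
            \( \( -perm /u+w -user "$WWWUSER" \) \
            -o \( -perm /g+w -group "$WWWUSER" \) \
            -o -perm /o+w \) -print0)

# Exit status is 0 either way; callers must parse the summary line.
if [ "$listcount" -gt 0 ]; then
  echo "Finished: $listcount items are writable by '$WWWUSER' ($whitelist_matches whitelisted)."
else
  echo "No writable items found ($whitelist_matches whitelisted)."
fi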