-
Notifications
You must be signed in to change notification settings - Fork 11
/
chkstk
executable file
·125 lines (115 loc) · 2.66 KB
/
chkstk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#!/bin/sh
# chkstk
#
# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED.
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Given an rpm, it will look at each file to check that its compiled with
# the intended flags to make it more secure. This tests for stack protector.
#
# If the --all option is given, it will generate a list of rpms and then
# summarize the rpm's state. For yes, then all files are in the expected
# state. Just one file not compiled with the right flags can turn the
# answer to no. Re-run passing that package (instead of --all) for the details.
VERSION="0.5.2"
usage () {
echo "chksec [--version|--all|<rpmname>...]"
if [ $EUID != 0 ] ; then
echo "You might need to be root to read some files"
fi
exit 0
}
if [ "$1" = "--help" -o $# -eq 0 ] ; then
usage
fi
if [ "$1" = "--all" ] ; then
MODE="all"
else
MODE="single"
fi
do_one () {
if ! rpm -q $1 >/dev/null 2>&1 ; then
if [ "$MODE" = "single" ] ; then
echo "$1 is not installed"
exit 1
else
echo "not installed"
return
fi
fi
files=`rpm -ql $1`
# Prevent garbled output when doing --all.
skip_current=0
source ./is_elf
for f in $files
do
if [ ! -f "$f" ] ; then
continue
fi
# Some packages have files with ~ in them. This avoids it.
if ! echo "$f" | grep '^/' >/dev/null ; then
continue
fi
if [ ! -r "$f" ] && [ $EUID != 0 ] ; then
if [ $MODE = "single" ] ; then
echo "Please re-test $f as the root user"
else
# Don't print results.
skip_current=1
echo "Please re-test $1 as the root user"
fi
continue
fi
if ! is_elf "$f" ; then
continue
fi
STACK="no"
if readelf -sW "$f" 2>/dev/null | grep -q '__stack_chk_fail'; then
STACK="yes"
fi
# OK, ready for the output
if [ "$MODE" = "single" ] ; then
printf "%-56s %-7s " "$f" "$STACK"
echo
else
if [ "$STACK" = "no" ] ; then
STACK_SUM="no"
fi
fi
done
}
if [ "$MODE" = "single" ] ; then
printf "%-56s %-10s" "FILE" "STACK"
echo
f=$(basename $1)
# Strip the .rpm extension, if present.
do_one ${f%%.rpm}
exit 0
fi
# Skip the kernel as its special
packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | grep -Ev 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
printf "%-50s %-5s" "PACKAGE" "STACK"
echo
for p in $packages
do
STACK_SUM="yes"
printf "%-50s " $p
do_one $p
if [[ $skip_current -eq 1 ]] ; then
continue
fi
if [ "$STACK_SUM" = "yes" ] ; then
printf "%-5s " "$STACK_SUM"
else
printf "%-5s " "$STACK_SUM"
fi
echo
done
exit 0