Scours the /home filesystem, checks that each file in /home/$user is owned by $user, and generates a report based on security policy violations.
I wrote this for a security-cleanup project at work, but maybe someone else can find it useful as well.
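#!/usr/local/bin/perl -w
use strict;

# Grab a list of directories in /home.
my (@users) = </home/*>;
foreach (@users) { $_ =~ s/\/home\/(.*)$/$1/; }

# Print a header.
print STDERR "\n Generating report (this may take a while)...\n\n";
printf " %-60s %5s %s\n", 'Offending file', 'UID', 'User owned by';
print "-"x86 . "\n";

# Run through each directory (/home/$usr), checking that all files are
# owned by the correct owner ($usr).
# Note: the * glob does not match dotfiles, so entries such as .ssh are
# not examined by this loop.
foreach my $usr (@users) {
    my $uid = getpwnam($usr);
    next unless defined $uid;    # Directory name has no passwd entry.
    my @files = </home/$usr/*>;
    # Treat @files as a queue so subdirectory contents can be appended
    # safely while it is being processed.
    while (defined(my $fil = shift @files)) {
        next if -l $fil;    # Skip symlinks (and keep scanning the rest).
        if (-d $fil) { push @files, <$fil/*>; }
        my $fuid = (stat($fil))[4];
        if ((defined $fuid) && ($fuid != $uid)) {
            # The owning UID may have no passwd entry (deleted account).
            my $owner = getpwuid($fuid);
            printf " %-60s %6s %s\n", $fil, $fuid,
                defined $owner ? $owner : '(unknown)';
        }
    }
}
print "\n";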
# Perldoc.

=head1 NAME

B<hosr> - Homedir ownership security report

=head1 DESCRIPTION

B<hosr> scours the /home filesystem, checks that each file in
/home/$user is owned by $user, and generates a report based
on security policy violations.

=head1 AUTHOR/CVS

$Id: hosr,v 1.1 2003/01/27 21:42:22 schnesa Exp $

=cut
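
An added example, not part of the original script: the same ownership check built on File::Find and lstat, so dotfiles such as .ssh and names containing whitespace are covered, and a symlink is judged by the owner of the link itself instead of being skipped. The foreign_entries helper and the optional base-directory argument are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;

# Return [path, uid] pairs for every entry under $home (including $home
# itself) whose owner differs from $uid. lstat() inspects a symlink rather
# than its target, and File::Find does not descend through symlinks.
sub foreign_entries {
    my ($home, $uid) = @_;
    my @found;
    find({
        no_chdir => 1,
        wanted   => sub {
            my @st = lstat($File::Find::name) or return;  # vanished mid-scan
            push @found, [$File::Find::name, $st[4]] if $st[4] != $uid;
        },
    }, $home);
    return @found;
}

# Assumption of this example: scan /home unless another base is given.
my $base = @ARGV ? $ARGV[0] : '/home';
opendir(my $dh, $base) or die "Cannot open $base: $!\n";
my @names = grep { !/^\.\.?$/ && -d "$base/$_" && !-l "$base/$_" } readdir($dh);
closedir($dh);

printf " %-60s %6s %s\n", 'Offending file', 'UID', 'User owned by';
foreach my $usr (sort @names) {
    my $uid = getpwnam($usr);
    next unless defined $uid;    # directory name is not an account
    foreach my $hit (foreign_entries("$base/$usr", $uid)) {
        my ($path, $fuid) = @$hit;
        my $owner = getpwuid($fuid);
        printf " %-60s %6s %s\n", $path, $fuid,
            defined $owner ? $owner : '(no passwd entry)';
    }
}
```

Run it as root so unreadable subdirectories are not silently skipped; entries owned by a UID with no account are the ones left behind by deleted users.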