📄 env_audit.c
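/*
 * Excerpt: the listing opens part-way through a function whose head is not
 * shown, so the declarations of f, st, i, leaked, val, am and tptr are outside
 * this view. The statements below finish the character-device branch, report
 * on the remaining descriptor types, and close the function. The code of that
 * function is reproduced unchanged (line breaks restored); review notes are
 * added as comments. The helper functions that follow it are complete.
 */
            tptr = ttyname(i);
            if (tptr) {
                fprintf(f, "character device\n");
                fprintf(f, "The tty connected to this descriptor is: %s\n",
                        tptr);
            } else {
                fprintf(f, "character device, inode: %ld\n", st.st_ino);
                find_inode(i, leaked);
            }
        } else if (S_ISBLK(st.st_mode)) {
            fprintf(f, "block device, inode: %ld\n", st.st_ino);
            find_inode(i, leaked);
        } else if (S_ISFIFO(st.st_mode)) {
            /* A link count of zero is reported as an anonymous pipe. */
            if (st.st_nlink == 0)
                fprintf(f, "pipe\n");
            else {
                fprintf(f, "fifo, inode: %ld, device: %d\n", st.st_ino,
                        (int)st.st_dev);
                find_inode(i, leaked);
            }
        } else if (S_ISLNK(st.st_mode))
            fprintf(f, "symbolic link\n");
        else if (S_ISSOCK(st.st_mode)) {
            xsockaddr localaddr, peeraddr;
            int llen, plen, port;
            struct sock_opts *sptr;
            char addr[INET6_ADDRSTRLEN];

            llen = sizeof(localaddr);
            plen = sizeof(peeraddr);
            fprintf(f, "socket\n");
            /*
             * NOTE(review): neither return value is checked and neither
             * address is initialized, so when a call fails (a socket with no
             * peer, for instance) the sa_family tests below read
             * indeterminate memory. llen/plen are int where the API takes
             * socklen_t *.
             */
            getsockname(i, &localaddr.sa, &llen);
            getpeername(i, &peeraddr.sa, &plen);
            if (localaddr.sa.sa_family == AF_INET) {
                inet_ntop(AF_INET, &localaddr.sa_in.sin_addr,
                          addr, sizeof(addr));
                port = ntohs(localaddr.sa_in.sin_port);
            } else if (localaddr.sa.sa_family == AF_INET6) {
                inet_ntop(AF_INET6, &localaddr.sa_in6.sin6_addr,
                          addr, sizeof(addr));
                port = ntohs(localaddr.sa_in6.sin6_port);
            } else if (localaddr.sa.sa_family == AF_UNIX) {
                port = 0;
                strcpy(addr, "Unix Domain");
            } else {
                strcpy(addr, "UNKNOWN");
                port = 0;
            }
            fprintf(f,"Address Family: %s\n",
                    lookup_family(localaddr.sa.sa_family));
            fprintf(f,"Local address: %s\n", addr);
            if (port) {
                if (port < 1024) {
                    // Look up service name
                    struct servent *serv = getservbyport(htons(port), NULL);
                    if (serv)
                        fprintf(f,"Local Port: %d, %s\n", port, serv->s_name);
                    else
                        fprintf(f,"Local Port: %d\n", port);
                    endservent();
                    fprintf(f, "NOTICE - connected to a "
                               "privileged port\n");
                } else
                    fprintf(f,"Local Port: %d\n", port);
            }
            if (peeraddr.sa.sa_family == AF_INET) {
                inet_ntop(AF_INET, &peeraddr.sa_in.sin_addr,
                          addr, sizeof(addr));
                port = ntohs(peeraddr.sa_in.sin_port);
            } else if (peeraddr.sa.sa_family == AF_INET6) {
                inet_ntop(AF_INET6, &peeraddr.sa_in6.sin6_addr,
                          addr, sizeof(addr));
                port = ntohs(peeraddr.sa_in6.sin6_port);
            } else if (peeraddr.sa.sa_family == AF_UNIX) {
                port = 0;
                strcpy(addr, "Unix Domain");
            } else {
                strcpy(addr, "UNKNOWN");
                port = 0;
            }
            fprintf(f,"Peer address: %s\n", addr);
            if (port) {
                if (port < 1024) {
                    // Look up service name
                    struct servent *serv = getservbyport(htons(port), NULL);
                    if (serv)
                        fprintf(f,"Peer Port: %d, %s\n", port, serv->s_name);
                    else
                        fprintf(f,"Peer Port: %d\n", port);
                    endservent();
                    fprintf(f, "NOTICE - connected to a "
                               "privileged port\n");
                } else
                    fprintf(f,"Peer Port: %d\n", port);
            }
            fprintf(f, "Socket options:\n");
            for (sptr = sock_opts; sptr->opt_str; sptr++) {
                /* IPv6-only options are skipped on non-IPv6 sockets. */
#ifdef IPV6_ADDRFORM
                if ((sptr->opt_name == IPV6_ADDRFORM) &&
                        (localaddr.sa.sa_family != AF_INET6))
                    continue;
#endif
#ifdef IPV6_IPV6ONLY
                if ((sptr->opt_name == IPV6_IPV6ONLY) &&
                        (localaddr.sa.sa_family != AF_INET6))
                    continue;
#endif
                fprintf(f, "\t%s: ", sptr->opt_str);
                if (sptr->opt_val_str == NULL)
                    fprintf(f, "undefined\n");
                else {
                    union val value;
                    /*
                     * NOTE(review): sizeof(val) names the variable `val`
                     * that is assigned from fcntl() further down, not
                     * `union val` or the buffer `value`. If that variable
                     * is an int, getsockopt() is told the buffer is only
                     * sizeof(int) bytes, and the linger/timeval/credential
                     * formatters then print fields that were never written.
                     * sizeof(value) looks intended; confirm against the
                     * declaration, which is outside this excerpt.
                     */
                    int len = sizeof(val);
                    if (getsockopt(i, sptr->opt_level, sptr->opt_name,
                                   &value, &len) == -1)
                        fprintf(f, "getsockopt error.\n");
                    else
                        fprintf(f, "%s\n",
                                (*sptr->opt_val_str) (&value, len));
                }
            }
        }
#ifdef S_ISDOOR
        else if (S_ISDOOR(st.st_mode)) {
            struct door_info info;
            fprintf(f, "door ipc\n");
            if (door_info(i, &info) == 0) {
                fprintf(f, "door server pid: %d\n", info.di_target);
                fprintf(f, "door attributes: ");
                if (info.di_attributes & DOOR_LOCAL)
                    fprintf(f, "DOOR_LOCAL ");
                if (info.di_attributes & DOOR_UNREF)
                    fprintf(f, "DOOR_UNREF ");
                if (info.di_attributes & DOOR_UNREF_MULTI)
                    fprintf(f, "DOOR_UNREF_MULTI ");
                if (info.di_attributes & DOOR_IS_UNREF)
                    fprintf(f, "DOOR_IS_UNREF ");
                if (info.di_attributes & DOOR_REVOKED)
                    fprintf(f, "DOOR_REVOKED ");
                if (info.di_attributes & DOOR_PRIVATE)
                    fprintf(f, "DOOR_PRIVATE ");
                fprintf(f, "\n");
            }
        }
#endif
        else
            fprintf(f, "unknown\n");

        val = fcntl(i, F_GETOWN, 0);
        if (val > 0)
            fprintf(f, "Process ID that receives SIGIO & SIGURG :%d\n", val);

        /*
         * NOTE(review): a failed F_GETFL returns -1, which is not tested
         * here; every flag test below would then succeed.
         */
        val = fcntl(i, F_GETFL, 0);
        am = val & O_ACCMODE;
        fprintf(f, "File descriptor is ");
        if (am == O_RDONLY)
            fprintf(f, "read only");
        else if (am == O_WRONLY)
            fprintf(f, "write only");
        else if (am == O_RDWR)
            fprintf(f, "read and write");
        else
            fprintf(f, "unknown access mode");
        if (val & O_APPEND)
            fprintf(f, ", append");
        if (val & O_NONBLOCK)
            fprintf(f, ", non-blocking");
#ifdef O_SYNC
        if (val & O_SYNC)
            fprintf(f, ", synchronous writes");
#endif
        fprintf(f, "\n");

        // Note: if the effective id is 0 or the same as the
        // file's owner, we can change this file's mode. We
        // don't actually do it since that could be destructive.
        // We just go through the normal checks and output the results
        // This could be really bad if root owns the file
        // since it could be made setuid.
        //
        // NOTE(review): fchmod() is permitted to the file's owner or to a
        // privileged process; a matching effective group id alone does not
        // grant it, so the getegid() half of this test may over-report.
        // Confirm intent.
        if (geteuid() == 0 || geteuid() == st.st_uid ||
                getegid() == 0 || getegid() == st.st_gid)
            fprintf(f, "WARNING - application can execute a "
                       "fchmod on this descriptor\n");
        if (isastream(i))
            output_stream(i);
        fflush(f);
    }
    fprintf(f, "\n---\n");
    fprintf(f, "Audit Complete\n\n");
    fclose(f);
    return 0;
}

/*
 * Shared result buffer for the str_*() socket-option formatters. Each call
 * overwrites the previous result, so the returned pointer must be consumed
 * before the next formatter runs.
 */
static char strres[128];

/*
 * Format a boolean socket option as "on"/"off".
 * ptr: option value as filled in by getsockopt(); len: the length reported
 * for it. A length other than sizeof(int) is reported instead of the value.
 * Returns strres.
 */
static char *str_flag(const union val *ptr, int len)
{
    if (len != sizeof(int))
        snprintf(strres, sizeof(strres), "size (%d) not sizeof(int)", len);
    else
        snprintf(strres, sizeof(strres), "%s",
                 (ptr->i_val == 0) ? "off" : "on");
    return strres;
}

/*
 * Format an integer socket option in decimal, with the same length check as
 * str_flag(). Returns strres.
 */
static char *str_int(const union val *ptr, int len)
{
    if (len != sizeof(int))
        snprintf(strres, sizeof(strres), "size (%d) not sizeof(int)", len);
    else
        snprintf(strres, sizeof(strres), "%d", ptr->i_val);
    return strres;
}

/*
 * Format a struct linger option: "off", or the linger time in seconds.
 * Returns strres.
 *
 * NOTE(review): unlike str_flag()/str_int(), len is not checked, so
 * l_linger is printed even when the caller's getsockopt() filled fewer
 * bytes than sizeof(struct linger). Left as is because rejecting short
 * lengths here changes the report unless the caller's buffer length is
 * corrected at the same time.
 */
static char *str_linger(const union val *ptr, int len)
{
    if (ptr->linger_val.l_onoff == 0)
        snprintf(strres, sizeof(strres), "off");
    else
        snprintf(strres, sizeof(strres), "%d seconds",
                 ptr->linger_val.l_linger);
    return strres;
}

/*
 * Format a struct timeval option as seconds and microseconds (both
 * narrowed to int). Returns strres.
 *
 * NOTE(review): len is not checked here either; see str_linger().
 */
static char *str_timeval(const union val *ptr, int len)
{
    snprintf(strres, sizeof(strres), "%d seconds and %d microseconds",
             (int)ptr->timeval_val.tv_sec, (int)ptr->timeval_val.tv_usec);
    return strres;
}

#ifdef SO_PEERCRED
/*
 * Format the peer credentials option as the peer's uid and gid.
 * Returns strres.
 *
 * NOTE(review): len is not checked here either; see str_linger().
 */
static char *str_cred(const union val *ptr, int len)
{
    snprintf(strres, sizeof(strres), "peer uid %d, peer gid %d",
             (int)ptr->peercred.uid, (int)ptr->peercred.gid);
    return strres;
}
#endif

/*
 * Print one resource limit as "name  soft  hard" to the report stream f.
 * name: label to print; resource: an RLIMIT_* selector for getrlimit().
 * A getrlimit() failure is reported on the stream and nothing else is
 * printed for that resource.
 */
static void pr_limits(const char *name, int resource)
{
    struct rlimit limit;

    if (getrlimit(resource, &limit) < 0) {
        fprintf(f, "getrlimit error for %s\n", name);
        return;
    }
    fprintf(f, "%-14s ", name);
    /*
     * rlim_t is an unsigned type whose width varies by platform; widen it
     * explicitly so the conversion specifier always matches the argument.
     */
    if (limit.rlim_cur == RLIM_INFINITY)
        fprintf(f, "(infinity) ");
    else
        fprintf(f, "%10llu ", (unsigned long long)limit.rlim_cur);
    if (limit.rlim_max == RLIM_INFINITY)
        fprintf(f, "(infinity)\n");
    else
        fprintf(f, "%10llu\n", (unsigned long long)limit.rlim_max);
}

/*
 * id is shared by lookup_uid() and lookup_grp(): a result from either one
 * is overwritten by the next call to either, so two lookups must not be
 * passed to a single fprintf().
 */
static char unknown[] = "UNKNOWN", id[33];

/*
 * Map a numeric user id to its account name.
 * Returns the name, truncated to 32 characters, in the shared id buffer,
 * or "UNKNOWN" when the password database has no entry for uid.
 */
static char *lookup_uid(int uid)
{
    struct passwd *pass;

    pass = getpwuid(uid);
    if (pass == NULL)
        return unknown;
    /* Bounded copy that always terminates, whatever the name's length. */
    snprintf(id, sizeof(id), "%s", pass->pw_name);
    endpwent();
    return id;
}

/*
 * Map a numeric group id to its group name.
 * Returns the name, truncated to 32 characters, in the shared id buffer,
 * or "UNKNOWN" when the group database has no entry for gid.
 */
static char *lookup_grp(int gid)
{
    struct group *gp;

    gp = getgrgid(gid);
    if (gp == NULL)
        return unknown;
    /* Bounded copy that always terminates, whatever the name's length. */
    snprintf(id, sizeof(id), "%s", gp->gr_name);
    endgrent();
    return id;
}

/*
 * Return a printable name for a socket address family.
 * Known families map to string literals; anything else is formatted into a
 * static buffer that the next unknown-family call overwrites. The text for
 * an unknown family ends in a newline, exactly as before.
 */
static const char *lookup_family(int type)
{
    const char *ret_val;
    static char buf[64];

    switch (type) {
    case AF_INET:
        ret_val = "AF_INET";
        break;
    case AF_INET6:
        ret_val = "AF_INET6";
        break;
    case AF_UNIX:
        ret_val = "AF_UNIX";
        break;
    default:
        /* Bounded write instead of sprintf(). */
        snprintf(buf, sizeof(buf), "UNKNOWN #%d\n", type);
        ret_val = buf;
        break;
    }
    return ret_val;
}

/*
 * If fd is a STREAMS descriptor, print the modules pushed on it and its
 * driver to the report stream f. Does nothing when the I_LIST query fails.
 */
static void output_stream(int fd)
{
    struct str_list list;
    struct str_mlist *mods;
    int idx, nmods, count;

    /* With a null argument I_LIST returns the entry count, driver included. */
    nmods = ioctl(fd, I_LIST, (void *)0);
    if (nmods < 0)
        return;

    fprintf(f, "The descriptor is also a stream\n");
    fprintf(f, " num of stream modules: %d\n", nmods);
    if (nmods == 0)
        return;

    /* allocate space for modules */
    mods = calloc(nmods, sizeof(struct str_mlist));
    if (mods == NULL)
        return;
    list.sl_modlist = mods;
    list.sl_nmods = nmods;

    /* fetch the module names */
    if (ioctl(fd, I_LIST, &list) >= 0) {
        /*
         * Walk only the entries that exist. The previous loop ran idx from
         * 0 through nmods inclusive, which read one element past the
         * nmods-element array and labelled that out-of-bounds entry as the
         * driver. The driver is the last valid entry.
         */
        count = list.sl_nmods;
        if (count > nmods)
            count = nmods;
        for (idx = 0; idx < count; idx++)
            fprintf(f, " %s: %s\n",
                    (idx == count - 1) ? "driver" : "module",
                    mods[idx].l_name);
    }
    /* Keep the base pointer so the array can be released. */
    free(mods);
}

static char *fullpath;

/*
 * Resolve descriptor d to a path through /proc/<pid>/fd/<d> and print it to
 * the report stream f.
 * leaked: 1 prints "The leaked descriptor is", 0 prints "The descriptor
 * is"; any other value prints nothing but still returns the path.
 * Returns a pointer into found_file (a buffer declared outside this
 * excerpt; it is cleared here for PATH_MAX bytes), or NULL when the
 * scratch buffer cannot be allocated or the link cannot be read.
 */
static char *find_inode(int d, int leaked)
{
    ssize_t n;
    int offset = 0;

    fullpath = malloc(PATH_MAX+1);
    if (fullpath == 0)
        return NULL;
    memset(found_file, 0, PATH_MAX);
    snprintf(fullpath, PATH_MAX, "/proc/%d/fd/%d", (int)getpid(), d);
    /*
     * readlink() does not terminate its result. Read at most PATH_MAX - 1
     * bytes and terminate at the returned length, so every write stays
     * inside the PATH_MAX bytes cleared above.
     */
    n = readlink(fullpath, found_file, PATH_MAX - 1);
    if (n >= 0)
        found_file[n] = 0;
    free(fullpath);
    fullpath = NULL;    /* do not leave the file-scope pointer dangling */

    if (found_file[0] == 0) {
        fprintf(f, "Could not find exact descriptor.\n");
        return NULL;
    }
    /* Skip the first character when the second one is a slash. */
    if (found_file[1] == '/')
        offset = 1;
    if (leaked == 1)
        fprintf(f, "The leaked descriptor is: %s\n", found_file+offset);
    else if (leaked == 0)
        fprintf(f, "The descriptor is: %s\n", found_file+offset);
    return found_file+offset;
}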