tiger-devel

Re: [Tiger-devel] FW: Help for something - FAA OKC


From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-devel] FW: Help for something - FAA OKC
Date: Tue, 15 Feb 2005 01:50:52 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041217

Banks, Ralph wrote:

> I need to confirm if your product can help my customer.

Well, the Tiger tool cannot perform the listing you want, although it could be adapted to do it (since some of the code is already there). See below.

> I am gone till Friday but I was wondering if you could query some of your
> experts for a tool that can get Unix group information such as what
> groups, who is in the group and what directories that group has access
> to, permissions.

> We can do this with Unix commands but it seems to eat cpu cycles and
> slows processing.

The only way to do this (in any Unix system I know of, unless using MAC controls like RSBAC or SELinux) is to go retrieve the first bits of information from the group and password databases and then go through the full filesystem in order to review what directories a group has access to.

Don't know, maybe something like this could do the trick (there are some caveats, however). The following could be run in the system (reniced if it's too CPU intensive) and a similar thing could be coded in C.


------------------------------------------------------------------------
#!/bin/sh

# Sample script to list users that have access to directories
# based on the ownership and directory configuration

STARTDIR=/home

# Print nine 0/1 flags (rwx for user, group, other) for the path in $1.
# "S" and "T" mean setuid/setgid/sticky is set without the execute bit.
getpermit() {
   ls -ld "$1" |
   awk '{
      for(i=2;i<11;i++){
         c = substr($1, i, 1);
         if(c == "-" || c == "S" || c == "T")
             printf("0 ");
         else
             printf("1 ");
      }
      printf("\n");
   }'
}

# TODO: This does not take into account that access might be
# overridden by parent directory

find "$STARTDIR" -type d -printf "%m %U %G %p\n"  |
while read -r mode uid gid dir; do
        # Run ls once per directory, then split the flags into three triplets
        perms=`getpermit "$dir"`
        umod=`echo "$perms" | awk '{ print $1$2$3 }'`
        gmod=`echo "$perms" | awk '{ print $4$5$6 }'`
        omod=`echo "$perms" | awk '{ print $7$8$9 }'`
        echo "Permissions for $dir:"
        awk -F : '{ print $1" "$3; }' /etc/passwd |
        while read -r cuser cuid ; do
                found=0
                if [ "$uid" = "$cuid" ] ; then
                        printf '\t%s (mode: %s) <owner>\n' "$cuser" "$umod"
                        found=1
                elif [ "$gmod" != "000" ] ; then
                        # id -G prints every GID on one line; iterate over the
                        # words in this shell (not a pipeline subshell) so that
                        # the value of found survives the loop
                        for cgid in `id -G "$cuser"`; do
                                if [ "$cgid" = "$gid" ] ; then
                                        printf '\t%s (mode: %s) <group %s>\n' "$cuser" "$gmod" "$gid"
                                        found=1
                                fi
                        done
                fi
# TODO: this is not necessarily true, if (all) access to the parent dir
# is prohibited this is prohibited
                if [ "$found" -eq 0 ] && [ "$omod" != "000" ] ; then
                        printf '\t%s (mode: %s) <other>\n' "$cuser" "$omod"
                fi
        done
done
------------------------------------------------------------------------
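
The parent-directory caveat flagged in the script's TODO comments, as an added example that is not part of the original message or of Tiger: a directory's own mode bits only matter if every ancestor grants the user search (x) permission. The function names `class_digit` and `effective_access` and the optional TOP argument are hypothetical; the sketch assumes GNU stat and absolute paths, and ignores root, ACLs and MAC policy.

```shell
#!/bin/sh
# Added example: effective access including the parent-directory check.
# Assumptions: GNU stat, absolute paths; root, ACLs and MAC are ignored.

# class_digit MODE OWNER_UID OWNER_GID UID "GID ..."
# Print the rwx digit (0-7) of the single class that applies to UID.
# The first match wins: a group member never falls through to "other".
class_digit() {
    if [ "$4" = "$2" ]; then
        echo $(( (0$1 >> 6) & 7 )); return
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            echo $(( (0$1 >> 3) & 7 )); return
        fi
    done
    echo $(( 0$1 & 7 ))
}

# effective_access DIR UID "GID ..." [TOP]
# Print the digit UID gets on DIR, or 0 if any ancestor up to TOP
# (default /) lacks the search (x) bit for that user.
effective_access() {
    target=$1 uid=$2 gids=$3 top=${4:-/}
    path=$(dirname "$target")
    while :; do
        info=$(stat -c '%a %u %g' "$path") || return 2
        set -- $info
        digit=$(class_digit "$1" "$2" "$3" "$uid" "$gids")
        if [ $(( digit & 1 )) -eq 0 ]; then
            echo 0; return
        fi
        case $path in "$top"|/|.) break ;; esac
        path=$(dirname "$path")
    done
    info=$(stat -c '%a %u %g' "$target") || return 2
    set -- $info
    class_digit "$1" "$2" "$3" "$uid" "$gids"
}

# Usage with real accounts (alice and bob are placeholder names):
#   effective_access /home/alice/project "$(id -u bob)" "$(id -G bob)"
```

The printed digit is the usual octal triplet (4 read, 2 write, 1 search), so 5 means the user can list and enter the directory but not create entries in it.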



