#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_lilo:  checks permissions on boot loader config files
#		grub.conf and lilo.conf
# 10.26.2001
# Paul Telford <paul_telford@hp.com>
# 04.25.2002  Javier Fernandez-Sanguino <jfs@computer.org>
# Expanded to check also if there are passwords in the boot loader
# 07/25/2002 jfs       
# Changed TigerInstallDir to .
# Changed -e to -r and 'find' to 'access' in the error msg.
# 10/19/2003 jfs - Applied patch from Ryan Bradetich to work in SuSE systems.
# 11/18/2003 jfs - Fixed typo (Debian bug #221470)
# 01/15/2004 jfs - Fixed dependancies
# 12/27/2004 jfs - Fixed grub.conf naming (Debian bug #286641)
# 03/21/2005 jfs   Only run if running on the x86 architecture
#                  (Debian bug #288737)
# 06/22/2007 jfs   Run if on amd64 (Debian bug #412669)
#
#-----------------------------------------------------------------------------
#
TigerInstallDir='.'

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}
. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds GREP RM UNAME EGREP || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}
#------------------------------------------------------------------------
haveallcmds GREP RM UNAME EGREP || exit 1
haveallfiles BASEDIR WORKDIR || exit 1

machine=`$UNAME -m`
# Only applies to the x86 or amd64 architectures:
[ -z "`echo $machine | $EGREP 'i.86$|^x86_64$'`" ] && exit 0

echo
echo "# Checking boot loader file permissions..."
found="N"

file=/etc/lilo.conf
if [ -r $file ]
then

	found="Y"
	getpermit $file |
	   while read filename rowner rgroup rur ruw rux rgr rgw rgx ror row rox rsuid rsgid rstk
	do

	if [ $rgr -eq 1 -o $rgw -eq 1 -o $rgx -eq 1 ]
	then
                message WARN boot01 "" "The configuration file lilo.conf has group permissions"
	fi
	if [ $ror -eq 1 -o $row -eq 1 -o $rox -eq 1 ]
	then
                message FAIL boot01 "" "The configuration file lilo.conf has other permissions"
        fi

	done

	# Lilo password checks
	if [ -n "`$GREP ^restricted $file`" ] ; then
            if [ -z "`$GREP ^password $file`" ] ; then
                message WARN boot05 "" "The bootloader is restricted but does not seem to have a password configured."
	    fi 
	else
                message WARN boot04 "" "The bootloader lilo is not configured with a password"
	fi

fi

if [ -r /etc/grub.conf ] ; then
   # SuSE uses /etc/grub.conf.
   file=/etc/grub.conf
elif [ -r  /boot/grub/menu.lst ] ; then
   # Debian uses /boot/grub/menu.lst
   file=/boot/grub/menu.lst
else
   # for other Linux systems
   file=/boot/grub/grub.conf
fi 

if [ -r "$file" ]
then

	found="Y"
	getpermit $file |
	   while read filename rowner rgroup rur ruw rux rgr rgw rgx ror row rox rsuid rsgid rstk
	do

	if [ $rgr -eq 1 -o $rgw -eq 1 -o $rgx -eq 1 ]
	then
                message WARN boot02 "" "The configuration file $file has group permissions.  Should be 0600"
	fi
	if [ $ror -eq 1 -o $row -eq 1 -o $rox -eq 1 ]
	then
                message FAIL boot02 "" "The configuration file $file has world permissions.  Should be 0600"
        fi

	done
	# GRUB password checks
        if [ -z "`$GREP ^password $file`" ] ; then
                message WARN boot06 "" "The Grub bootloader does not have a password configured."
	fi 
fi

[ "$found" != 'Y' ] && {
	message WARN boot03w "" "Could not access LILO's or Grub's configuration file"
}

exit 0
