#
# License
#
# GNU Affero General Public License Version 3.0, https://www.gnu.org/licenses/agpl-3.0.en.html
#
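#######################################
# Print the command-line help to stdout.
# Arguments: none ($0 supplies the script name)
# Outputs:   usage text on stdout
#######################################
usage(){
  cat <<EOF
$0 [-x] -d <dynamically linked> -f <files and dirs> -r <files to remove> -u user <files to chown to user> -c <chmod to be world writable>
-x Activates debugging
-d Files are considered dynamically linked
All library dependencies are resolved using ldd and necessary file are included
-f Files and directories to include. Don't forget the license files
-r Files to be removed before copying, especially log files
-u User:Group files should be chowned to, access right will be set to rw for the user
-c chmod go+rw to all the files in this section
The container needs a usable version of sh, ldd, sed, rm and uniq
License is GNU Affero General Public License Version 3.0, https://www.gnu.org/licenses/agpl-3.0.en.html
EOF
}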
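#######################################
# Copy every given path into the staging tree under /tmp/harden, creating
# its parent directory there first.
# Globals:   HARDEN (written; the staging root)
# Arguments: paths with the leading '/' already stripped; they are copied
#            relative to the current directory, so the script is expected
#            to run from /
# Outputs:   nothing on stdout
#######################################
create_dir(){
  local path parent
  HARDEN=/tmp/harden
  mkdir -p "$HARDEN"
  for path in "$@"
  do
    parent=$HARDEN/$(dirname "$path")
    mkdir -p "$parent"
    # A directory that already exists in the staging tree (created for a
    # deeper entry) is left alone; cp -a would otherwise copy the whole
    # source directory on top of it.
    [ -d "$HARDEN/$path" ] || cp -a -- "$path" "$HARDEN/$path"
  done
}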
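#######################################
# Tell whether the next positional argument still belongs to the current
# option section: it must exist, be non-empty and not start with '-'.
# Arguments: the remaining argument list (pass "$@")
# Returns:   0 if $1 is a section value, 1 otherwise
#######################################
next_section(){
  # An empty $1 previously produced a `[` syntax error; treat it as end of
  # section explicitly instead of relying on that error's exit status.
  case "${1-}" in
    ''|-*) return 1 ;;
    *) return 0 ;;
  esac
}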
#######################################
# Reduce ldd output to one token per line: strip leading tabs, drop
# everything up to "=> ", then cut at the first space.
# Inputs:    ldd output on stdin
# Outputs:   one path per line on stdout. Entries that have no "=> /path"
#            part (e.g. the vDSO line) pass through as a bare token that
#            does not exist on disk.
#######################################
ldd_filter(){
  sed -e 's+\t*++' \
      -e 's+.*=>\ ++' \
      -e 's+\ .*$++'
}
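#######################################
# List a path (recursively, via find) and, for each symlink found, its
# target as well, so that both the link and what it points to get copied.
# A relative target is resolved against the link's own directory; a target
# that is itself a symlink is not followed any further.
# Arguments: $1 - file or directory to walk
# Outputs:   one path per line on stdout
#######################################
link_filter(){
  local entry target
  # Read find's output line by line instead of word-splitting it, so paths
  # containing spaces stay intact.
  find "$1" -print | while IFS= read -r entry
  do
    printf '%s\n' "$entry"
    [ -L "$entry" ] || continue
    target=$(readlink -- "$entry")
    case "$target" in
      /*) printf '%s\n' "$target" ;;
      *) printf '%s\n' "$(dirname "$entry")/$target" ;;
    esac
  done
}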
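#######################################
# Parse the command line and print, one per line, every path that has to be
# copied into the hardened tree. The side-effect sections (-r, -u, -c) are
# applied immediately while parsing. The leading '/' is stripped so that
# create_dir can nest the paths under its staging root.
# Globals:   OWNER (written by -u)
# Arguments: the script's command line, see usage
# Outputs:   paths on stdout, passed through uniq (adjacent duplicates only)
# Notes:     the while loop is one stage of a pipeline and therefore runs in
#            a subshell: `exit 1` ends the listing but does not stop the
#            script, and the pipeline's status is that of sed.
#######################################
extract(){
  local lib
  while [ $# -ne 0 ]
  do
    case "$1" in
      -x) # enable shell tracing; it goes to stderr, not into the path list
        set -x
        shift
        ;;
      -d) # dynamically linked executables: include every ldd dependency
        shift
        while next_section "$@"
        do
          ldd "$1" | ldd_filter | while IFS= read -r lib
          do
            # ldd also prints entries that are not files (e.g. the vDSO);
            # find would only emit an error for those, so skip them.
            [ -e "$lib" ] || [ -L "$lib" ] || continue
            link_filter "$lib"
          done
          link_filter "$1"
          shift
        done
        ;;
      -f) # files, directories and links to include as they are
        shift
        while next_section "$@"
        do
          link_filter "$1"
          shift
        done
        ;;
      -r) # files to delete before copying
        shift
        while next_section "$@"
        do
          rm -- "$1"
          shift
        done
        ;;
      -u) # change owner and grant read/write access
        shift
        # -u needs an owner argument; shifting past the end would fail here.
        if [ $# -eq 0 ]
        then
          usage >&2
          exit 1
        fi
        OWNER=$1
        shift
        while next_section "$@"
        do
          chown -- "$OWNER" "$1"
          chmod -R +rw -- "$1"
          shift
        done
        ;;
      -c) # make world readable and writable
        shift
        while next_section "$@"
        do
          chmod -R go+rw -- "$1"
          shift
        done
        ;;
      *) # unknown option: help goes to stderr so it is not read as a path list
        usage >&2
        exit 1
        ;;
    esac
  done | uniq | sed 's+^/++'
}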
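# Entry point: the output of extract is deliberately word-split here, since
# it prints one path per line and create_dir takes them as separate arguments.
# shellcheck disable=SC2046
create_dir $(extract "$@")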