#!/bin/bash
# Run this script in your bash profile to audit PATHs and check for potential PATH interceptions.
# This isn't perfect but it's better than nothing. See here for a full discussion:
# http://modelephant.net/?p=95
# N.B. All paths to external binaries are full paths to the macOS ones and are protected by SIP.
# This protects against PATH interception in this script
# set -x
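# Print a diagnostic to stderr, but only when BASH_AUDIT_VERBOSE is set to a
# non-empty value. With the variable unset (the default) nothing is printed,
# which keeps a profile quiet exactly as the original no-op did, while still
# letting the audit be run verbosely from a terminal when debugging.
# Arguments: $1 - message
# Outputs:   the message on stderr when verbose, otherwise nothing
# Returns:   0
log() {
  [[ -n "${BASH_AUDIT_VERBOSE:-}" ]] || return 0
  /usr/bin/printf '%s\n' "$1" >&2
}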
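# Print a message to stderr in bold red. The message is passed to printf as an
# argument, not as the format string: the original interpolated $1 into the
# format, so a '%' in a path name (PATH entries and profiles come from data
# the user does not fully control) would have been interpreted as a directive.
# The full path to printf is deliberate (SIP-protected, see the file header).
# No trailing newline is emitted, as before.
# Arguments: $1 - message
# Outputs:   the message on stderr
error() {
  /usr/bin/printf '\033[1;31m %s \033[0m' "$1" >&2
}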
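# Run both halves of the audit (mode, then owner) on one path. "$1" is quoted
# so a path containing whitespace is handed down as a single argument; the
# original passed $1 bare and would have split it into several.
# Arguments: $1 - file or directory to audit
# Outputs:   whatever check_permissions and check_owner report on stderr
check_file() {
  check_permissions "$1"
  check_owner "$1"
}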
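# Report a path that the current user can write to. A writable profile or
# PATH directory lets anything running as this user plant commands that the
# shell will later execute.
# Arguments: $1 - file or directory
# Outputs:   an error on stderr if writable, a log line otherwise
# Returns:   0
# NOTE: -w asks "can *this* user write it". Run as root it is true for nearly
# everything, and a path writable only by some other group or user is not
# flagged; check_owner covers the ownership side of the audit.
check_permissions() {
  local target=$1
  # [[ ... && ... ]] replaces the deprecated, unquoted '[ ... -a ... ]' form,
  # which misparsed empty and whitespace-containing arguments.
  if [[ ! -f "$target" && ! -d "$target" ]]; then
    log "File or directory $target doesn't exist"
    return 0
  fi
  if [[ -w "$target" ]]; then
    error "$target is writable by current user"
  else
    log "Profile $target has good permissions"
  fi
}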
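# Report a path that is not owned by root. Ownership matters as well as mode:
# a process running as the user could replace a root-owned file with its own
# copy and then clear the write bit, so a mode-only check would look clean.
# Arguments: $1 - file or directory
# Outputs:   an error on stderr if the owner is not root, a log line otherwise
# Returns:   0, or 1 if stat could not read the path
# NOTE: '/usr/bin/stat -f %Su' is the macOS (BSD) stat syntax the header
# relies on; GNU stat spells this differently, so this is not portable.
check_owner() {
  local target owner
  target=$1
  # Directories are accepted too: PATH entries are directories, and the
  # original's '-f' test silently skipped every one of them.
  if [[ ! -f "$target" && ! -d "$target" ]]; then
    log "File or directory $target doesn't exist"
    return 0
  fi
  # Declaration and assignment are separate so a stat failure is not masked.
  owner=$(/usr/bin/stat -f '%Su' -- "$target") || return 1
  # String comparison. The original used the arithmetic '-ne', under which
  # both "root" and any other user name evaluate to 0, so the check could
  # never fire (and names that are not valid arithmetic raised an error).
  if [[ "$owner" != "root" ]]; then
    error "$target is owned by $owner instead of root"
  else
    log "Profile $target has the correct owner"
  fi
}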
# Check profiles are owned by root and not writable by current user. The root part matters because
# a malicious process could delete a file owned by root, rewrite it then mark it not writable. It
# would then be owned by the current user.
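check_file /etc/profile
check_file ~/.bash_profile
check_file ~/.bash_login
check_file ~/.profile

# Check every PATH entry is also owned by root and unwritable. PATH is split
# on ':' with an IFS scoped to the read builtin only: the original did
# 'export IFS=":"' and never restored it, which left the interactive shell
# this profile starts with a broken IFS and exported it to every child.
path_entries=()
IFS=':' read -r -a path_entries <<< "$PATH"
for path in "${path_entries[@]}"; do
  # An empty or relative entry is resolved against the current directory, so
  # whoever controls that directory controls which binary runs.
  if [[ "$path" != /* ]]; then
    error "PATH entry '${path:-<empty>}' is not an absolute path"
    continue
  fi
  check_file "$path"
done
unset path_entries path

# Check that Terminal.app is configured to start /bin/bash rather than some
# other binary. The Shell preference is extracted from the plist into a
# temporary file, which is removed again whether or not the check fires.
if TMP_FILE=$(/usr/bin/mktemp); then
  /usr/bin/plutil -extract Shell xml1 -o "$TMP_FILE" ~/Library/Preferences/com.apple.Terminal.plist
  # -F: the needle is a literal string, not a regex; -q replaces the
  # original's cat | grep pipeline and its intermediate variable.
  if ! /usr/bin/grep -q -F '<string>/bin/bash</string>' "$TMP_FILE"; then
    # NOTE(review): if the Shell key is absent (Terminal left on its default
    # login shell), plutil fails, the file stays empty and this fires too.
    # That matches the original; confirm it is the intended signal.
    error "Wrong shell configured!"
  fi
  /bin/rm -f -- "$TMP_FILE"
fi
unset TMP_FILE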