ModElephant/bash_audit.sh

#!/bin/bash
# Run this script in your bash profile to audit PATHs and check for potential PATH interceptions.
# This isn't perfect but it's better than nothing. See here for a full discussion:
# http://modelephant.net/?p=95
# N.B. All paths to external binaries are full paths to the macOS ones and are protected by SIP.
# This protects against PATH interception in this script
# set -x
# No-op logging hook: informational messages are discarded.
# Uncomment the echo below to see them while debugging.
# Arguments: $1 - message text (currently ignored)
log() {
  # echo $1
  return
}
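# Print a message to stderr in bold red.
# The text is passed as a printf argument, not as the format string: the
# messages embed file names and PATH entries, and a '%' or backslash inside
# one of those must be printed literally instead of being interpreted.
# Arguments: $1 - message text
# Outputs:   the highlighted message on stderr, with no trailing newline
error() {
  /usr/bin/printf '\033[1;31m %s \033[0m' "$1" >&2
}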
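# Run both audits (writability, then ownership) on one path.
# Arguments: $1 - file or directory to inspect
check_file() {
  # Quoted so that a path containing spaces or glob characters reaches the
  # checks as a single, unmodified argument.
  check_permissions "$1"
  check_owner "$1"
}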
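# Report a file or directory that the current user can write to.
# Arguments: $1 - path to inspect
# Outputs:   an error on stderr when the path is writable; log messages otherwise
check_permissions() {
  # Quoted tests: an unquoted path with spaces would be split into several
  # words and make the test itself fail instead of reporting a missing path.
  if [[ ! -f "$1" && ! -d "$1" ]]; then
    log "File or directory $1 doesn't exist"
    return
  fi
  # -w is evaluated for the user running the audit.
  if [[ -w "$1" ]]; then
    error "$1 is writable by current user"
  else
    log "Profile $1 has good permissions"
  fi
}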
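# Report a file or directory whose owner is not root.
# Arguments: $1 - path to inspect
# Outputs:   an error on stderr when the owner is not root or cannot be read;
#            log messages otherwise
check_owner() {
  local owner
  # Directories are accepted as well as regular files, so that PATH entries
  # (which are directories) actually have their owner checked.
  if [[ ! -f "$1" && ! -d "$1" ]]; then
    log "File or directory $1 doesn't exist"
    return
  fi
  # BSD/macOS stat: the "%Su" format prints the owner's user name.
  if ! owner=$(/usr/bin/stat -f "%Su" "$1"); then
    error "Could not read the owner of $1"
    return
  fi
  # String comparison is required here. -ne is an arithmetic operator: inside
  # [[ ]] an ordinary user name is evaluated as an unset variable, i.e. 0, on
  # both sides, so a -ne test would normally never report a foreign owner.
  if [[ "$owner" != "root" ]]; then
    error "$1 is owned by $owner instead of root"
  else
    log "Profile $1 has the correct owner"
  fi
}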
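# Check that the profiles are owned by root and not writable by the current user. The owner
# matters because a malicious process could delete a file owned by root, rewrite it, then mark
# it not writable. It would then be owned by the current user.
check_file /etc/profile
check_file ~/.bash_profile
check_file ~/.bash_login
check_file ~/.profile

# Check that every PATH entry is also owned by root and unwritable.
# IFS is ':' only while the loop runs and is restored afterwards, so the rest of the script
# (or the shell that sources it) does not keep splitting words on colons.
saved_ifs=$IFS
IFS=":"
for path in $PATH; do
  # An empty or relative entry is resolved against the current working directory at lookup
  # time, so it cannot be audited as a fixed location; report it explicitly.
  if [[ "$path" != /* ]]; then
    error "PATH entry '$path' is not an absolute path"
  fi
  check_file "$path"
done
IFS=$saved_ifs
unset saved_ifs

# Check that the Shell setting in the Terminal preferences is /bin/bash.
TMP_FILE=$(/usr/bin/mktemp)
if [[ -z "$TMP_FILE" ]]; then
  error "Could not create a temporary file; shell setting not checked"
else
  /usr/bin/plutil -extract Shell xml1 -o "$TMP_FILE" ~/Library/Preferences/com.apple.Terminal.plist
  # Cheap and dirty: search for the literal XML element instead of parsing the plist.
  # A failed extraction leaves the file without it and is reported the same way.
  if ! /usr/bin/grep -q -F "<string>/bin/bash</string>" "$TMP_FILE"; then
    error "Wrong shell configured!"
  fi
  # Remove the temporary file; it would otherwise be left behind on every run.
  /bin/rm -f -- "$TMP_FILE"
fi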