#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: Checking for filesystem permissions
## tags:
##  - basic
## bugs: [25162]
## exposure: safe

# Load the shared ucs-test helpers (check_perm is defined there; RETVAL is
# presumably initialised there as well — base.sh is not visible here).
# Nothing below can run without them, so bail out (137) instead of going on
# and producing a misleading verdict.
# shellcheck source=../../lib/base.sh
source "${TESTLIBPATH}/base.sh" || exit 137

# expect_perm: forward all arguments to check_perm (from base.sh) and mark
# the test as failed (RETVAL=110) when mode or ownership do not match.
# check_perm's own output is passed through untouched.
expect_perm() {
	check_perm "$@" || RETVAL=110
}

# Postfix private queue directory: 0700 postfix:root.  The entries inside
# are world-writable and rely solely on this directory mode to keep
# arbitrary users away from them.
expect_perm -d /var/spool/postfix/private 0700 postfix root

# Postfix public queue directory: 02710 postfix:postdrop, so only members
# of postdrop may traverse it.  Again, the world-writable entries inside
# depend entirely on the directory mode.
expect_perm -d /var/spool/postfix/public 02710 postfix postdrop

# winbindd privileged directory: 0750 root:winbindd_priv, shielding the
# world-writable pipe inside from arbitrary users.
expect_perm -d /var/run/samba/winbindd_privileged 0750 root winbindd_priv

# acpid event socket: expected as 0666 root:root (see acpid(8)); it is
# therefore also excluded from the world-writable scan further below.
expect_perm -e /var/run/acpid.socket 0666 root root

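echo "***Searching for files and directories with write permissions for other:"

# Collect the hits NUL-separated in a private temp file so that unusual
# file names survive the hand-over to ls.  A failed mktemp used to make
# the redirection below fail silently and the test then PASSED with an
# empty result; now it aborts (137) instead.  The EXIT trap removes the
# temp file even when the scan is interrupted half way through.
tmpfile="$(mktemp "/tmp/ucs-test-find-XXXXXXX")" || exit 137
trap 'rm -f -- "$tmpfile"' EXIT

# Walk the whole filesystem for anything writable by "other".
#  - The first group is pruned: those trees are never descended into.  This
#    also hides /var/lib/docker/overlay2 (container layers) and every
#    __pycache__ directory from the check entirely.
#  - Symlinks (their mode is meaningless) and sockets are skipped wholesale;
#    a world-writable socket is therefore never reported by this test.
#  - World-writable directories carrying the sticky bit (/tmp, /var/tmp,
#    /var/lock, ...) are the normal, accepted shape and are exempt.
#  - The second group is an allow-list of individual paths that are
#    world-writable by design; unlike the pruned group, their children are
#    still checked.  NOTE(review): where /var/run is a symlink to /run, find
#    reports paths under /run, so the "/var/run/..." entries never match
#    there — most of them are sockets and already skipped by -type s, the
#    rest should be verified.  "/lock" at the filesystem root looks like it
#    was meant as /var/lock or /run/lock (sticky, already exempt) — verify.
find / \
	\( \
		-type l \
		-o -type s \
		-o -path /proc \
		-o -path /sys \
		-o -path /dev \
		-o -path /var/cache/common-lisp-controller \
		-o -path /var/run/acpid.socket \
		-o -path /var/lib/univention-client-root/dev \
		-o -path /var/lib/univention-client-root/ramdisk \
		-o -path /var/spool/postfix/private \
		-o -path /var/spool/postfix/public \
		-o -path /var/spool/postfix/dev \
		-o -path /var/run/postgresql \
		-o -path /var/lib/collectd/rrd \
		-o -path /var/lib/docker/overlay2 \
		-o -path "*__pycache__*" \
	\) -prune \
	-o -perm /o+w \
	! \( -type d -perm /+t \) \
	! \( \
		-path "/tmp/.gdm_socket" \
		-o -path "/tmp/.winbindd/pipe" \
		-o -path "/run/cloud-init/hook-hotplug-cmd" \
		-o -path "/run/umc-web-server.pid.lock" \
		-o -path "/run/umc-server.pid.lock" \
		-o -path "/run/*.MainThread-*" \
		-o -path "/var/lib/php" \
		-o -path "/lock" \
		-o -path "/var/run/clamav/clamd.ctl" \
		-o -path "/var/run/gdm_socket" \
		-o -path "/var/run/libvirt/libvirt-sock-ro" \
		-o -path "/var/run/samba/winbindd_privileged/pipe" \
		-o -path "/var/run/saslauthd/mux" \
		-o -path "/var/spool/hylafax/dev/null" \
		-o -path "/var/spool/hylafax/FIFO.faxCAPI" \
		-o -path "/var/spool/hylafax/tmp" \
		-o -path "/var/spool/samba" \
	\) -print0 > "$tmpfile"

# Any hit fails the test; list the offenders in ls -l form for the report.
if [ -s "$tmpfile" ]
then
	RETVAL=110
	xargs -0 ls -lad -- <"$tmpfile"
fi
# RETVAL is expected to be initialised by base.sh (100 = success in this
# suite, presumably) and set to 110 above on any failure.
exit "$RETVAL"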

# Docs
#
# "/proc/*" "/dev/*"                         : Generated by kernel
# "/var/lib/univention-client-root/dev/*"    : Generated by kernel on thin clients
# "/var/spool/postfix/dev/log"               : chroot Syslog
# "/var/spool/postfix/private/*"             : See test case above
# "/var/spool/postfix/public/*"              : See test case above
# "/var/lock" "/var/tmp" "/tmp"              : System directories for lock files or temp files of applications
# "/var/run/clamav/clamd.ctl"                : Standard daemon control/communication socket
# "/var/run/avahi-daemon/socket"             : Standard daemon control/communication socket
# "/var/run/dbus/system_bus_socket"          : Standard daemon control/communication socket
# "/var/run/nscd/socket"                     : Standard daemon control/communication socket
# "/var/run/saslauthd/mux"                   : Standard daemon control/communication socket
# "/tmp/.X11-unix/*" "/tmp/.ICE-unix"        : Standard daemon control/communication socket
# "/tmp/.X11-unix" "/tmp/.gdm_socket"        : Standard daemon control/communication socket
# "/var/lib/php"                             : PHP session path, needs to be writable by all web apps
# "/var/spool/samba"                         : Samba printing spooler path
# "/var/lib/univention-client-root/ramdisk/*": RAM disk on thin client
# "/var/run/postgresql"                      : PostgreSQL spool directory
# "/var/spool/hylafax/dev/null"              : Hylafax's /dev/null
# "/var/spool/hylafax/tmp"                   : Temporary files for Hylafax
# "/tmp/.winbindd/pipe"                      : Communication socket of winbind
# "/var/spool/hylafax/FIFO.faxCAPI"          : Communication pipe for Hylafax
# "/var/run/samba/winbindd_privileged/pipe"  : See test case above
# "/var/run/gdm_socket"                      : Generated by GDM, unused (unless DynamicXServers=true)
# "/var/run/acpid.socket"                    : Socket to listen for ACPI-Events. See acpid(8)
# "/var/run/libvirt/libvirt-sock-ro"         : Socket for libvirt read-only connections

# vim: set ft=sh :
