-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
/
suid_bin.cpp
131 lines (108 loc) · 2.9 KB
/
suid_bin.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
/**
* Copyright (c) 2014-present, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed in accordance with the terms specified in
* the LICENSE file found in the root directory of this source tree.
*/
#include <pwd.h>
#include <grp.h>
#include <sys/stat.h>
#include <boost/filesystem.hpp>
#include <osquery/filesystem/filesystem.h>
#include <osquery/logger.h>
#include <osquery/tables.h>
namespace fs = boost::filesystem;
namespace osquery {
namespace tables {
std::vector<std::string> kBinarySearchPaths = {
"/bin", "/sbin", "/usr/bin", "/usr/sbin",
"/usr/local/bin", "/usr/local/sbin", "/tmp",
};
Status genBin(const fs::path& path, int perms, QueryData& results) {
struct stat info;
// store user and group
if (stat(path.c_str(), &info) != 0) {
return Status(1, "stat failed");
}
// store path
Row r;
r["path"] = path.string();
struct passwd* pw = getpwuid(info.st_uid);
struct group* gr = getgrgid(info.st_gid);
// get user name + group
std::string user;
if (pw != nullptr) {
user = std::string(pw->pw_name);
} else {
user = std::to_string(info.st_uid);
}
std::string group;
if (gr != nullptr) {
group = std::string(gr->gr_name);
} else {
group = std::to_string(info.st_gid);
}
r["username"] = user;
r["groupname"] = group;
r["permissions"] = "";
if ((perms & 04000) == 04000) {
r["permissions"] += "S";
}
if ((perms & 02000) == 02000) {
r["permissions"] += "G";
}
results.push_back(r);
return Status::success();
}
bool isSuidBin(const fs::path& path, int perms) {
if (!fs::is_regular_file(path)) {
return false;
}
if ((perms & 04000) == 04000 || (perms & 02000) == 02000) {
return true;
}
return false;
}
void genSuidBinsFromPath(const std::string& path, QueryData& results) {
if (!pathExists(path).ok()) {
// Creating an iterator on a missing path will except.
return;
}
auto it = fs::recursive_directory_iterator(fs::path(path));
fs::recursive_directory_iterator end;
while (it != end) {
fs::path subpath = *it;
try {
// Do not traverse symlinked directories.
if (fs::is_directory(subpath) && fs::is_symlink(subpath)) {
it.no_push();
}
int perms = it.status().permissions();
if (isSuidBin(subpath, perms)) {
// Only emit suid bins.
genBin(subpath, perms, results);
}
++it;
} catch (fs::filesystem_error& e) {
VLOG(1) << "Cannot read binary from " << subpath;
it.no_push();
// Try to recover, otherwise break.
try {
++it;
} catch (fs::filesystem_error& e) {
break;
}
}
}
}
QueryData genSuidBin(QueryContext& context) {
QueryData results;
// Todo: add hidden column to select on that triggers non-std path searches.
for (const auto& path : kBinarySearchPaths) {
genSuidBinsFromPath(path, results);
}
return results;
}
}
}