Hi guys, I'm trying to make a script to eliminate rlogin files.
path1='/home/*'
for i in `cat /etc/passwd |awk -F: '{print $6}'`; do
    if test "$i" = "$path1"; then
        echo $i
        cd $i
        if [ -f .rhosts ]; then
            echo "$i/.rhosts detectado"|mail -s "rhosts" root
            rm -f $i/.rhosts
        fi
    fi
done
I want my script to only check users with a path in /home/, but the symbol "" is not working.
How can I make the "test" command compare the path "$i" with the path /home/* (i.e. /home/all users)?
doesn't work in quotes. Even if it did, that's probably not where you'd want to put it.
You also have several useless uses of cat and backticks.
You don't need to cd into each and every individual home directory either. And if you do, you should really cd back out after, or you won't be able to cd into anything else under /home/ after. If you're going to use awk, you might as well check for /home inside it too.
awk -v FS=':' '($6 ~ /^\/home/)' < /etc/passwd |
while IFS=: read -r USERNAME G G G G H G    # IFS=: so read splits on the passwd field separator; H is the home directory
do
    if [ -f "$H/.rhosts" ]
    then
        echo "$H/.rhosts detectado" | mail -s "rhosts" root
        rm -f "$H/.rhosts"
    fi
done
*?[0-9] will not glob inside any sort of quotes (or, if there is no compatible target, the globbing characters persist). test = does not glob, BTW; [ is test, which is a shell builtin in more advanced shells.
Why not simplify:
for f in /home/*/.rhosts
do
    if [ "$f" = "/home/*/.rhosts" ]    # the glob matched nothing, so the pattern came back literally
    then
        exit
    fi
    ....
done
A parody of your script but using grep in a pipeline to select lines starting with /home/ . Using "while read" avoids the "for .... in open-ended-list" syntax which is notorious for generating command lines which are too long.
awk -F: '{print $6}' /etc/passwd | grep "^\/home\/" | while read -r home_dir
do
    if [ -f "${home_dir}/.rhosts" ]; then    # quoted, so no globbing or word splitting on the path
        echo "${home_dir}/.rhosts detectado"|mail -s "rhosts" root
        rm -f "${home_dir}/.rhosts"
    fi
done
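The IFS-split read and the grep pipeline in the two replies above do the same job; the following is an added example, not code from anyone in this thread, that puts the whole thing in one function. The passwd text is a constructed sample, the directory tree is built under mktemp so it runs offline, and the names scan_rhosts, SAMPLE_PASSWD and the ROOT/MODE parameters are my own choices.

```sh
#!/bin/sh
# Added example, not from the thread: walk passwd-format entries and act on
# .rhosts files in home directories under a chosen prefix. The passwd text
# is a constructed sample and the directory tree is built under mktemp, so
# this runs offline; use /etc/passwd and an empty ROOT for real use.

# Constructed passwd sample: only alice and bob live under /home.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
svc:x:900:900:service:/var/lib/svc:/usr/sbin/nologin'

# scan_rhosts PREFIX ROOT MODE  < passwd-text
#   PREFIX  only entries whose home directory is under it are considered
#   ROOT    prepended to each home path (empty in production, a temp dir here)
#   MODE    "report" prints each .rhosts found; "remove" also deletes it
# Prints one path per finding on stdout, so the caller decides whether to
# pipe it to mail, a log, or nowhere. IFS=: makes read split on the passwd
# separator and -r keeps backslashes literal; the last variable absorbs any
# trailing fields. Every expansion is quoted, so "*" never globs and home
# directories containing spaces are handled.
scan_rhosts() {
    prefix=$1 root=$2 mode=$3
    while IFS=: read -r _name _pw _uid _gid _gecos home _shell; do
        case $home in
            "$prefix"/*) ;;        # under the prefix: keep going
            *) continue ;;         # /root, /var/lib/svc, blank lines: skip
        esac
        target="$root$home/.rhosts"
        [ -f "$target" ] || continue
        printf '%s\n' "$target"
        if [ "$mode" = remove ]; then
            rm -f -- "$target"
        fi
    done
}

# Stand-alone demo against a throwaway tree. Production use would be:
#   scan_rhosts /home "" remove < /etc/passwd | mail -s "rhosts removed" root
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/var/lib/svc"
    echo 'host1 user1' > "$tmp/home/alice/.rhosts"      # constructed content
    echo 'host1 user1' > "$tmp/var/lib/svc/.rhosts"     # outside /home, must be left alone
    echo "== report =="
    printf '%s\n' "$SAMPLE_PASSWD" | scan_rhosts /home "$tmp" report
    echo "== remove =="
    printf '%s\n' "$SAMPLE_PASSWD" | scan_rhosts /home "$tmp" remove
    echo "== still present outside /home =="
    ls -A "$tmp/var/lib/svc"
    rm -rf "$tmp"
}

demo
```

Keeping the mail step outside the function is deliberate: the scan prints only paths, so the same function serves a cron job that mails root, a one-off audit that just lists findings, and a dry run before anything is deleted.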
.shosts for ssh has a similar layout, but I am not sure it does much, since for the good life you need to make and distribute keys, but you might just rename them .shosts or .rhosts_not_allowed.
As prevention, on all accounts, why not put a root-owned file, readable but not writable, at the original .rhosts name with a message inside?
What if root owns it, it is 444, and inside it says "# Do not use .rhosts -- SysAdmin"? Can the user rename it or change the permissions? My .rhosts files were all owned by me, but I do recall permissions were critical.
Of course, everyone can have the same inode.
If you remove it, they can add it back. An ounce of prevention.
There are controls for rlogind, varying by OS, but security auditors have no brain or trust, just a checklist, which is why putting a fake one in place as permanent prevention, while much better than daily/hourly scans, is less acceptable in practice.
They should audit for rlogind being removed, and all the r commands like that, forcing use of ssh2, preferably.
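The read-only placeholder discussed in the last few posts, as an added example that is not from anyone in the thread: install_placeholder, is_placeholder and PLACEHOLDER_TEXT are names I chose, it runs against a temporary directory, and it only chowns to root when actually run as root. The point of the is_placeholder check is that a scan like the ones earlier in the thread can then tell the sysadmin's marker file from a real trust file instead of deleting or mailing about both.

```sh
#!/bin/sh
# Added example, not from the thread: drop a read-only placeholder .rhosts
# into a home directory and provide a check that recognises it later.
# Runs against a throwaway directory; pass a real home and run as root for
# actual use. The chown is skipped when not root because it would fail.

PLACEHOLDER_TEXT='# Do not use .rhosts -- SysAdmin'

# is_placeholder FILE : true when FILE contains nothing but the marker line.
is_placeholder() {
    [ -f "$1" ] && [ "$(cat "$1")" = "$PLACEHOLDER_TEXT" ]
}

# install_placeholder HOMEDIR
# Returns 0 if a placeholder is in place afterwards (idempotent), 1 if the
# directory is missing, and 2 if a real .rhosts was found and left alone so
# it can be reviewed: nothing is silently overwritten.
install_placeholder() {
    [ -d "$1" ] || return 1
    f="$1/.rhosts"
    if is_placeholder "$f"; then
        return 0                      # already installed; a 444 file cannot be rewritten anyway
    fi
    if [ -e "$f" ]; then
        printf 'real .rhosts present, not replaced: %s\n' "$f" >&2
        return 2
    fi
    printf '%s\n' "$PLACEHOLDER_TEXT" > "$f"
    chmod 444 "$f"
    if [ "$(id -u)" = 0 ]; then
        chown root "$f"
    fi
    return 0
}

# Stand-alone demo against a temp directory.
demo() {
    h=$(mktemp -d) || return 1
    install_placeholder "$h" && echo "installed:" && cat "$h/.rhosts"
    install_placeholder "$h" && echo "second run: still a placeholder"
    rm -rf "$h"
}

demo
```

Mode 444 only stops the user editing the file in place. Whether they can rename or unlink it is decided by write permission on the home directory, which the user normally has, so the placeholder is a deterrent and an audit signal rather than a control; disabling rlogind and the other r-commands, as the last post says, is what actually closes the path.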