[hobbit] need help checking a file status

Henrik Stoerner henrik at hswn.dk
Tue Sep 30 15:34:14 CEST 2008


In <EC70BBBBD43A8B468D2460FE1CFAAA2614885107 at EX1.nibco.com> "Kauffman, Tom" <KauffmanT at nibco.com> writes:

>Well, among other things - the file that went missing was a crontab . . .

>I've built a small perl script to get the data and dump it out to the client
>data stream; hobbit runs it via sudo. I'm also looking at logfetch.c, the
>hobbit program that does the process. I can see Henrik has thought about
>this, because the code to get and drop root permissions is present - bracketed
>by ifdefs for 'BIG_SECURITY_HOLE'.

>I need to satisfy myself about the logfetch code, and then I think a recompile
>may be in order.

The BIG_SECURITY_HOLE shows up because logfetch has no way of validating
that it is using a configuration file that hasn't been tampered with. So
if you run logfetch as root, you can feed it a config file listing secret
files that you want to read (like /etc/shadow), and it will happily read them
for you and put the contents into the Hobbit client-message. Not good ...

A custom status-check might be the simplest way of doing what you want.


Henrik
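
The custom status-check route suggested above, as an added example that is not part of the original message or of Hobbit: a script meant to be run via sudo that takes its file list from inside the root-owned script rather than from a config file, and reports only existence, owner and mode, never contents. The paths in WATCHED and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: fixed-allowlist file check intended to be run via sudo.
# The watched paths live in this script (install it root-owned, mode 0755),
# so no file another user can edit decides what root looks at, and only
# metadata is printed, never file contents.

# Constructed sample list; replace with the files you need to watch.
WATCHED="/etc/crontab /var/spool/cron/crontabs/root"

check_file() {
    # $1 = path. Prints "<color> <path> <detail>"; returns 0 only when green.
    f=$1
    if [ -L "$f" ]; then
        echo "red $f is a symlink"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "red $f missing or not a regular file"; return 1
    fi
    # ls -ln fields: 1 = mode string, 3 = numeric owner uid
    set -- $(ls -ln "$f")
    mode=$1 uid=$3
    case $mode in
        -????w*|-???????w*)   # group-write is char 6, other-write is char 9
            echo "yellow $f writable by group/other ($mode)"; return 1;;
    esac
    echo "green $f present uid=$uid mode=$mode"
}

run_check() {
    # $@ = paths. First output line is the worst color, then one line per file.
    worst=green; body=""
    for p in "$@"; do
        line=$(check_file "$p") || true
        case $line in
            red*)    worst=red;;
            yellow*) [ "$worst" = red ] || worst=yellow;;
        esac
        body="$body$line
"
    done
    printf '%s\n%s' "$worst" "$body"
}

# Hard-coded list only: command-line arguments are deliberately ignored.
run_check $WATCHED
```

The first output line is the overall color and the rest is the per-file detail; how that text is handed to the Hobbit client is up to the wrapper that invokes the script.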



