#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_root - 05/30/99
#
# 03/31/2005 jfs  - Fixed call to grep
# 04/03/2004 rbrad - Fixed a bug with the PermitRootLogin ssh check where the
#            check failed if PermitRootLogin was both present and commented out.
# 11/16/2003 jfs Applied patch from Nicolas Franois to work non-interactively
#            even in SuSE (broken in previous patch) This problem has also
#            been reported multiple times in Debian: #218056, #220924
# 10/19/2003 jfs Applied patch from Ryan Bradetich which fixes mesg check
#            in SuSE. Also fixed message on root logins in SSHD
# 09/19/2003 jfs Applied patch from Nicolas Franois in order to properly
#            work non-interactively (MESG complains if not running in a tty)
# 09/03/2003 jfs Use SSHD_CONFIG instead of SSHCONF
# 08/28/2003 jfs Fixed syntax error
# 08/14/2003 jfs Implemented some of ARSC changes done in Tara 3.0.3, 
#            including a bugfix and checks for SSH PermitRootLogin's
#            (although changes have been implemented to allow for OS
#            and site configuration of the SSHD_CONFIG file location)
# 05/26/2003 jfs Fixed calls to test (worked in Linux but not in other OS due
#     to -n not being implicit)
# 07/25/2002 jfs  Changed TigerInstallDir to .
# 05/30/1999  Added feature to check for no console root logins
#
#-----------------------------------------------------------------------------
#
TigerInstallDir='.'

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds AWK GREP CAT GEN_PASSWD_SETS JOIN LS RM || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  haveallvars TESTLINK HOSTNAME || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------
echo
echo "# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab..."

haveallcmds AWK GREP CAT GEN_PASSWD_SETS JOIN LS RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1

if [ -f /etc/default/login ]; then
  if [ -z "`$GREP '^CONSOLE' /etc/default/login`" ]; then
     message WARN root001w "" "Remote root login allowed in /etc/default/login."
     echo
  fi
fi

if [ -f /etc/securetty ]; then
  if [ -n "`$GREP '^ttyp' /etc/securetty`" ]; then
     message WARN root001w "" "Remote root login allowed in /etc/securetty"
     echo
  fi
fi   

if [ -f /etc/ttytab ]; then
  if [ -n "`$GREP ' secure' /etc/ttytab | $GREP -v console`" ]; then
     message WARN root001w "" "Remote root login allowed in /etc/ttytab"
     echo
  fi
fi   
if [ -f /etc/security/access.conf ]; then
  if [ -n "`$GREP '^+:root' /etc/security/access.conf`" ]; then
     message WARN root001w "" "Remote root login allowed in /etc/security/access.conf"
     echo
  fi
fi
if [ -f /etc/ftpusers ]; then
  if [ -z "`$GREP '^root' /etc/ftpusers`" ]; then
     message WARN root002w "" "Remote root access allowed in /etc/ftpusers"
     echo
  fi
fi
if [ -f /etc/X11/xdm/Xresources ]; then
  if [ "`$GREP ^xlogin.Login.allowRootLogin /etc/X11/xdm/Xresources | $CUT -d : -f 2`" = "true" ]; then
     message WARN root004w "" "Root access allowed for xdm"
     echo
  fi
fi
if [ -f /etc/X11/gdm/gdm.conf ]; then
  [ "`$GREP ^AllowRoot /etc/X11/gdm/gdm.conf | $CUT -d = -f 2`" = "true" ] || \
  [ "`$GREP ^AllowRemoteRoot /etc/X11/gdm/gdm.conf | $CUT -d = -f 2`" = "true" ] &&
  {
     message WARN root004w "" "Root access allowed for gdm"
     echo
  }
fi

[ -n "$MESG" -a -x "$MESG" ] && {
  tty 2>&1 > /dev/null && {
  if $MESG | $GREP "is y" >/dev/null
  then
    message WARN root003w "" "Root user has message capability turned on."
  fi
  }
}

[ -z "$SSHD_CONFIG" ] && {
if [ -f /usr/local/etc/sshd_config ]; then
  SSHD_CONFIG=/usr/local/etc/sshd_config
elif [ -f /etc/sshd_config ]; then
  SSHD_CONFIG=/etc/sshd_config
elif [ -f /etc/ssh2/sshd2_config ]; then
  SSHD_CONFIG=/etc/ssh2/sshd2_config
elif [ -f /etc/ssh/sshd_config ]; then
  SSHD_CONFIG=/etc/ssh/sshd_config
fi
}

[ -f "$SSHD_CONFIG" ] && {
rootssh=`$GREP PermitRootLogin $SSHD_CONFIG | $GREP -v '^#'`
if [ -n "$rootssh" ]; then
    if [ "`echo $rootssh | $GREP -i yes`" ]; then
      message WARN root001w "" "Remote root login allowed in $SSHD_CONFIG"
    fi
    if [ "`echo $rootssh | $GREP -i nopwd`" ]; then
       message WARN root001w "" "root login without pwd allowed in $SSHD_CONFIG"
    fi
fi
}

exit 0
