parseerror.com / shac


What It Does
shac aims to gather all available permission data on a unix-ish system and report, in a sane and machine-readable format, whether a certain user has certain permissions on certain files, and why or why not. As well as the ubiquitous read, write and execute perms, you can check create and delete. Possible uses range from helping an admin/geek analyze a confusing permission situation to providing machine-readable output to a calling script for some automated process.
Example
pizza@pizzabox:~/proj/shac$ ./shac -v .
VB verbose mode...
OK / (o+x) (mnt /dev/hda3)
OK /home (o+x)
OK /home/pizza (u+x)
OK /home/pizza/proj (u+x) (mnt /dev/hdb11)
OK /home/pizza/proj/shac (u+r)
OK user 'pizza' has perms 'r' on file /home/pizza/proj/shac
Why Would I Want It?
Because UNIX permissions are easy to screw up and hard to get right. Hopefully this gets you to the latter a little quicker and easier.
Getting shac
shac source resides in subversion (svn); svn runs anywhere apache runs, so there is likely a client for your platform. Here's how to fetch the latest sources:
svn checkout svn://parseerror.dyndns.org/shac/trunk shac
cd shac
make
make install (as root)
or grab a tar.gz archive
Development
shac is written in C. It's just me working on it; any help would be appreciated, even if you just drop me a note letting me know shac compiled and ran on your platform (or didn't, and the error message). Patches, of course, are appreciated :)
Target Platforms
Development takes place both on Linux and FreeBSD (whichever I happen to be working on at the time), and so it has to run on those two. So far the differences have been minor, mostly regarding accessing mountpoints. I also heard as of rev23 it compiled and ran on OpenBSD 3.5-current, so I expect if it runs on FreeBSD it will run on the BSDs with little or no problems.
Inspiration
I got the idea for this program from Michael Zalewski's page of fallen ideas. The man is full of good ideas, even if he thinks they're stupid.
Status
Beta. It has all the features, even the cool ones, that I originally envisioned. But it needs testing, lots of testing. I need to build a whole test suite, but I'm unmotivated.
Progress
  • 2006-06-14: take another look at shac, not as bad as i remember it, but some things need work.
  • 2005-09-28: re-imported into a new repository, shac lives again.
  • 2004-09-16(r48): fixed segfault because i was freeing username because it was assigned to optarg instead of making a copy. small changes to COPYING and Makefile
  • 2004-09-10(r46): fixed various small bugs, added 'debug' and 'dujour' targets to the makefile to aid in development. fixed a segfault where a list was getting freed twice
  • 2004-08-25(r36): fixed a bug where i was freeing memory more than once. also updated a few small things.
  • 2004-08-24(r31): more leak fixing, small changes to make code work with splint a little better. added make debug target. Makefiles are scary, need to learn them better.
  • 2004-08-24: fixed some leaks, valgrind is barely complaining now, yay. linux thinks that "/" is mounted read-only, i think my conditional loading of mntpt headers is failing
  • 2004-08-24: added -v, -vv and -vvv verbosity options to control output, much saner now. still needs some tweaking, but not bad.
  • 2004-08-23: merged 24 back into trunk, contains recursive deletable checking, thus making -pd option work for directories. seems to run fine on linux and freebsd. next: i need to change verbosity settings, currently we print all offending files under the directory that you can't delete, which is probably what we want in an -vv or -vvv, not by default. after that, add noexec support for mountpoints and then... well, it's in TODO.txt
Resources