Subject: Re: Additional features for veriexecgen(8)
To: None <tech-userlevel@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: tech-userlevel
Date: 10/09/2006 12:37:33
Matt,

veriexecgen duplicates some other UNIX utilities' intelligence.  In the
spirit of "the UNIX philosophy," <http://cbbrowne.com/info/unix.html>,
consider simplifying veriexecgen as follows.  If there are no files on the
veriexecgen command line, let it read a list of files from the standard
input, classifying every file as the flags indicate (default = program,
-f = file, -i = interpreter, -u = untrusted, etc.).  Use veriexecgen
in combination with other simple programs in a pipeline to achieve your
desired ends.  Examples below:

On Mon, Oct 09, 2006 at 12:22:03PM +0100, M J Fleming wrote:
> Attached is a patch that implements a number of new features for veriexecgen.
>  
> The "-F" command-line option instructs veriexecgen(8) to "guess" which
> flags should be written to the fingerprint file for certain files, based on 
> characteristics of that file (its path, permissions, etc).
>  
> For instance, executing,
>  
> "veriexecgen -F"
>  
> instructs veriexecgen to search the default system paths for files.
> This will cause all files that are on a local filesystem and are executable
> to have the flag "PROGRAM" written to the fingerprint file. Any files that
> are not executable will have "FILE" written to the fingerprint file. If any
> of the files on the default system paths are on non-local filesystems,
> the flag "UNTRUSTED" will be appended to the flags for that file.

#!/bin/sh

# Split $PATH on ':' into the positional parameters, then classify every
# regular file under those directories by filesystem type and execute bit.
IFS=:
set -- $PATH
unset IFS
find "$@" -fstype local -type f -perm -0100 | veriexecgen
find "$@" -fstype local -type f ! -perm -0100 | veriexecgen -f
find "$@" ! -fstype local -type f -perm -0100 | veriexecgen -u
find "$@" ! -fstype local -type f ! -perm -0100 | veriexecgen -f -u

(That script is longer to type than 'veriexecgen -F', but it is shorter
than the equivalent C code, and you only have to write it once. :-)

> Of course, a way to make even more intelligent decisions about the flags
> that will be written to the fingerprint file is needed. This patch also provides
> the user with a way to specify (in conjunction with -F) that they want 
> veriexecgen to use default values for common library paths, script suffixes
> and interpreter paths (/bin/sh, /bin/ksh, etc).

#!/bin/sh

# Brace expansion is not POSIX sh; list the interpreters explicitly.
find /bin/sh /bin/csh /bin/ksh /bin/tcsh -type f -perm -0100 | veriexecgen -i

> These are wildcards for pathnames which are compared against the files, they
> can be turned on with command-line options,
> 
> - A default list of interpreter paths (-I)
> - A default list of library paths (-L)
> - A default list of script suffixes  (-S)
>  
> These changes are intended to allow the user to type less and achieve more.
>  
> The command-line options -i, -s, -l also allow the user to specify custom paths
> for interpreters, script suffixes and library paths, respectively. These 
> options allow paths to be specified via globbing, which uses the globbing rules
> based on the user's shell.
> 
> Examples:
> 
> "veriexecgen -i '/usr/pkg/bin/python2.4'" - labels the file
>   /usr/pkg/bin/python2.4 as an interpreter.

veriexecgen -i /usr/pkg/bin/python2.4

> "veriexecgen -l '/mnt/lib/*'" - labels all files in the directory /mnt/lib
>   as libraries.

veriexecgen -l /mnt/lib/*

> "veriexecgen -s '*.xxx'" - Treats files with a suffix of 'xxx' as scripts.

find . -name '*.xxx' -type f | veriexecgen -s

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933
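An added example, written for this page and not taken from the thread or from NetBSD's veriexecgen: the "guess the flags from path, permissions and filesystem" policy that the -F patch and Dave's find pipelines both describe, done as a small POSIX sh script. It prints one "path<TAB>flags" line per regular file found under the directories of a colon-separated search path. Assumptions: multiple flags are joined with commas (the convention of a veriexec signatures file); a veriexecgen that reads file names from standard input is the proposed, not yet existing, mode, so the script only produces the classification; and because find's -fstype local is NetBSD-specific, the script uses a portable heuristic on "df -P" output (remote filesystems show as "host:/export" or "//host/share") as a stand-in. The locality decision is passed into flags_for as a parameter so the policy itself can be exercised without the heuristic.

```shell
#!/bin/sh
# Added example: classify files on a search path the way the proposed
# "veriexecgen -F" would, using only standard tools.  Assumptions (not from
# the thread): flags are comma-joined; veriexecgen stdin mode is hypothetical;
# "df -P" device-name heuristic replaces NetBSD find's -fstype local.

# split_path PATHSTRING: print each absolute component once, one per line.
# Empty and relative entries ("" or ".") are dropped; they would otherwise
# make find walk the current directory.
split_path() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '/^\// && !seen[$0]++'
}

# is_executable FILE: true when the owner execute bit is set, mirroring the
# thread's "find ... -perm -0100" test.  -prune keeps find from descending.
is_executable() {
    [ -n "$(find "$1" -prune -perm -0100 2>/dev/null)" ]
}

# is_local_fs FILE: portable stand-in for "find -fstype local".  In POSIX
# "df -P" output, remote filesystems appear as "host:/export" (NFS) or
# "//host/share" (SMB) in the device column.  Heuristic, not authoritative.
is_local_fs() {
    dev=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }')
    case $dev in
        *:*|//*) return 1 ;;
        *)       return 0 ;;
    esac
}

# flags_for FILE LOCAL: print the veriexec flags for one regular file.
# LOCAL is "yes" or "no", supplied by the caller so the policy can be
# tested independently of the filesystem heuristic.
flags_for() {
    f=$1 onlocal=$2
    [ -f "$f" ] || return 1
    if is_executable "$f"; then flags=program; else flags=file; fi
    [ "$onlocal" = yes ] || flags="$flags,untrusted"
    printf '%s\n' "$flags"
}

# classify_search_path PATHSTRING: walk every directory on the path
# (recursively, as the find pipelines in the thread do) and print
# "path<TAB>flags" per regular file.  File names containing a newline are
# not handled, which is also true of the original pipelines.
classify_search_path() {
    split_path "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r f; do
            if is_local_fs "$f"; then onlocal=yes; else onlocal=no; fi
            printf '%s\t%s\n' "$f" "$(flags_for "$f" "$onlocal")"
        done
    done
}

# Usage: sh classify.sh "$PATH" | sort
if [ $# -gt 0 ]; then
    classify_search_path "$1"
fi
```

Note that on NetBSD itself the df heuristic is unnecessary: the four-line find pipeline in the message above, with `-fstype local`, is the precise test. The value of the function split here is that each rule (path filtering, the execute-bit test, the locality test) can be swapped or audited on its own.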