Merged
6 changes: 6 additions & 0 deletions docs/templates/template_reference.md
Expand Up @@ -259,6 +259,8 @@

- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
If **file_regex** is not specified, the rule will only check
and remediate directories.

- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
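Review bot: the added sentence says what is checked (directories rather than files) but not how far down; in the non-recursive case the bash template limits `find` to `-maxdepth 1`, so "will only check and remediate the first level of directories under filepath (the whole tree when recursive is set)" would describe the actual behaviour and match the explanation given in the review thread. The same sentence is added to all three template sections, so keep the wording identical in each.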
Expand Down Expand Up @@ -294,6 +296,8 @@ they must be of the same length.

- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
If **file_regex** is not specified, the rule will only check
and remediate directories.

- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
Expand Down Expand Up @@ -329,6 +333,8 @@ they must be of the same length.

- **filepath** - File path to be checked. If the file path ends
with `/` it describes a directory. Can also be a list of paths.
If **file_regex** is not specified, the rule will only check
and remediate directories.

- **filepath_is_regex** - If set to `"true"` the OVAL will
consider the value of **filepath** as a regular expression.
Expand Up @@ -69,5 +69,6 @@ template:
- /lib64/
- /usr/lib/
- /usr/lib64/
recursive: 'true'
Contributor

is this really needed or is it an issue related to PR #8194 ?

Member Author

@yuumasato yuumasato Mar 23, 2022

I think we are looking at the same problem, but proposed different solutions, that, at the end, depend on rule interpretation.

When I read the rule description, I interpret that it should go down into all libraries and check files in libraries' directories too, not just the first level.

Contributor

@dodys dodys Mar 24, 2022

maybe I'm confused (I'll be honest, it's so many rules touching permissions that I have to re-read it all the time), but this rule specifically has the file_regex, shouldn't it be working recursively as you added to the documentation?
I ran a test and can see that the bash (not sure on ansible though) is correctly going through all the files. Isn't it just a matter of fixing the oval?

Member Author

@yuumasato yuumasato Mar 24, 2022

but this rule specifically has the file_regex, shouldn't it be working recursively as you added to the documentation?

Hmm, my addition in the documentation is about what will be checked, directories vs files. It doesn't address recursion.
a. If filepath is a directory and file_regex is not specified, the rule will check and remediate the first level of directories in the filepath.
b. If filepath is a directory and file_regex is specified, the rule will check and remediate files in the filepath.

If along with case a., recursion is set, the rule will check directories while recursing down.
If along with case b., recursion is set, the rule will check files while recursing down.

I ran a test and can see that the bash (not sure on ansible though) is correctly going through all the files.

Yes, the remediation is going down the directory tree, but should it happen when I didn't set recursive?

Isn't it just a matter of fixing the oval?

Yes, the OVAL was the part that initially needed fixing, but then I addressed inconsistencies between what the OVAL does and the remediation does.
I think if the check is recursive, the remediation should be too. But if the OVAL isn't recursive, the remediation shouldn't be.

Contributor

@dodys dodys Mar 24, 2022

Yeah, in RHEL /lib is a symlink to /usr/lib. @dodys Do you mean when the symlink itself is missing, or when the path pointed to by the symlink is missing? It seems to me that missing_file_pass will affect the first case, when the symlink itself is absent. I think symlink_test will be needed to check if the file pointed to is missing.

No, my point is that with the mentioned commit id, it started to filter out symlinks in the oval. Therefore, if /lib is a symlink it won't be checked. If it won't be checked then the number of files evaluated is 0 for that test, thus evaluating to false and the whole rule will fail as the oval is set to all_exist. By passing missing_file_pass in the rule, then it changes from all_exist to any_exist and allows the rule to pass. It is a quick fix.

Out of a review item with Matthew I filed #8412. The expected behaviour of the rule around symlinks is not clear to me.

I don't really remember if most/any of the permissions/ownership/group ownership rules really mention about symlinks. If oval is set to exclude symlinks (as it is right now), then I don't see the point (and feel free to correct me here) of passing -h in the remediation.

Member Author

Therefore, if /lib is a symlink it won't be checked. If it won't be checked than the number of files evaluated is 0 for that test, thus evaluating to false and the whole rule will fail as the oval is set to all_exist.

From what I could test with changes in this PR (using --oval-results), in RHEL, even when /lib is a symlink the scanner was able to collect objects.
So actually, could it be that the scanner follows symlinks, but doesn't report them as collected objects, 🤔 ?

Attached is the oval-results file:
rhel7-oval-results.zip

Member Author

I don't really remember if most/any of the permissions/ownership/group ownership rules really mention about symlinks.

I don't think symlinks are mentioned anywhere.

If oval is set to exclude symlinks (as it is right now), then I don't see the point (and feel free to correct me here) of passing -h in the remediation.

I see, it is strange to change the owner of the symlink when the check ignores them.
The intent of the change was to avoid dereferencing errors when the symlink is broken. (I made that commit when I was still not aware of the symlink mess)
With -h it means that chown will not affect the file pointed to, but as the find command doesn't follow symlinks by default (and -L is not set), the file pointed to by the symlink wouldn't be changed anyway...but now we avoid dereferencing errors!

And I see inconsistency here too.

To better align with the check the remediation should filter out symlinks before doing chown... But then we are not sure if we actually want to filter out the symlinks...

I'm aware that bdc5989 doesn't fix the symlinking situation, it just avoids errors in the chown command with the current behaviour.
This PR was to improve inconsistency with recurse and file_regex and I stumbled upon symlink and chown inconsistency, 😂

Contributor

I've just checked here my test from yesterday on master,
so /lib and /lib64 are both symlinks to /usr/lib and /usr/lib64 respectively.
One of the rules that I see failing file_ownership_library_dirs will fail for /lib64 as the only file inside it is a .so that is a symlink to a .so under /usr/lib64.
It doesn't fail for /lib as it "finds" some files there, which are actually files under /usr/lib.

It is tricky and I need to dig deeper on those rules, just not having the time lately.
I have to test with your changes, it might be that all this recursive and changes might fix some of the weirdness I saw in the failing tests.

Member Author

Yes, it is tricky. I had to take some time to wrap my head around what the rules do.

Let us know how the tests on your side go.

file_regex: ^.*$
fileuid: '0'
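Review bot: the paths in this rule carry a trailing slash (`/lib64/`, `/usr/lib64/`), which the bash template passes to `find` as-is (so the symlinked starting point is resolved and descended), while the OVAL template strips it with `filepath[:-1]` and so starts from the symlink object itself. On systems where /lib and /lib64 are symlinks into /usr that is one reason the check and the remediation can disagree, and it becomes more visible now that `recursive: 'true'` is set; confirm with --oval-results that both sides enumerate the same four trees, and state the intended symlink handling in the rule description so the behaviour discussed in the thread is documented rather than implied.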
@@ -0,0 +1,9 @@
# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

useradd user_test

TESTDIR="/usr/lib/dir/"

mkdir $TESTDIR
touch $TESTDIR/test_me
chown user_test $TESTDIR/test_me
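Review bot: this scenario has no comment explaining what it exercises (a non-root-owned file one level below /usr/lib, i.e. the recursive case) or the expected outcome; add a one-line header like the sibling scenario has, stating that the check is expected to fail and pass after remediation. Also `TESTDIR="/usr/lib/dir/"` already ends in `/`, so `$TESTDIR/test_me` expands to `/usr/lib/dir//test_me`; drop the trailing slash and quote the expansions (`"$TESTDIR/test_me"`).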
@@ -0,0 +1,16 @@
# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

useradd user_test

TESTDIR="/usr/lib/"

# The remediation performs a 'find' followed by a 'chwon'
# While 'find' doesn't follow symlinks by default, 'chown' does follow,
# so 'chown' will try to change owner of a non existent file while 'find'
# pointed out that the symlink has wrong owner.
ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
chown -h user_test $TESTDIR/faulty_symlink

# The Check ignores symlink, so we need to put a reason to run the remediations
touch $TESTDIR/test_me
chown user_test $TESTDIR/test_me
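Review bot: typos in the comment and fixture name: `chwon` should read `chown`, and `mising_test_file` should read `missing_test_file` (the target must stay absent, since a dangling link is what triggers the dereference error the comment describes). As in the other scenario, `$TESTDIR` ends in `/`, so the `ln -s` and `chown -h` lines produce double-slash paths; and a one-line "expected: fail, then pass after remediation" note would make clear that the `chown -h user_test` on the dangling link is what the `-h` change in the remediation is being tested against.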
Expand Up @@ -70,5 +70,6 @@ template:
- /lib64/
- /usr/lib/
- /usr/lib64/
recursive: 'true'
file_regex: ^.*$
filemode: '0755'
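Review bot: with `recursive: 'true'`, `file_regex: ^.*$` and `filemode: '0755'` together, the bash remediation's `find` has no mode filter, so `chmod 0755` is applied to every entry under /lib, /lib64, /usr/lib and /usr/lib64, including files that already pass and any setuid/setgid helper living in those trees, whose special bits are cleared by an exact mode. Consider limiting the find to entries that fail the check (for example `! -perm 0755` if the check is exact-mode, or a `-perm /022` style mask if the check is "not more permissive than"), so the remediation only changes what the OVAL would flag.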
Expand Up @@ -2,6 +2,5 @@

DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -type d -exec chmod go-w '{}' \;
find "$dirPath" -type f -exec chmod go+w '{}' \;
done
17 changes: 13 additions & 4 deletions shared/templates/file_groupowner/ansible.template
Expand Up @@ -5,32 +5,41 @@
# disruption = low

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
{{% if IS_DIRECTORY %}}
{{% if FILE_REGEX %}}

- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}}

- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
hidden: yes
register: files_found

- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
file:
path: "{{ item.path }}"
group: "{{{ FILEGID }}}"
when: item.gid != {{{ FILEGID }}}
with_items:
- "{{ files_found.files }}"

{{% elif IS_DIRECTORY and RECURSIVE %}}
{{% else %}}

- name: Ensure group owner on {{{ path }}} recursively
- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
group: "{{{ FILEGID }}}"

{{% endif %}}
{{% else %}}

- name: Test for existence {{{ path }}}
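Review bot: the new `{{% else %}}` branch (`state: directory` with `recurse: yes`) sets the group on every file and directory beneath the path, while the bash branch uses `find -type d` and the OVAL branch, with `filename xsi:nil="true"`, checks directories only; so the Ansible remediation is broader than the check it is paired with, which is the kind of mismatch this PR sets out to remove. Also `patterns: {{{ FILE_REGEX[loop.index0] }}}` is emitted as bare YAML, so a regex starting with `[` or `*`, or containing `: `, will not parse; quote it the way `paths:` already is.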
20 changes: 14 additions & 6 deletions shared/templates/file_groupowner/bash.template
Expand Up @@ -4,17 +4,25 @@
# complexity = low
# disruption = low

{{%- if RECURSIVE %}}
{{% set FIND_RECURSE_ARGS="" %}}
{{%- else %}}
{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
{{%- endif %}}

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
readarray -t files < <(find {{{ path }}})
{{%- if IS_DIRECTORY %}}
{{%- if FILE_REGEX %}}
readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}})
for file in "${files[@]}"; do
if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chgrp {{{ FILEGID }}} $file
chgrp -h {{{ FILEGID }}} "$file"
fi
done
{{% elif IS_DIRECTORY and RECURSIVE %}}
find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
{{% else %}}
find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
{{%- endif %}}
{{%- else %}}
chgrp {{{ FILEGID }}} {{{ path }}}
{{% endif %}}
{{%- endif %}}
{{% endfor %}}
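Review bot: the two branches now treat symlinks differently: the regex branch uses `chgrp -h` (never dereferences), but the directory branch keeps `find -L`, which makes `-type d` match symlinks to directories and then `chgrp` without `-h` changes the target. Since the thread says the OVAL skips symlinks, one policy for both branches (and matching the check) is needed. Two smaller points on the same lines: `find {{{ path }}} ...` and the context line `basename $file` are unquoted, so paths with spaces split; and the regex branch has no `-type f` or `-mindepth 1`, so with `^.*$` the starting directory itself (depth 0) is also chgrp'd, whereas the OVAL path/filename split only covers entries inside the path.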
10 changes: 5 additions & 5 deletions shared/templates/file_groupowner/oval.template
Expand Up @@ -32,14 +32,14 @@
</unix:file_state>
<unix:file_object comment="{{{ filepath }}}" id="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY -%}}
{{%- if FILE_REGEX %}}
{{%- if RECURSIVE %}}
<unix:path operation="pattern match">^{{{ filepath[:-1] }}}</unix:path>
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
{{%- endif %}}
{{%- if FILE_REGEX %}}
<unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
{{%- elif RECURSIVE %}}
<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- endif %}}
{{%- else %}}
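Review bot: the recursive branch builds `<unix:path operation="pattern match">^{{{ filepath[:-1] }}}</unix:path>` by interpolating the path into a regex unescaped and unterminated; for `/usr/lib/` that yields `^/usr/lib`, which also matches `/usr/lib64` and `/usr/libexec`, and any regex metacharacter in a path (`.`, `+`) changes its meaning. Either anchor the pattern to the directory and its subtree (e.g. `^/usr/lib(/.*)?$`, with the path regex-escaped before insertion) or keep a literal `<unix:path>` and express recursion with `<unix:behaviors recurse_direction="down" ...>`, which would also let the template state explicitly whether symlinks are followed.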
19 changes: 14 additions & 5 deletions shared/templates/file_owner/ansible.template
Expand Up @@ -5,32 +5,41 @@
# disruption = low

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
{{% if IS_DIRECTORY %}}
{{% if FILE_REGEX %}}

- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}}

- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
hidden: yes
register: files_found

- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
- name: Ensure owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
file:
path: "{{ item.path }}"
owner: "{{{ FILEUID }}}"
when: item.uid != {{{ FILEUID }}}
with_items:
- "{{ files_found.files }}"

{{% elif IS_DIRECTORY and RECURSIVE %}}
{{% else %}}

- name: Ensure owner on {{{ path }}} recursively
- name: Ensure owner on directory {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
owner: "{{{ FILEUID }}}"

{{% endif %}}
{{% else %}}

- name: Test for existence {{{ path }}}
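Review bot: same issue as in the group-owner template: the `{{% else %}}` branch with `state: directory` and `recurse: yes` chowns files as well as directories, while the bash branch (`find -type d`) and the OVAL nil-filename object cover directories only; and `patterns:` is unquoted YAML. The task name `Ensure owner on directory {{{ path }}}` is also the only one of the three templates to say "directory"; align the wording so the generated playbooks read consistently.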
22 changes: 15 additions & 7 deletions shared/templates/file_owner/bash.template
Expand Up @@ -4,17 +4,25 @@
# complexity = low
# disruption = low

{{%- if RECURSIVE %}}
{{% set FIND_RECURSE_ARGS="" %}}
{{%- else %}}
{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
{{%- endif %}}

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
readarray -t files < <(find {{{ path }}})
{{%- if IS_DIRECTORY %}}
{{%- if FILE_REGEX %}}
readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}})
for file in "${files[@]}"; do
if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chown {{{ FILEUID }}} $file
chown -h {{{ FILEUID }}} "$file"
fi
done
{{% elif IS_DIRECTORY and RECURSIVE %}}
find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
{{% else %}}
{{%- else %}}
find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chown {{{ FILEUID }}} {} \;
{{%- endif %}}
{{%- else %}}
chown {{{ FILEUID }}} {{{ path }}}
{{% endif %}}
{{%- endif %}}
{{% endfor %}}
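Review bot: the directory branch's `find -L ... -type d -exec chown` follows symlinks and chowns their targets, while the regex branch now deliberately uses `chown -h`; settle on one symlink policy for both branches (the thread indicates the OVAL ignores symlinks) or the inconsistency this PR fixes for regex rules remains for directory rules. It would also help to mirror the new `! -uid {{{ FILEUID }}}` filter in the directory branch (`-type d ! -uid {{{ FILEUID }}}`) so `chown` only runs on directories that actually fail, and to quote `$file` in the `basename $file` context line.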
10 changes: 5 additions & 5 deletions shared/templates/file_owner/oval.template
Expand Up @@ -31,14 +31,14 @@
</unix:file_state>
<unix:file_object comment="{{{ filepath }}}" id="object_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY -%}}
{{%- if FILE_REGEX %}}
{{%- if RECURSIVE %}}
<unix:path operation="pattern match">^{{{ filepath[:-1] }}}</unix:path>
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
{{%- endif %}}
{{%- if FILE_REGEX %}}
<unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
{{%- elif RECURSIVE %}}
<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- endif %}}
{{%- else %}}
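Review bot: as in the group-owner OVAL template, `^{{{ filepath[:-1] }}}` is an unescaped, unterminated prefix regex, so `^/lib` matches `/lib64` as well as `/lib`; anchor it (e.g. `^/lib(/.*)?$` with the path escaped) or use a literal path with `<unix:behaviors recurse_direction="down" ...>`.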
17 changes: 13 additions & 4 deletions shared/templates/file_permissions/ansible.template
Expand Up @@ -5,32 +5,41 @@
# disruption = low

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
{{% if IS_DIRECTORY %}}
{{% if FILE_REGEX %}}

- name: Find {{{ path }}} file(s){{% if RECURSIVE %}} recursively{{% endif %}}

- name: Find {{{ path }}} file(s)
find:
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
hidden: yes
register: files_found

- name: Set permissions for {{{ path }}} file(s)
file:
path: "{{ item.path }}"
mode: "{{{ FILEMODE }}}"
when: item.mode != '{{{ FILEMODE}}}'
with_items:
- "{{ files_found.files }}"

{{% elif IS_DIRECTORY and RECURSIVE %}}
{{% else %}}

- name: Set permissions for {{{ path }}} recursively
- name: Set permissions for {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}}
file:
path: "{{{ path }}}"
state: directory
{{% if RECURSIVE %}}
recurse: yes
{{% endif %}}
mode: "{{{ FILEMODE }}}"

{{% endif %}}
{{% else %}}

- name: Test for existence {{{ path }}}
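Review bot: `state: directory` with `recurse: yes` and `mode:` applies one mode to every file and directory beneath the path, while the bash branch (`find -type d -exec chmod`) and the OVAL nil-filename object cover directories only; for permissions this matters more than for ownership, because a single mode such as 0755 written onto files clears setuid/setgid bits. Either restrict the recursive branch to directories (a `find` with `file_type: directory` plus a per-item `file:` task, as the regex branch does for files) or document that the Ansible remediation intentionally touches files. `patterns:` is unquoted YAML here too, and the context line `when: item.mode != '{{{ FILEMODE}}}'` is missing the space before `}}}` (cosmetic, but inconsistent with the other templates).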
22 changes: 15 additions & 7 deletions shared/templates/file_permissions/bash.template
Expand Up @@ -4,17 +4,25 @@
# complexity = low
# disruption = low

{{%- if RECURSIVE %}}
{{% set FIND_RECURSE_ARGS="" %}}
{{%- else %}}
{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}}
{{%- endif %}}

{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
readarray -t files < <(find {{{ path }}})
{{%- if IS_DIRECTORY %}}
{{%- if FILE_REGEX %}}
readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}})
for file in "${files[@]}"; do
if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chmod {{{ FILEMODE }}} $file
chmod {{{ FILEMODE }}} "$file"
fi
done
{{% elif IS_DIRECTORY and RECURSIVE %}}
find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
{{% else %}}
{{%- else %}}
find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
{{%- endif %}}
{{%- else %}}
chmod {{{ FILEMODE }}} {{{ path }}}
{{% endif %}}
{{%- endif %}}
{{% endfor %}}
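Review bot: unlike the owner and group-owner templates, which gained `! -uid` / `! -gid` filters, this `find {{{ path }}} {{{ FIND_RECURSE_ARGS }}}` has no mode condition, so `chmod` runs on every matched entry, including already-compliant files and, with `^.*$` and no `-type f`, the starting directory and all subdirectories. Add a filter that mirrors the check (`! -perm {{{ FILEMODE }}}` if the check is exact-mode, or a `-perm /...` mask if it is "not more permissive than") so only failing entries are changed, and quote `$file` in the `basename $file` context line. The directory branch also keeps `find -L`, which makes `-type d` match symlinks to directories; the same symlink-policy question as in the owner templates applies.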
10 changes: 5 additions & 5 deletions shared/templates/file_permissions/oval.template
Expand Up @@ -45,14 +45,14 @@
<unix:file_object comment="{{{ filepath }}}" id="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">

{{%- if IS_DIRECTORY %}}
{{%- if FILE_REGEX %}}
{{%- if RECURSIVE %}}
<unix:path operation="pattern match">^{{{ filepath[:-1] }}}</unix:path>
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
{{%- endif %}}
{{%- if FILE_REGEX %}}
<unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
{{%- elif RECURSIVE %}}
<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- else %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- endif %}}
{{%- else %}}
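Review bot: same prefix-regex problem as in the other two OVAL templates: `^{{{ filepath[:-1] }}}` is neither escaped nor terminated, so `^/usr/lib` also matches `/usr/lib64` and `/usr/libexec`; anchor the pattern to the subtree (`^/usr/lib(/.*)?$` with the path escaped) or use a literal path with `<unix:behaviors recurse_direction="down" ...>` so the three templates express recursion the same way.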