From 6dd56a4f480dd73f28f267a6ae177fe87087ec9f Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 24 Mar 2022 19:10:51 +0100
Subject: [PATCH 1/3] When 'file_regex' is set do not operate on symlinks
The remediations should remediate regular files. No symlinks or the files they are pointing to should be changed. There are symlinks in `/lib/.buid-id/' that point to installed binaries. For example (the IDs will vary): '/lib/.build-id/a4/67cb9c8fa7306d41b96a820b0178f3a9c66055' -> '../../../../usr/bin/passwd' '/lib/.build-id/a4/8e8ae0d029dbbc1c1b0bb0fcea424860a6c412' -> '../../../../usr/bin/sudo' '/lib/.build-id/a4/2c53d4543f5c0bb8db47d65e4b766d12f3b7bd' -> '../../../../usr/lib64/python3.9/lib-dynload/_lsprof.cpython-39-x86_64-linux-gnu.so'
---
 shared/templates/file_groupowner/bash.template | 4 ++--
 shared/templates/file_owner/bash.template | 4 ++--
 shared/templates/file_permissions/bash.template | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index f27d098e3ec2..b13c95e6b307 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -13,10 +13,10 @@
 {{% for path in FILEPATH %}}
 {{%- if IS_DIRECTORY %}}
 {{%- if FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}})
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chgrp -h {{{ FILEGID }}} "$file"
+ chgrp {{{ FILEGID }}} "$file"
 fi
 done
 {{% else %}}
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 07dc5f66997b..f2d2366d5850 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
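Review bot: Dropping `-h` from the chgrp line is not what keeps symlink targets untouched; the new `-type f` test on the find line already does that, and removing `-h` reintroduces dereferencing at the moment chgrp runs. find classifies entries when it enumerates them, while chgrp without `-h` follows whatever `$file` is when the loop reaches it, so an entry swapped for a symlink in between would have its target's group changed. For the root-owned system directories these templates appear to target, that window only matters if the directory is writable by someone untrusted, so this is a hardening note rather than a likely exploit. Since `-h` is harmless on a regular file, I would keep `chgrp -h {{{ FILEGID }}} "$file"` alongside the new `-type f` filter. The enclosing `{{% for path in FILEPATH %}}` template loop continues past the hunk.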
@@ -13,10 +13,10 @@
 {{% for path in FILEPATH %}}
 {{%- if IS_DIRECTORY %}}
 {{%- if FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}})
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}})
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
- chown -h {{{ FILEUID }}} "$file"
+ chown {{{ FILEUID }}} "$file"
 fi
 done
 {{%- else %}}
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index 78e8a4557c3a..16096959c7cd 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -13,7 +13,7 @@
 {{% for path in FILEPATH %}}
 {{%- if IS_DIRECTORY %}}
 {{%- if FILE_REGEX %}}
-readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}})
+readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f)
 for file in "${files[@]}"; do
 if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chmod {{{ FILEMODE }}} "$file"
From 04027f381b42a7726aa4ac6a57dda8975dcf0bf8 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 24 Mar 2022 19:16:05 +0100
Subject: [PATCH 2/3] Prevent breaking the paths with spaces
---
 shared/templates/file_groupowner/bash.template | 2 +-
 shared/templates/file_owner/bash.template | 2 +-
 shared/templates/file_permissions/bash.template | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index b13c95e6b307..a7133d28c632 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
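Review bot: The new readarray line still splits find's output on newlines, so a file name containing a newline is broken into fragments that the loop then treats as separate paths to chown. Because chown only runs after the basename regex matches, the likely outcome is a missed remediation rather than a wrong target, but the exact form is cheap and stays within bash 4: end the listing with `-print0` and consume it with `read -d ''`. Concretely, replace the readarray and `for` lines with `while IFS= read -r -d '' file; do` and close the loop with `done < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}} -print0)`, leaving the body as it is. The same consideration applies to the chown dereferencing point: `-h` is harmless on a regular file, so keeping it with `-type f` would close the enumerate-then-act window as well. The template `{{% for path in FILEPATH %}}` loop continues past the hunk.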
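Review bot: Unlike the owner and group templates, the new find line carries no compliance filter, so `chmod {{{ FILEMODE }}} "$file"` runs on every regex-matched regular file, including files already at FILEMODE and files stricter than it; a 0600 file under a rule whose FILEMODE is 0644 would be widened. Whether that is acceptable depends on the rule's check semantics (exact mode versus "no more permissive than"), which is not visible in this hunk. If FILEMODE is always an octal literal, `find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -perm {{{ FILEMODE }}}` would at least skip already-exact files and keep the template parallel to the `! -uid`/`! -gid` filters; if the check is "no more permissive than", the loosening is a side effect worth a comment such as `# sets the mode exactly; stricter modes are widened to FILEMODE`. The `fi`/`done` closing the loop lie outside the hunk.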
@@ -15,7 +15,7 @@
 {{%- if FILE_REGEX %}}
 readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -gid {{{ FILEGID }}})
 for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chgrp {{{ FILEGID }}} "$file"
 fi
 done
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index f2d2366d5850..83a53b9d2432 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -15,7 +15,7 @@
 {{%- if FILE_REGEX %}}
 readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f ! -uid {{{ FILEUID }}})
 for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chown {{{ FILEUID }}} "$file"
 fi
 done
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index 16096959c7cd..75f238530261 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -15,7 +15,7 @@
 {{%- if FILE_REGEX %}}
 readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type f)
 for file in "${files[@]}"; do
- if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
+ if basename "$file" | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
 chmod {{{ FILEMODE }}} "$file"
 fi
 done
From c5feb7579776917e5ad0615c92ea31eafbe86758 Mon Sep 17 00:00:00 2001
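Review bot: Quoting `$file` fixes word-splitting on the basename call, but the other operand is still interpolated into a single-quoted string, `grep -qE '{{{ FILE_REGEX[loop.index0] }}}'`, so a FILE_REGEX containing a `'` would terminate the quote and produce a syntactically broken remediation script; the regex is also matched unanchored against the basename, which is presumably intended. The values come from rule definitions rather than from the target host, so this is a template-robustness constraint rather than an injection path, but it is invisible to whoever writes the next rule. A one-line comment beside the match such as `# FILE_REGEX is embedded in single quotes: it must not contain a single quote` (or escaping the value in the template) would make the constraint explicit; the same construct appears in the file_owner and file_permissions hunks of this commit. The `{{%- if FILE_REGEX %}}` branch is closed outside the hunk.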
From: Watson Sato
Date: Thu, 24 Mar 2022 19:41:19 +0100
Subject: [PATCH 3/3] Update test scenario to align with OVAL behavior
This test sets expectation on behavior of the rule. Symlinks are ignored, even when they have incompliant owner, and point to nowhere.
---
 .../tests/incorrect_symlink.fail.sh | 16 ----------------
 .../tests/incorrect_symlink.pass.sh | 9 +++++++++
 2 files changed, 9 insertions(+), 16 deletions(-)
 delete mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
deleted file mode 100644
index 174a855fae84..000000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
-
-useradd user_test
-
-TESTDIR="/usr/lib/"
-
-# The remediation performs a 'find' followed by a 'chwon'
-# While 'find' doesn't follow symlinks by default, 'chown' does follow,
-# so 'chown' will try to change owner of a non existent file while 'find'
-# pointed out that the symlink has wrong owner.
-ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
-chown -h user_test $TESTDIR/faulty_symlink
-
-# The Check ignores symlink, so we need to put a reason to run the remediations
-touch $TESTDIR/test_me
-chown user_test $TESTDIR/test_me
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh
new file mode 100644
index 000000000000..51bc6fe2d717
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The check ignores this symlink and results in pass
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink
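Review bot: The replacement scenario only establishes that the check ignores a dangling symlink; it creates no non-compliant regular file, so the remediation never runs and nothing in the series exercises the new `-type f` behaviour on the case the first commit describes (a symlink to an existing, wrongly owned binary under /lib/.build-id). If the harness runs remediation only for `.fail.sh` scenarios, a companion fail scenario that creates a non-compliant regular file plus a symlink to a real file owned by `user_test` would at least drive the remediation through the symlink-skipping path; asserting the link target's owner afterwards would need a check beyond what OVAL provides here, so that part is inferred. Minor: `mising_test_file` reads as a typo for `missing_test_file`, and `TESTDIR="/usr/lib/"` joined with `/faulty_symlink` yields a double slash, harmless but untidy; `$TESTDIR` is a fixed constant, so the unquoted expansions are safe.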