From 3bf26b7cab3c86caa74550e567ea36a3be3861a7 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 13 May 2022 15:46:30 +0200
Subject: [PATCH] Update rule to allow special bits in library dirs

Rule file_permissions_library_dirs is about preventing group-writable or world-writable files in the library dirs. The Suid bits and the stick bit don't need to be stripped. The default mode of file_permissions is to allow stricter permissions, so this change will make the template ignore the special bits and remove only the 'w' bits from group and others.
---
 .../file_permissions_library_dirs/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index e3125098abba..0a4d00d59766 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -66,7 +66,7 @@ template:
             - /usr/lib64/
         recursive: 'true'
         file_regex: ^.*$
-        filemode: '0755'
+        filemode: '7755'
 fixtext: |-
     Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than 755.
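Review bot: The fixtext context kept in this hunk still tells the operator to fix "any library file with a mode more permissive than 755", while the check now tolerates `7755`, so a file carrying setuid/setgid/sticky bits passes the check but the fixtext directs the operator to strip those bits anyway — the check and the remediation text no longer agree on what compliant looks like. Reword the fixtext to match the intent stated in the commit message, e.g. `replacing "[FILE]" with any library file that is group-writable or world-writable.`, and review the description/OCIL text outside this hunk, which presumably also quotes 755 (the fixtext block continues past the end of the hunk). Because `7755` makes the rule silent on setuid/setgid library files, it is worth stating in the rule description that special bits are deliberately out of scope here, so readers do not assume this rule covers them. The commit message's claim that the template treats filemode as a maximum (allowing stricter modes) should be confirmed against the template itself, which is not in this diff.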