dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

Using relative file modes can result very wrong in some cases #222

Closed igalic closed 3 years ago

igalic commented 5 years ago

Describe the bug

Let's assume someone ("accidentally") set a funky mode for /etc/crontab, such as 5777. Since our code sets the mode relatively:

  ensure_resources('file', {
    '/etc/crontab' => {
      ensure => file,
      mode   => 'og-rwx',
      owner  => 'root',
      group  => 'root',
    },
  })

This can lead to unexpected or at least unwanted results.

Expected behavior

I want the file modes to be deterministic, no matter what their (wrongly) pre-configured state is.

Actual behavior

% ls -l /etc/crontab
-rwsrwxrwt. 1 root root 722 Nov 16  2017 /etc/crontab

After applying

class { 'os_hardening::minimize_access':
  manage_cron_permissions => true,
}

our crontab now looks like this:

% ls -l /etc/crontab
-rws-----T. 1 root root 722 Nov 16  2017 /etc/crontab

which is still wrong.

OS / Environment

Red Hat Enterprise Linux Server 7.6

Puppet Version

5.5.16
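
To make the effect concrete, here is an added shell illustration (not code from the puppet-os-hardening module) that reproduces the ticket's chmod arithmetic on a scratch file pre-set to 5777; it assumes GNU coreutils `stat -c %a` to read the mode back.

```shell
#!/bin/sh
# Added illustration, not code from the puppet-os-hardening module.
# Reproduces the ticket's arithmetic: a file pre-set to mode 5777, then
# changed with a relative mode (og-rwx, what the module does) versus an
# absolute mode (0600). Assumes GNU coreutils 'stat -c %a' to read the mode.
set -eu

# Creates a scratch file with the "funky" pre-existing mode 5777 (setuid +
# sticky + rwx for everyone) and prints its path.
make_funky_file() {
    f=$(mktemp)
    chmod 5777 "$f"
    printf '%s\n' "$f"
}

# Prints the mode of $1 in octal, including the special bits (e.g. 5700).
octal_mode() {
    stat -c '%a' "$1"
}

# Relative mode: only the group/other rwx bits are cleared, so the setuid
# (4000) and sticky (1000) bits that were already there survive.
relative_result() {
    f=$(make_funky_file)
    chmod og-rwx "$f"
    octal_mode "$f"
    rm -f "$f"
}

# Absolute mode: every bit is specified, so the result is the same whatever
# the file looked like before.
absolute_result() {
    f=$(make_funky_file)
    chmod 0600 "$f"
    octal_mode "$f"
    rm -f "$f"
}

main() {
    echo "og-rwx applied to 5777 -> $(relative_result)"   # 5700, still setuid
    echo "0600 applied to 5777   -> $(absolute_result)"   # 600
}

main "$@"
```

The first line of output is the `-rws-----T` state from the ticket in octal; only the absolute mode removes the leftover setuid and sticky bits.
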

mcgege commented 4 years ago

@igalic Thanks for reporting this ... indeed the current solution cannot fix all misconfigurations, but I doubt this can be solved easily. For this to work you would have to define a sane file mode for all relevant files on all supported distributions ... we could limit this (for now) to /etc/crontab, but what about the rest of the files / directories we manage?