From: Peter Müller Date: Sat, 30 Apr 2022 10:05:44 +0000 (+0000) Subject: Do not permit world-readability of /etc/sudoers.d/ X-Git-Tag: v2.27-core170~215 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a260900c8d160192adc96234bb8a125f69b28c30;p=ipfire-2.x.git Do not permit world-readability of /etc/sudoers.d/ Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640. Signed-off-by: Peter Müller Reviewed-by: Adolf Belka --- diff --git a/lfs/logwatch b/lfs/logwatch index 26da2c62ef..8631f4541d 100644 --- a/lfs/logwatch +++ b/lfs/logwatch @@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf -mkdir -p /etc/sudoers.d - chmod -v 755 /etc/sudoers.d - install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ + chmod -v 750 /etc/sudoers.d + install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ /etc/sudoers.d/logwatch-mdadm @rm -rf $(DIR_APP) diff --git a/lfs/setup b/lfs/setup index 5779406ef0..82286d6a09 100644 --- a/lfs/setup +++ b/lfs/setup @@ -58,5 +58,9 @@ $(TARGET) : --with-config-root="$(CONFIG_ROOT)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + + # Fix file permissions of /etc/sudoers.d/setup + chmod 640 /etc/sudoers.d/setup + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c44f2b5f58..63566c1a7a 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(call INSTALL_INITSCRIPTS,$(SERVICES)) # Install sudoers include file - install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ /etc/sudoers.d/zabbix # Install include file for backup