From a260900c8d160192adc96234bb8a125f69b28c30 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 30 Apr 2022 10:05:44 +0000 Subject: [PATCH] Do not permit world-readability of /etc/sudoers.d/ MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640. Signed-off-by: Peter Müller Reviewed-by: Adolf Belka --- lfs/logwatch | 4 ++-- lfs/setup | 4 ++++ lfs/zabbix_agentd | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lfs/logwatch b/lfs/logwatch index 26da2c62ef..8631f4541d 100644 --- a/lfs/logwatch +++ b/lfs/logwatch @@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf -mkdir -p /etc/sudoers.d - chmod -v 755 /etc/sudoers.d - install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ + chmod -v 750 /etc/sudoers.d + install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ /etc/sudoers.d/logwatch-mdadm @rm -rf $(DIR_APP) diff --git a/lfs/setup b/lfs/setup index 5779406ef0..82286d6a09 100644 --- a/lfs/setup +++ b/lfs/setup @@ -58,5 +58,9 @@ $(TARGET) : --with-config-root="$(CONFIG_ROOT)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + + # Fix file permissions of /etc/sudoers.d/setup + chmod 640 /etc/sudoers.d/setup + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c44f2b5f58..63566c1a7a 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(call INSTALL_INITSCRIPTS,$(SERVICES)) # Install sudoers include file - install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ /etc/sudoers.d/zabbix # Install include file for backup -- 2.39.5