From patchwork Sat Apr 30 10:05:44 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5574
Message-ID: <43e66e1b-b231-8869-4348-8172d820d7a5@ipfire.org>
Date: Sat, 30 Apr 2022 10:05:44 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH] Do not permit world-readability of /etc/sudoers.d/
List-Id: IPFire development talk

Lynis (rightly) complains about this directory and its contents being
world-readable on current IPFire installations. Since there is no necessity
for this, we might as well chmod them to 750 / 640.

Signed-off-by: Peter Müller
Reviewed-by: Adolf Belka
---
 lfs/logwatch      | 4 ++--
 lfs/setup         | 4 ++++
 lfs/zabbix_agentd | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lfs/logwatch b/lfs/logwatch
index 26da2c62e..8631f4541 100644
--- a/lfs/logwatch +++ b/lfs/logwatch @@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf -mkdir -p /etc/sudoers.d - chmod -v 755 /etc/sudoers.d - install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ + chmod -v 750 /etc/sudoers.d + install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ /etc/sudoers.d/logwatch-mdadm @rm -rf $(DIR_APP) diff --git a/lfs/setup b/lfs/setup index 5779406ef..82286d6a0 100644 --- a/lfs/setup +++ b/lfs/setup @@ -58,5 +58,9 @@ $(TARGET) : --with-config-root="$(CONFIG_ROOT)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + + # Fix file permissions of /etc/sudoers.d/setup + chmod 640 /etc/sudoers.d/setup + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c44f2b5f5..63566c1a7 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(call INSTALL_INITSCRIPTS,$(SERVICES)) # Install sudoers include file - install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ /etc/sudoers.d/zabbix # Install include file for backup
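Review bot: the `chmod -v 750 /etc/sudoers.d` and `install -v -m 640 ... logwatch-mdadm` lines in the lfs/logwatch hunk only take effect when that package is rebuilt and installed, so the world-readable directory and files that the commit message observes on current installations keep their 755/644 modes until the same fix is applied to existing systems; please add a matching `chmod 750 /etc/sudoers.d` and `chmod 640` of its contents to the update step that ships with this change. Note also that the directory is created here (`-mkdir -p /etc/sudoers.d`) and its mode is set only here, while lfs/setup and lfs/zabbix_agentd install into it as well, so the final directory mode depends on lfs/logwatch being part of the build; whichever package owns the directory should be the one that sets its mode.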
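Review bot: in the lfs/setup hunk the new `chmod 640 /etc/sudoers.d/setup` after `make install` corrects a mode chosen by the setup project's own install rule, and unlike the other two hunks it is neither verbose nor expressed as an `install -m`; use `chmod -v 640 /etc/sudoers.d/setup` for consistency with the logwatch and zabbix_agentd hunks, and consider fixing the mode in the setup project's install rule itself so the post-install chmod (and the chance of the two drifting apart) goes away.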
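Review bot: `install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers /etc/sudoers.d/zabbix` now produces a group-readable file but leaves owner and group to install's defaults (the user running the build); since the whole point of 640 is that only root may read the fragment, make that explicit with `install -v -o root -g root -m 640 ...` so the intended ownership is documented in the recipe rather than implied by the build environment. The same applies to the logwatch-mdadm install line in the first hunk.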