Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/logwatch | 4 ++-- lfs/setup | 4 ++++ lfs/zabbix_agentd | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/lfs/logwatch b/lfs/logwatch index 26da2c62e..8631f4541 100644 --- a/lfs/logwatch +++ b/lfs/logwatch @@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf
-mkdir -p /etc/sudoers.d - chmod -v 755 /etc/sudoers.d - install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ + chmod -v 750 /etc/sudoers.d + install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ /etc/sudoers.d/logwatch-mdadm
@rm -rf $(DIR_APP) diff --git a/lfs/setup b/lfs/setup index 5779406ef..82286d6a0 100644 --- a/lfs/setup +++ b/lfs/setup @@ -58,5 +58,9 @@ $(TARGET) : --with-config-root="$(CONFIG_ROOT)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + + # Fix file permissions of /etc/sudoers.d/setup + chmod 640 /etc/sudoers.d/setup + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c44f2b5f5..63566c1a7 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(call INSTALL_INITSCRIPTS,$(SERVICES))
# Install sudoers include file - install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ /etc/sudoers.d/zabbix
# Install include file for backup
Reviewed-by: Adolf Belka adolf.belka@ipfire.org
On 30/04/2022 12:05, Peter Müller wrote:
Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
lfs/logwatch | 4 ++-- lfs/setup | 4 ++++ lfs/zabbix_agentd | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/lfs/logwatch b/lfs/logwatch index 26da2c62e..8631f4541 100644 --- a/lfs/logwatch +++ b/lfs/logwatch @@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf
-mkdir -p /etc/sudoers.d
- chmod -v 755 /etc/sudoers.d
- install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \
chmod -v 750 /etc/sudoers.d
install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \ /etc/sudoers.d/logwatch-mdadm
@rm -rf $(DIR_APP)
diff --git a/lfs/setup b/lfs/setup index 5779406ef..82286d6a0 100644 --- a/lfs/setup +++ b/lfs/setup @@ -58,5 +58,9 @@ $(TARGET) : --with-config-root="$(CONFIG_ROOT)" cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
- # Fix file permissions of /etc/sudoers.d/setup
- chmod 640 /etc/sudoers.d/setup
- @rm -rf $(DIR_APP) @$(POSTBUILD)
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c44f2b5f5..63566c1a7 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(call INSTALL_INITSCRIPTS,$(SERVICES))
# Install sudoers include file
- install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ /etc/sudoers.d/zabbix
# Install include file for backup
-
Adolf Belka -
Peter Müller