Forum: Cfengine Help
Subject: Needless/wrong SETUID reporting and logging
Author: Authority
Link to topic: https://cfengine.com/forum/read.php?3,17072,17072#msg-17072

I have a promise that sets the permissions on a binary to be SETUID root.

    "/usr/X11R6/bin/xscreensaver"
        comment => "SetUID so root can break user lock",
        create => "false",
        perms => mog("4755", "root", "root");

Obviously that opens up the potential for exploit so Cfengine gives a very obvious report that it occurred, which is nice. But now, every time I run cf-agent, I get the message:

    NEW SETUID root PROGRAM /usr/X11R6/bin/xscreensaver
    Edited file /var/cache/cfengine3/cfagent.hostname.log

This occurs if the promise is repaired or kept. So even if the binary was already SETUID, it reports it as "NEW" and adds a line to the aforementioned log file. That's not particularly helpful and could potentially end up wasting a lot of disk space, but is it also a bug?