Forum: Cfengine Help
Subject: Re: FW: Weird permissions with Cfengine.
Author: berntjernberg
Link to topic: https://cfengine.com/forum/read.php?3,21620,21654#msg-21654

Hi,

I don't know if this is the solution to my problem, but Cfengine seems to
remove read permission on files in /var where a ZFS ACL is set.

Via an ACL, an application user may read /var/cron/log, /var/adm/sulog
and /var/adm/loginlog.

I use this code. I run a similar bundle to remove write for "other" on all files
in /var/tmp and /tmp.

I use Community 3.1.4.

#
# Select regular files owned by $(user) whose mode matches $(mode)
# (called below with "u+s"), except the paths passed in @(files).
# file_result is a class expression over the search attributes:
# owner AND mode AND file_types, but NOT a whitelisted path_name.
#
body file_select by_umf(user,mode,files)
{
    search_owners => { "$(user)" };
    search_mode => { "$(mode)" };
    path_name => { @(files) };
    file_types => { "reg" };
    file_result => "!path_name.mode.owner.file_types";
}


#
# Remove all but whitelisted suid root files.
#
# The sweep runs once after the lockfile is absent (first run, or after
# /var/run is cleared at boot) and thereafter in the third quarter of
# the hours 01, 05, 09, 13, 17 and 21.  recurse_ignore(), policy() and
# touch() are not defined in this snippet; they are expected from the
# standard library (cfengine_stdlib.cf) or a local library.
#
bundle agent manage_root_suid_files
{
    vars:
        !suid_files_lockfile|(Hr01_Q3|Hr05_Q3|Hr09_Q3|Hr13_Q3|Hr17_Q3|Hr21_Q3)::
            "dir_list"     slist => { @(g.suid_dir_list) };
            "exclude_dirs" slist => { @(g.suid_excl_dir_list) };
            "allow_files"  slist => { @(g.suid_allow_list) };

    classes:
        # Set when the lockfile already exists, i.e. the sweep has run
        # since the last reboot.
        "suid_files_lockfile"   expression => isplain("/var/run/cfe_suid_files.lck");

    files:
        !suid_files_lockfile|(Hr01_Q3|Hr05_Q3|Hr09_Q3|Hr13_Q3|Hr17_Q3|Hr21_Q3)::
            # Every setuid regular file owned by root under dir_list that
            # is not in allow_files gets its setuid bit cleared.  Excluded
            # directory trees are not descended into at all.
            "$(dir_list)"
            file_select => by_umf("root","u+s","@(allow_files)"),
            depth_search => recurse_ignore("inf","@(exclude_dirs)"),
            action => policy("fix"),
            comment => "Allow only whitelisted setuid root files",
            transformer => "$(g.chmod) u-s $(this.promiser)";

    methods:
        !suid_files_lockfile::
            "Create lockfile" usebundle => touch("/var/run/cfe_suid_files.lck");

}

bundle common g
{
    vars:
            #
            # chmod binary used by the transformer above.  Not in the
            # posted snippet; the Solaris path is assumed here.
            #
            "chmod" string => "/usr/bin/chmod";

            #
            # Directories to search for suid root files.
            #
            "suid_dir_list" slist => {
                                     "/usr/bin",
                                     "/usr/sbin",
                                     "/sbin",
                                     "/var"
                                     };
            #
            # Directories to exclude while searching for suid root files.
            #
            "suid_excl_dir_list" slist => {
                                          "/opt/OV",
                                          "/opt/oracle",
                                          "/var/opt/OV",
                                          "/var/sadm/pkg",
                                          "/var/sadm/patch",
                                          "/var/sun",
                                          "/var/run"
                                          };

            #
            # Allowed suid files (absolute paths, matched exactly).
            #
            "suid_allow_list" slist => {
                                       "/usr/bin/at",
                                       "/usr/bin/atq",
                                       "/usr/bin/atrm",
                                       "/usr/bin/crontab",
                                       "/usr/bin/pfexec",
                                       "/usr/sbin/ping",
                                       "/usr/lib/pt_chmod"
                                      };
}



_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
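The same "allow only whitelisted setuid files" sweep, as an added example that is not part of the original post and not CFEngine's own code: a POSIX sh version built on find(1), so the list of files the transformer would touch can be reviewed on a host before the policy is allowed to run `chmod u-s`. The function names (list_unexpected_suid, fix_unexpected_suid, make_fixture, demo, demo_fix) are this example's own; the owner is a parameter rather than the hard-coded root of the policy, so the fixture below can be built by an unprivileged user, and the fixture tree is constructed test data, not real system files.

```shell
#!/bin/sh
# Added example: find(1) equivalent of the CFEngine suid sweep.
# Assumes POSIX sh, find, grep, chmod, mktemp, sed.

# list_unexpected_suid ROOT OWNER ALLOWFILE EXCLUDEFILE
#   ROOT        directory searched recursively (suid_dir_list entry)
#   OWNER       file owner to match (root in the policy)
#   ALLOWFILE   one allowed absolute path per line (suid_allow_list)
#   EXCLUDEFILE one directory tree to skip per line (suid_excl_dir_list)
# Prints each regular file under ROOT owned by OWNER with the setuid
# bit set that is neither under an excluded tree nor in ALLOWFILE.
# Nothing is modified, so this is the "warn" view of the policy.
list_unexpected_suid() {
    root=$1 owner=$2 allow=$3 exclude=$4
    find "$root" -type f -user "$owner" -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        skip=0
        while IFS= read -r d; do
            [ -n "$d" ] || continue
            case "$f" in "$d"/*) skip=1 ;; esac
        done < "$exclude"
        [ "$skip" -eq 0 ] || continue
        # whole-line fixed-string match: /usr/bin/at must not cover /usr/bin/at2
        grep -qxF -- "$f" "$allow" && continue
        printf '%s\n' "$f"
    done
}

# fix_unexpected_suid ROOT OWNER ALLOWFILE EXCLUDEFILE
# Same selection, then clears the setuid bit on each hit, which is what
# the policy's transformer does with "chmod u-s".
fix_unexpected_suid() {
    list_unexpected_suid "$@" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'u-s: %s\n' "$f"
    done
}

# make_fixture DIR
# Constructed test tree (not real system files), mirroring the policy:
#   DIR/usr/bin/crontab  setuid, whitelisted      -> kept
#   DIR/usr/bin/evil     setuid, not whitelisted  -> reported
#   DIR/var/run/x        setuid, excluded tree    -> kept
#   DIR/var/adm/sulog    not setuid               -> ignored
# Also writes DIR/allow and DIR/exclude with absolute paths.
make_fixture() {
    d=$1
    mkdir -p "$d/usr/bin" "$d/var/run" "$d/var/adm"
    for f in usr/bin/crontab usr/bin/evil var/run/x var/adm/sulog; do
        : > "$d/$f"
    done
    chmod u+s "$d/usr/bin/crontab" "$d/usr/bin/evil" "$d/var/run/x"
    printf '%s\n' "$d/usr/bin/crontab" > "$d/allow"
    printf '%s\n' "$d/var/run" > "$d/exclude"
}

# demo: list the unexpected setuid files in a fresh fixture, with the
# temporary prefix stripped so the result is stable.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    list_unexpected_suid "$tmp" "$(id -un)" "$tmp/allow" "$tmp/exclude" |
        sed "s|^$tmp||"
    rm -rf "$tmp"
}

# demo_fix: run the fix on a fresh fixture and print how many
# unexpected setuid files remain afterwards (expected: 0).
demo_fix() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    fix_unexpected_suid "$tmp" "$(id -un)" "$tmp/allow" "$tmp/exclude" >/dev/null
    list_unexpected_suid "$tmp" "$(id -un)" "$tmp/allow" "$tmp/exclude" |
        wc -l | tr -d ' '
    rm -rf "$tmp"
}

demo
```

On a real host the call would be `list_unexpected_suid /var root allow.txt exclude.txt` with the two list files filled from suid_allow_list and suid_excl_dir_list; running the list step first shows exactly which files under /var the policy is going to chmod, which is the set to check for ACLs before letting the "fix" action loose.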
