openstack/ansible-hardening
Code Issues Proposed changes

Fix filesystem permission masks

Browse Source 
The setuid bit is ignored on directories, so it's not necessary
to remove it. The tasks currently remove the user's ability to
use their home directory.

The patch fixes the permissions problem, ensures that the 'nobody'
user is skipped, and enables testing for the tasks in the gate.

Closes-Bug: 1731005
Closes-Bug: 1730994
Change-Id: Id7be77b2eaa707c4c27d46f97d07f34825813749
This commit is contained in:
Major Hayden 2017-11-09 08:47:14 -06:00
parent dc194a1ac4
commit 79b3d25070
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tasks/rhel7stig/file_perms.yml
View File

@ -105,9 +105,10 @@
dest: "{{ item.dir }}"
owner: "{{ item.name }}"
group: "{{ item.group.name }}"
mode: "u-X,g-ws,o-rwxt"
mode: "g-ws,o-rwxt"
when:
- item.uid >= 1000
- item.name != 'nobody'
- security_set_home_directory_permissions_and_owners | bool
with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}"
tags:

1
tests/test.yml
View File

@ -53,6 +53,7 @@
security_rhel7_remove_shosts_files: yes
security_search_for_invalid_owner: yes
security_search_for_invalid_group_owner: yes
security_set_home_directory_permissions_and_owners: yes
security_set_minimum_password_lifetime: yes
security_unattended_upgrades_enabled: yes
security_unattended_upgrades_notifications: yes