fix accounts_users_home_files_permissions to handle symlinks properly

chmod syscall doesn't apply to symlinks, so they shall be ignored when setting user files permissions. - OVAL check now filters out symlinks - bash_restrict_permissions_home_directories macro now ignore symlinks
ComplianceAsCode · Nov 7, 2024 · d18e07f · d18e07f
1 parent 7adc6db
commit d18e07f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/...de/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/...de/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
@@ -24,11 +24,15 @@
     <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>
     <unix:filename xsi:nil="true" />
   </unix:file_object>
+  <unix:file_state id="state_accounts_users_home_files_permissions_is_symlink" version="1">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
   <unix:file_object id="object_accounts_users_home_files_permissions_files" version="1">
     <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
                     recurse_file_system="local"/>
     <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>
     <unix:filename operation="pattern match">^[^\.].*</unix:filename>
+    <filter action="exclude">state_accounts_users_home_files_permissions_is_symlink</filter>
   </unix:file_object>
   <!-- #### creation of state #### -->
   <unix:file_state id="state_accounts_users_home_files_permissions_dirs" version="1" operator='AND'>

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -1432,9 +1432,9 @@ for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid
     # the permission is already defined as expected, therefore not impacting in possible integrity
     # check systems that also check inodes timestamps.
     {{%- if recursive %}}
-    find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+    find "$home_dir" -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;
     {{%- else %}}
-    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+    find "$home_dir" -maxdepth 0 -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;
     {{%- endif %}}
 done
 {{%- endmacro -%}}