add check permissions for g+w which would fail in cron

lyda · Feb 28, 2017 · fda67d4 · fda67d4
1 parent 468d696
commit fda67d4
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/chkcrontab_lib.py b/chkcrontab_lib.py
@@ -76,6 +76,7 @@
 import pwd
 import re
 import string
+import stat
 
 
 # The following extensions imply further postprocessing or that the slack
@@ -1099,6 +1100,13 @@ def check_crontab(arguments, log):
       log.Warn('Cron will not process this file - its name must match'
                ' [A-Za-z0-9_-]+ .')
 
+  # check file permissions should not have g+w
+  st=os.stat(arguments.crontab)
+  print(bool(st.st_mode & stat.S_IWGRP))
+  if bool(st.st_mode & stat.S_IWGRP):
+    log.Error('Cron will not process this file - it has group write '
+              'permission. Use "chmod g-w %s"' % arguments.crontab)
+
   line_no = 0
   cron_line_factory = CronLineFactory()
   with open(arguments.crontab, 'r') as crontab_f:

diff --git a/tests/test_check.py b/tests/test_check.py
@@ -349,6 +349,10 @@ def testCheckBadWithUserLookup(self):
     args.check_passwd = False
     self.CheckACrontab(args)
 
+  def testCheckWrongPermissions(self):
+    args = type("", (), {})()
+    args.crontab = os.path.join(BASE_PATH, 'test_crontab.permissions')
+    self.CheckACrontab(args)
 
 if __name__ == '__main__':
   result = unittest.main()

diff --git a/tests/test_crontab.permissions b/tests/test_crontab.permissions
@@ -0,0 +1,2 @@
+# WARN 1 for filename issue.
+# FAIL 1 for writable permissions by group
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# WARN 1 for filename issue.
		# FAIL 1 for writable permissions by group