enh: config reading: add rootonly option

Stéphane Lesimple 2021-07-30 12:00:45 +00:00 committed by Stéphane Lesimple
parent 9b2aa996b3
commit 873804dbbe


@ -14,7 +14,11 @@ sub load_configuration_file {
# it won't allow symlinks either
my $secure = $params{'secure'};
if ($secure) {
# if $rootonly is set, the $secure restriction apply, and
# in addition we won't load the file if it's o+r
my $rootonly = $params{'rootonly'};
if ($secure || $rootonly) {
my @stat = lstat($file);
if (@stat) {
if ($stat[4] != 0 or $stat[5] != 0) {
@ -26,6 +30,9 @@ sub load_configuration_file {
if (S_IMODE($stat[2]) & S_IWOTH) {
return R('ERR_SECURITY_VIOLATION', msg => "Configuration file ($file) is world-writable, report to your sysadmin.");
}
if ($rootonly && S_IMODE($stat[2]) & S_IROTH) {
return R('ERR_SECURITY_VIOLATION', msg => "Configuration file ($file) is world-readable, report to your sysadmin.");
}
}
# no @stat ? file doesn't exist, we'll error just below
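Review bot: The new `rootonly` test in the second hunk only rejects the other-read bit, so a file with mode 0640 still passes even though the option's name promises root-only access. The ownership test above it (`$stat[4] != 0 or $stat[5] != 0`) only requires gid 0, and on systems where group 0 has non-root members (for example a `wheel` group) a group-readable file would still expose its content to them. If that case matters for the supported platforms, the condition could be `if ($rootonly && S_IMODE($stat[2]) & (S_IRGRP | S_IROTH)) {`, with the message reworded to cover group-readable as well; `S_IRGRP` would need to be imported alongside `S_IROTH`, and the import line is not visible here. The new comment should also state the exact mode expected (e.g. "must not be readable by group or other") so that callers passing `rootonly` know what the check guarantees. The body of `load_configuration_file` starts and ends outside these hunks, so the later open and read of `$file` could not be reviewed against this check.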