mirror of
https://github.com/ovh/the-bastion.git
synced 2024-12-29 03:31:23 +08:00
fix: superowners need to have +x on group homes
This commit is contained in:
parent
f3ce9dfb06
commit
90d6dc2e3c
3 changed files with 6 additions and 4 deletions
|
@ -298,9 +298,10 @@ foreach my $file (@keyhomesfound) {
|
|||
check_file_rights(
|
||||
"/home/$file",
|
||||
[
|
||||
"# file: /home/$file", "# owner: $file", "# group: $file", "user::rwx",
|
||||
"group::r-x", "group:osh-whoHasAccessTo:--x", "group:osh-auditor:--x", "group:$file-aclkeeper:--x",
|
||||
"group:$file-gatekeeper:--x", "group:$file-owner:--x", "mask::r-x", "other::---",
|
||||
"# file: /home/$file", "# owner: $file", "# group: $file", "user::rwx",
|
||||
"group::r-x", "group:osh-whoHasAccessTo:--x", "group:osh-auditor:--x", "group:osh-superowner:--x",
|
||||
"group:$file-aclkeeper:--x", "group:$file-gatekeeper:--x", "group:$file-owner:--x", "mask::r-x",
|
||||
"other::---",
|
||||
],
|
||||
"drwxr-x--x",
|
||||
$file, $file
|
||||
|
|
|
@ -843,6 +843,7 @@ if [ "$nothing" = 0 ]; then
|
|||
if [ "$OS_FAMILY" = "Linux" ] || [ "$OS_FAMILY" = "FreeBSD" ]; then
|
||||
setfacl -m "group:osh-whoHasAccessTo:--x" "/home/$grp"
|
||||
setfacl -m "group:osh-auditor:--x" "/home/$grp"
|
||||
setfacl -m "group:osh-superowner:--x" "/home/$grp"
|
||||
setfacl -m "group:$grp-gatekeeper:--x" "/home/$grp"
|
||||
setfacl -m "group:$grp-aclkeeper:--x" "/home/$grp"
|
||||
setfacl -m "group:$grp-owner:--x" "/home/$grp"
|
||||
|
|
|
@ -190,7 +190,7 @@ foreach my $command (
|
|||
}
|
||||
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
|
||||
|
||||
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
|
||||
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor", "osh-superowner") {
|
||||
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
|
||||
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue