ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-12-29 11:41:27 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix: superowners need to have +x on group homes

Browse source
This commit is contained in:
Stéphane Lesimple 2021-04-08 14:55:56 +00:00 committed by Stéphane Lesimple
parent f3ce9dfb06
commit 90d6dc2e3c
3 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bin/admin/check-consistency.pl
View file

@ -298,9 +298,10 @@ foreach my $file (@keyhomesfound) {
check_file_rights(
"/home/$file",
[
"# file: /home/$file", "# owner: $file", "# group: $file", "user::rwx",
"group::r-x", "group:osh-whoHasAccessTo:--x", "group:osh-auditor:--x", "group:$file-aclkeeper:--x",
"group:$file-gatekeeper:--x", "group:$file-owner:--x", "mask::r-x", "other::---",
"# file: /home/$file", "# owner: $file", "# group: $file", "user::rwx",
"group::r-x", "group:osh-whoHasAccessTo:--x", "group:osh-auditor:--x", "group:osh-superowner:--x",
"group:$file-aclkeeper:--x", "group:$file-gatekeeper:--x", "group:$file-owner:--x", "mask::r-x",
"other::---",
],
"drwxr-x--x",
$file, $file

1
bin/admin/install
View file

@ -843,6 +843,7 @@ if [ "$nothing" = 0 ]; then
if [ "$OS_FAMILY" = "Linux" ] || [ "$OS_FAMILY" = "FreeBSD" ]; then
setfacl -m "group:osh-whoHasAccessTo:--x" "/home/$grp"
setfacl -m "group:osh-auditor:--x" "/home/$grp"
setfacl -m "group:osh-superowner:--x" "/home/$grp"
setfacl -m "group:$grp-gatekeeper:--x" "/home/$grp"
setfacl -m "group:$grp-aclkeeper:--x" "/home/$grp"
setfacl -m "group:$grp-owner:--x" "/home/$grp"

2
bin/helper/osh-groupCreate
View file

@ -190,7 +190,7 @@ foreach my $command (
}
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor", "osh-superowner") {
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
}