ports/184143: [patch] security/lynis incorrect permissions for data files
Kozlov Sergey
kozlov.sergey.404 at gmail.com
Thu Nov 21 14:00:01 UTC 2013
>Number: 184143
>Category: ports
>Synopsis: [patch] security/lynis incorrect permissions for data files
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 21 14:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Kozlov Sergey
>Release: 9.1-RELEASE-p7
>Organization:
ARC
>Environment:
FreeBSD sonya 9.1-RELEASE-p7 FreeBSD 9.1-RELEASE-p7 #4: Tue Sep 10 18:39:35 EEST 2013 root@sonya:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The new version of lynis demands strict permissions on %%DATADIR%%/include/tests_* files, no more than 0600, but the port installs the files with mode 0444.
When lynis is called with files that have bad permissions, all of them are skipped:
root# lynis -c -Q
..
[+] General
------------------------------------
- Running test category storage... [ SKIPPED ]
[+] General
------------------------------------
- Running test category storage_nfs... [ SKIPPED ]
..
- [15:37:27] Warning: Invalid permissions on tests file tests_storage [test:NONE] [impact:H]
- [15:37:27] Warning: Invalid permissions on tests file tests_storage_nfs [test:NONE] [impact:H]
..
>How-To-Repeat:
Install lynis-1.3.5, then call
root# lynis -c -Q
>Fix:
Correct the pkg-plist so the package files will be installed with the correct modes.
Patch attached with submission follows:
Index: Makefile
===================================================================
--- Makefile (revision 334484)
+++ Makefile (working copy)
@@ -3,6 +3,7 @@
PORTNAME= lynis
PORTVERSION= 1.3.5
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://cisofy.com/files/
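Review bot: the install step is not touched here, only `PORTREVISION= 1` is added after PORTVERSION, so the 0444 mode from the report is corrected by the plist alone. If the port's install target sets that mode explicitly, it should be changed there too so that the installed files and the plist agree.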
Index: pkg-plist
===================================================================
--- pkg-plist (revision 334484)
+++ pkg-plist (working copy)
@@ -22,6 +22,7 @@
%%DATADIR%%/include/parameters
%%DATADIR%%/include/profiles
%%DATADIR%%/include/report
+ at mode 0400
%%DATADIR%%/include/tests_accounting
%%DATADIR%%/include/tests_authentication
%%DATADIR%%/include/tests_banners
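Review bot: the mode line added before tests_accounting carries no explanation, and 0400 is tighter than the 0600 limit given in the report; a preceding `@comment` line saying that lynis skips tests files with wider permissions would keep a later cleanup from dropping it. In this archive copy the line shows as ` at mode 0400` because the archive rewrites `@` (compare `root at sonya` in the environment line); the plist keyword is `@mode`, in the same form as the `@dirrm` lines in the next hunk.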
@@ -63,6 +64,7 @@
%%DATADIR%%/include/tests_tooling
%%DATADIR%%/include/tests_virtualization
%%DATADIR%%/include/tests_webservers
+ at mode
@dirrm %%DATADIR%%/include
@dirrm %%DATADIR%%/dev/openbsd
@dirrm %%DATADIR%%/dev
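Review bot: the bare mode reset after tests_webservers closes the 0400 range opened in the previous hunk, so a tests_* entry that ends up outside that range would be installed with the default mode and skipped by lynis as the report describes. Confirm that no tests_* file is listed in the parts of the plist not shown here, before tests_accounting or after tests_webservers, and keep future tests_* entries between the two mode lines.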
>Release-Note:
>Audit-Trail:
>Unformatted:
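
Added example, not part of the original report and not code from lynis or the FreeBSD ports tree: a POSIX shell check that lists tests_* files whose mode exceeds the 0600 limit the report cites, exercised on a constructed fixture. The function names, the fixture, and the reading of "no more than 0600" as "no bits outside owner read/write" are assumptions.

```shell
#!/bin/sh
# Audit lynis tests_* include files for modes wider than 0600.
# Assumption: "no more than 0600" means no permission bit outside
# owner read/write may be set.

# Print each offending tests_* file under directory $1, one per line.
# Returns 0 if all files are acceptable, 1 if any are too permissive,
# 2 if $1 is not a directory.
audit_tests_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # POSIX find: "-perm -N" matches when every bit in N is set, so use
    # one test per forbidden bit (owner execute, all group/other bits).
    bad=$(find "$dir" -type f -name 'tests_*' \( \
        -perm -0100 -o -perm -0040 -o -perm -0020 -o -perm -0010 -o \
        -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed fixture: build a throwaway include/ directory that mixes
# the modes discussed in the report, and print its path.
make_fixture() {
    d=$(mktemp -d) || return 2
    : > "$d/tests_storage";     chmod 0444 "$d/tests_storage"     # mode before the patch
    : > "$d/tests_storage_nfs"; chmod 0400 "$d/tests_storage_nfs" # mode set by the patch
    : > "$d/tests_accounting";  chmod 0600 "$d/tests_accounting"  # upper limit from the report
    : > "$d/tests_banners";     chmod 0640 "$d/tests_banners"     # group-readable, too wide
    : > "$d/parameters";        chmod 0444 "$d/parameters"        # not a tests_* file, ignored
    printf '%s\n' "$d"
}

# Usage after installing the port (path is a placeholder):
#   audit_tests_perms "<DATADIR>/include" || echo "lynis will skip these"
```
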