Fix filesystem permission masks

The setuid bit is ignored on directories, so it's not necessary
to remove it. The tasks currently remove the user's ability to
use their home directory.

The patch fixes the permissions problem, ensures that the 'nobody'
user is skipped, and enables testing for the tasks in the gate.

Closes-Bug: 1731005
Closes-Bug: 1730994
Change-Id: Id7be77b2eaa707c4c27d46f97d07f34825813749
(cherry picked from commit 79b3d25070)
Major Hayden 2017-11-09 08:47:14 -06:00
parent 8248f89068
commit 5543b54ffb
2 changed files with 3 additions and 1 deletions

@ -105,9 +105,10 @@
dest: "{{ item.dir }}"
owner: "{{ item.name }}"
group: "{{ item.group.name }}"
mode: "u-X,g-ws,o-rwxt"
mode: "g-ws,o-rwxt"
when:
- item.uid >= 1000
- item.name != 'nobody'
- security_set_home_directory_permissions_and_owners | bool
with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}"
tags:
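Review bot: The `item.name != 'nobody'` condition in the `when:` list excludes exactly one account by name, so any other non-login account with a uid of 1000 or more still has its home directory re-owned and its mode changed. Consider driving the exclusion from a list variable, or doing the filtering in `with_items` next to the existing `selectattr('uid', 'greaterthan', 999)`, which already makes the `item.uid >= 1000` check redundant. A short comment on the `mode:` line explaining why `u-X` was dropped would help keep it from being reintroduced.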

@ -93,6 +93,7 @@
security_rhel7_remove_shosts_files: yes
security_search_for_invalid_owner: yes
security_search_for_invalid_group_owner: yes
security_set_home_directory_permissions_and_owners: yes
security_set_minimum_password_lifetime: yes
security_unattended_upgrades_enabled: yes
security_unattended_upgrades_notifications: yes
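Review bot: Setting `security_set_home_directory_permissions_and_owners: yes` only makes the gate run the task; nothing in this hunk checks the resulting mode, so a mask that strips the owner's access, as the previous `u-X` did, would still pass as long as the task exits cleanly. Consider adding a test step that creates a user with a uid of 1000 or more and asserts, after the role runs, that the owner can still enter and write to the home directory.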