ovh/debian-cis

Double users_valid_homedir.sh

wilfriedroset opened this issue · 1 comments

The repository contains two scripts users_valid_homedir.sh but not the same id.
They do almost the same thing with minor differences.
One difference is the max userid:

if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then

vs
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then

I have a use case where the 6.2.9 version reports an issue while 6.2.3 doesn't. This is because the userid is 999, which is a valid system user id.

++ debug 'Working on systemd-timesync:999:/run/systemd'
++ '[' 4 -ge 5 ']'
+++ awk -F: '{print $1}'
++ USER=systemd-timesync
+++ awk -F: '{print $2}'
++ USERID=999
+++ awk -F: '{print $3}'
++ DIR=/run/systemd
++ '[' 999 -ge 500 ']'
++ '[' -d /run/systemd ']'
++ '[' systemd-timesync '!=' nfsnobody ']'
+++ stat -L -c %U /run/systemd
++ OWNER=root
++ '[' root '!=' systemd-timesync ']'
++ EXCEP_FOUND=0
++ for excep in $EXCEPTIONS
++ '[' /run/systemd:systemd-timesync:root = /:systemd-coredump:root ']'
++ for excep in $EXCEPTIONS
++ '[' /run/systemd:systemd-timesync:root = /var/ossec:ossec:root ']'
++ for excep in $EXCEPTIONS
++ '[' /run/systemd:systemd-timesync:root = /var/ossec:ossecm:root ']'
++ for excep in $EXCEPTIONS
++ '[' /run/systemd:systemd-timesync:root = /var/ossec:ossecr:root ']'
++ for excep in $EXCEPTIONS
++ '[' /run/systemd:systemd-timesync:root = /etc/telegraf:telegraf:root ']'
++ '[' 0 -eq 0 ']'
++ crit 'The home directory (/run/systemd) of user systemd-timesync is owned by root.'
++ '[' 0 -eq 1 ']'
++ '[' 4 -ge 1 ']'
++ _logger '\033[1;31m' '[ KO ] The home directory (/run/systemd) of user systemd-timesync is owned by root.'
++ COLOR='\033[1;31m'
++ shift
++ test -z 6.2.9_users_valid_homedir
++ builtin echo '[ KO ] The home directory (/run/systemd) of user systemd-timesync is owned by root.'
++ /usr/bin/logger -t 'CIS_Hardening[13922] 6.2.9_users_valid_homedir' -p user.info
+++ printf %-25.25s 6.2.9_users_valid_homedir
++ SCRIPT_NAME_FIXEDLEN=6.2.9_users_valid_homedir
++ cecho '\033[1;31m' '6.2.9_users_valid_homedir [ KO ] The home directory (/run/systemd) of user systemd-timesync is owned by root.'
++ COLOR='\033[1;31m'
++ shift
++ builtin echo -e '\033[1;31m6.2.9_users_valid_homedir [ KO ] The home directory (/run/systemd) of user systemd-timesync is owned by root.\033[0m'
6.2.9_users_valid_homedir [ KO ] The home directory (/run/systemd) of user systemd-timesync is owned by root.
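
The threshold difference described in this issue, as an added example (not code from ovh/debian-cis): a minimal re-implementation of the home-directory ownership check that takes the UID threshold as a parameter and runs over constructed passwd-style entries pointing at temporary directories, so `-ge 500` and `-ge 1000` can be compared on the same input. The sample entries, the content of `EXCEPTIONS`, and the `count_findings` helper are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from ovh/debian-cis: re-implements the homedir
# ownership check with the UID threshold as a parameter.

# Constructed fixture: real directories under a temp root so that -d and
# stat work without touching /run or /home. All are owned by the current user.
TMPBASE=$(mktemp -d)
ME=$(id -un)
mkdir -p "$TMPBASE/run/systemd" "$TMPBASE/home/$ME"

# Constructed passwd-style entries (user:uid:home). systemd-timesync has
# UID 999 as in the issue, and its directory is owned by $ME, not by itself.
SAMPLE_PASSWD="systemd-timesync:999:$TMPBASE/run/systemd
$ME:1000:$TMPBASE/home/$ME
nobody:65534:/nonexistent"

# Exception list in the dir:user:owner form seen in the trace above
# (assumption: this single constructed entry is the whole list).
EXCEPTIONS="/:systemd-coredump:root"

# check_homedirs THRESHOLD
# Prints "dir user owner" for every entry with UID >= THRESHOLD whose home
# directory exists, is not excluded by name or path, and is owned by another
# user without a matching EXCEPTIONS entry.
check_homedirs() {
  threshold="$1"
  printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r user userid dir; do
    [ "$userid" -ge "$threshold" ] || continue
    [ -d "$dir" ] || continue
    [ "$user" != "nfsnobody" ] && [ "$user" != "nobody" ] || continue
    [ "$dir" != "/nonexistent" ] || continue
    owner=$(stat -L -c %U "$dir")
    [ "$owner" != "$user" ] || continue
    excepted=0
    for excep in $EXCEPTIONS; do
      [ "$dir:$user:$owner" = "$excep" ] && excepted=1
    done
    [ "$excepted" -eq 0 ] && echo "$dir $user $owner"
  done
}

# count_findings THRESHOLD -> number of findings for that threshold
count_findings() {
  check_homedirs "$1" | wc -l | tr -d ' '
}

# Remove the temporary fixture when done experimenting.
cleanup_fixture() {
  rm -rf "$TMPBASE"
}

# Demonstration: UID 999 is reported with the 500 threshold but not with 1000.
echo "threshold 500:  $(count_findings 500) finding(s)"
echo "threshold 1000: $(count_findings 1000) finding(s)"
```

Running it prints one finding for threshold 500 (the systemd-timesync directory owned by the current user) and none for threshold 1000; call `cleanup_fixture` afterwards to delete the temporary directories.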

Hi @wilfriedroset, thanks for the report, we'll check which one is relevant according to the CIS benchmark.