Do not permit world-readability of /etc/sudoers.d/

Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-04-30 10:05:44 +00:00
parent 64567c9423
commit a260900c8d
3 changed files with 7 additions and 3 deletions
--- a/lfs/logwatch
+++ b/lfs/logwatch
@@ -106,8 +106,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	ln -vsf /usr/share/logwatch/default.conf /etc/logwatch/conf

 	-mkdir -p /etc/sudoers.d
-	chmod -v 755 /etc/sudoers.d
-	install -v -m 644 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \
+	chmod -v 750 /etc/sudoers.d
+	install -v -m 640 $(DIR_SRC)/config/logwatch/sudoers/logwatch-mdadm \
                /etc/sudoers.d/logwatch-mdadm

 	@rm -rf $(DIR_APP)
--- a/lfs/setup
+++ b/lfs/setup
@@ -58,5 +58,9 @@ $(TARGET) :
 		--with-config-root="$(CONFIG_ROOT)"
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
+
+	# Fix file permissions of /etc/sudoers.d/setup
+	chmod 640 /etc/sudoers.d/setup
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(call INSTALL_INITSCRIPTS,$(SERVICES))

 	# Install sudoers include file
-	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
+	install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \
 		/etc/sudoers.d/zabbix

 	# Install include file for backup