rpms/aide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c10s
aide/aide-include-permission-checks.patch
Super User 68a98f660c RHEL-10.3 ERRATUM 
Add aide timer for regular execution of aide
Resolves: RHEL-123520
Support for included files in /etc/aide.d/
Resolves: RHEL-141673
Increase default values for num_workers
Resolves: RHEL-141678
2026-06-04 14:24:33 +02:00

67 lines
4.0 KiB
Diff
Raw Permalink Blame History

diff --git a/src/conf_eval.c b/src/conf_eval.c
index 5774ce6..6503709 100644
--- a/src/conf_eval.c
+++ b/src/conf_eval.c
@@ -580,9 +580,9 @@ static void include_file(const char* file, bool execute, int include_depth, char
}
}
-void check_permissions(const char* path, struct stat *st, int linenumber, char *filename, char* linebuf) {
+static void check_permissions(const char* path, struct stat *st, const char *directive, int linenumber, char *filename, char* linebuf) {
if ((st->st_uid != geteuid() && st->st_uid != 0) || (st->st_mode & 002) != 0 || (st->st_mode & 020) != 0) {
- LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'@@x_include': bad ownership or modes for '%s' (please ensure it is neither group- nor world-writable and owned by the current user or root)", path)
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'%s': bad ownership or modes for '%s' (please ensure it is neither group- nor world-writable and owned by the current user or root)", directive, path)
exit(INVALID_CONFIGURELINE_ERROR);
}
}
@@ -611,13 +611,13 @@ static void include_directory(const char* dir, const char* rx, bool execute, cha
struct stat fs;
- if (execute) {
- if (stat(dir,&fs) == -1) {
- LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'@@x_include': stat for '%s' failed: %s", dir, strerror(errno))
- exit(INVALID_CONFIGURELINE_ERROR);
- }
- check_permissions(dir, &fs, linenumber, filename, linebuf);
+ /* stat() follows symlinks; we intentionally check the target's ownership
+ * and mode rather than the symlink node itself */
+ if (stat(dir,&fs) == -1) {
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'%s': stat for '%s' failed: %s", execute?"@@x_include":"@@include", dir, strerror(errno))
+ exit(INVALID_CONFIGURELINE_ERROR);
}
+ check_permissions(dir, &fs, execute?"@@x_include":"@@include", linenumber, filename, linebuf);
n = scandir(dir, &namelist, dirfilter, alphasort);
if (n == -1) {
@@ -660,9 +660,8 @@ static void include_directory(const char* dir, const char* rx, bool execute, cha
log_msg(LOG_LEVEL_DEBUG,"%s: skip '%s' (reason: file name does not match regex '%s')", dir, namelist[i]->d_name, rx);
} else {
int exec = execute && S_IXUSR&fs.st_mode;
- if (exec) {
- check_permissions(filepath, &fs, linenumber, filename, linebuf);
- }
+ /* pass directive name (not exec flag) so the error names the directive the user wrote */
+ check_permissions(filepath, &fs, execute?"@@x_include":"@@include", linenumber, filename, linebuf);
log_msg(LOG_LEVEL_CONFIG,"%s: %s '%s'", dir, exec?"execute":"include", namelist[i]->d_name);
include_file(filepath, exec, include_depth, nested_rule_prefix);
}
@@ -701,14 +700,15 @@ static void eval_include_statement(include_statement statement, int include_dept
} else {
struct stat fs;
if (lstat(path,&fs) == -1) {
- LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'@@include': lstat for '%s' failed: %s", path, strerror(errno))
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'%s': lstat for '%s' failed: %s", statement.execute?"@@x_include":"@@include", path, strerror(errno))
exit(INVALID_CONFIGURELINE_ERROR);
}
if (S_ISREG(fs.st_mode)) {
+ check_permissions(path, &fs, statement.execute?"@@x_include":"@@include", linenumber, filename, linebuf);
LOG_CONFIG_FORMAT_LINE_PREFIX(LOG_LEVEL_CONFIG, "include file '%s' (depth: %d)", path, include_depth)
include_file(path, statement.execute && S_IXUSR&fs.st_mode, include_depth, rule_prefix);
} else {
- LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'@@include': '%s' is not a regular file", path);
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "'%s': '%s' is not a regular file", statement.execute?"@@x_include":"@@include", path);
exit(INVALID_CONFIGURELINE_ERROR);
}
}
Reference in New Issue View Git Blame Copy Permalink