Hi,
I have a simple promise to ensure that there is no setuid bit on Centrify Kerberized su binary (per security advisory from Centrify):
---8<-----------------------------------------------------------
bundle agent main
{
  files:
    "/usr/share/centrifydc/kerberos/bin/ksu"
      perms => m("u-s");
}

body perms m(mode)
{
  mode => "$(mode)";
}
---8<-----------------------------------------------------------
This works fine except on a few hosts that don't have Centrify installed:
error: Failed to chdir into '/usr/share/centrifydc/kerberos/bin'. (chdir: 'No such file or directory')
While I can change the promise to:
  files:
    "/usr/share/centrifydc/kerberos/bin/ksu"
      if    => fileexists("/usr/share/centrifydc/kerberos/bin/ksu"),
      perms => m("u-s");
I want to comment that it seems to me that if the file doesn't exist, the promise that the file is not setuid root is KEPT, and I should get a thumbs-up and a smiley face, instead of an error message. ;)
I suppose it's expecting too much of a C program to have that kind of insight.
Mechanisms, mechanisms... I'm glad I'm still needed. =)
Aleksey
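The semantics Aleksey is asking for, written out as a small Python check rather than CFEngine policy (an added example, not from the original post or from CFEngine): a missing file trivially satisfies "no setuid bit" and is reported as kept, while a file that does carry the bit is repaired and reported as such. The path, the `Outcome` names and the `demo()` scenario are constructed for illustration.

```python
import os
import stat
import tempfile
from enum import Enum


class Outcome(Enum):
    KEPT = "kept"          # promise already holds (including: file does not exist)
    REPAIRED = "repaired"  # setuid bit was present and has been cleared
    FAILED = "failed"      # file exists but could not be inspected or fixed


def ensure_not_setuid(path: str) -> Outcome:
    """Promise: `path` must not have the setuid bit.

    A file that is absent cannot be setuid, so that case is KEPT, not an
    error. Symlinks are not followed, so a stray link cannot redirect the
    chmod onto an unrelated binary.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return Outcome.KEPT
    except OSError:
        return Outcome.FAILED
    if stat.S_ISLNK(st.st_mode):
        return Outcome.FAILED
    if not st.st_mode & stat.S_ISUID:
        return Outcome.KEPT
    try:
        # Equivalent of "u-s": keep every other permission bit, drop only setuid.
        os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)
    except OSError:
        return Outcome.FAILED
    return Outcome.REPAIRED


def demo() -> list:
    """Constructed scenario: a setuid 'ksu' stand-in, the same file again,
    then a host where the binary was never installed."""
    with tempfile.TemporaryDirectory() as d:
        ksu = os.path.join(d, "ksu")
        open(ksu, "w").close()
        os.chmod(ksu, 0o4755)  # mimic a setuid-root style mode on a file we own
        missing = os.path.join(d, "not-installed", "ksu")
        return [ensure_not_setuid(ksu), ensure_not_setuid(ksu), ensure_not_setuid(missing)]
```

Running `demo()` yields repaired, kept, kept: the third result is the "thumbs-up" the post argues a missing file deserves.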