broken root detection

[XenGi]

Describe the bug

When I run lynis without root privileges, instead of giving an informative error message it just gives out this a permission denied error.

Version

• Distribution: Arch Linux
• Lynis version: 3.0.8

Expected behavior

A clear and concise error message, telling the user to run the program as root.

Output

$ lynis
/usr/bin/lynis: line 206: /usr/share/lynis/include/consts: Permission denied

[xnoguer]

@XenGi ¿Can you post here the permissions and ownership for your /usr/share/lynis/include/consts file ?

[XenGi]

That is strange the permission differ a lot. I would expect them to be quite uniform and readable by everyone.

$ ls -la /usr/share/lynis/include/
total 1408
drwxr-xr-x 2 root root   4096 2023-04-09 00:33:33 .
drwxr-xr-x 5 root root   4096 2023-04-09 00:33:33 ..
-rw-r----- 1 root root  39280 2022-05-21 22:13:01 binaries
-rw-r----- 1 root root  11029 2022-05-21 22:13:01 consts
-rw-r--r-- 1 root root  13957 2022-05-21 22:13:01 data_upload
-rw-r----- 1 root root 161151 2022-05-21 22:13:01 functions
-rw-r--r-- 1 root root   8007 2022-05-21 22:13:01 helper_audit_dockerfile
-rw-r--r-- 1 root root   3754 2022-05-21 22:13:01 helper_configure
-rw-r--r-- 1 root root   7563 2022-05-21 22:13:01 helper_generate
-rw-r--r-- 1 root root  22826 2022-05-21 22:13:01 helper_show
-rw-r--r-- 1 root root   3626 2022-05-21 22:13:01 helper_system_remote_scan
-rw-r--r-- 1 root root   3677 2022-05-21 22:13:01 helper_update
-rw-r----- 1 root root  38792 2022-05-21 22:13:01 osdetection
-rw-r--r-- 1 root root  16876 2022-05-21 22:13:01 parameters
-rw-r--r-- 1 root root  27538 2022-05-21 22:13:01 profiles
-rw-r--r-- 1 root root  16845 2022-05-21 22:13:01 report
-rw-r--r-- 1 root root  26089 2022-05-21 22:13:01 tests_accounting
-rw-r----- 1 root root  86042 2022-05-21 22:13:01 tests_authentication
-rw-r--r-- 1 root root   8548 2022-05-21 22:13:01 tests_banners
-rw-r----- 1 root root  55819 2022-05-21 22:13:01 tests_boot_services
-rw-r--r-- 1 root root  11565 2022-05-21 22:13:01 tests_containers
-rw-r----- 1 root root  18090 2022-05-21 22:13:01 tests_crypto
-rw-r--r-- 1 root root   6942 2022-05-21 22:13:01 tests_custom.template
-rw-r----- 1 root root  23464 2022-05-21 22:13:01 tests_databases
-rw-r--r-- 1 root root   3470 2022-05-21 22:13:01 tests_dns
-rw-r----- 1 root root  21919 2022-05-21 22:13:01 tests_file_integrity
-rw-r--r-- 1 root root   3323 2022-05-21 22:13:01 tests_file_permissions
-rw-r----- 1 root root  47407 2022-05-21 22:13:01 tests_filesystems
-rw-r--r-- 1 root root  30676 2022-05-21 22:13:01 tests_firewalls
-rw-r--r-- 1 root root   7183 2022-05-21 22:13:01 tests_hardening
-rw-r--r-- 1 root root   9391 2022-05-21 22:13:01 tests_homedirs
-rw-r--r-- 1 root root  27371 2022-05-21 22:13:01 tests_insecure_services
-rw-r----- 1 root root  62223 2022-05-21 22:13:01 tests_kernel
-rw-r--r-- 1 root root   5755 2022-05-21 22:13:01 tests_kernel_hardening
-rw-r--r-- 1 root root   4058 2022-05-21 22:13:01 tests_ldap
-rw-r----- 1 root root  31998 2022-05-21 22:13:01 tests_logging
-rw-r--r-- 1 root root  14880 2022-05-21 22:13:01 tests_mac_frameworks
-rw-r--r-- 1 root root  21960 2022-05-21 22:13:01 tests_mail_messaging
-rw-r--r-- 1 root root  18885 2022-05-21 22:13:01 tests_malware
-rw-r--r-- 1 root root   7337 2022-05-21 22:13:01 tests_memory_processes
-rw-r--r-- 1 root root  35339 2022-05-21 22:13:01 tests_nameservices
-rw-r----- 1 root root  41648 2022-05-21 22:13:01 tests_networking
-rw-r--r-- 1 root root  28143 2022-05-21 22:13:01 tests_php
-rw-r----- 1 root root  80655 2022-05-21 22:13:01 tests_ports_packages
-rw-r----- 1 root root  14185 2022-05-21 22:13:01 tests_printers_spoolers
-rw-r----- 1 root root  16117 2022-05-21 22:13:01 tests_scheduling
-rw-r----- 1 root root  13693 2022-05-21 22:13:01 tests_shells
-rw-r--r-- 1 root root   4427 2022-05-21 22:13:01 tests_snmp
-rw-r----- 1 root root  17309 2022-05-21 22:13:01 tests_squid
-rw-r--r-- 1 root root  17986 2022-05-21 22:13:01 tests_ssh
-rw-r--r-- 1 root root   3828 2022-05-21 22:13:01 tests_storage
-rw-r--r-- 1 root root   8606 2022-05-21 22:13:01 tests_storage_nfs
-rw-r--r-- 1 root root   2180 2022-05-21 22:13:01 tests_system_integrity
-rw-r--r-- 1 root root  33396 2022-05-21 22:13:01 tests_time
-rw-r--r-- 1 root root  21373 2022-05-21 22:13:01 tests_tooling
-rw-r--r-- 1 root root  21540 2022-05-21 22:13:01 tests_usb
-rw-r--r-- 1 root root   1995 2022-05-21 22:13:01 tests_virtualization
-rw-r----- 1 root root  31639 2022-05-21 22:13:01 tests_webservers
-rw-r--r-- 1 root root   2210 2022-05-21 22:13:01 tool_tips

Seems like the package is build correctly with read permissions for all:
https://github.com/archlinux/svntogit-community/blob/packages/lynis/trunk/PKGBUILD

The package just copies the include dir over. See here.
Maybe the permissions are incorrect in the archive from lynis already.

[xnoguer]

@XenGi I added a pull request that fixes the problem with the message:
#1385

About the file permissions in the Archlinux package, it seems to be a problem with file permissions in the tarball that is downloaded from the CISOfy site:
https://downloads.cisofy.com/lynis/lynis-3.0.8.tar.gz
Up to version 3.0.6 the file permissions seem to be ok, but something seems to have happened with versions 3.0.7 and 3.0.8 that left those files with 640 permissions. I assume that only Michael Boelen or someone else at CISOfy can change that.

[mboelen]

Are the file permissions still wrong in the tarball with recent changes?

[xnoguer]

Are the file permissions still wrong in the tarball with recent changes?

@mboelen No. Permissions now look fine in the last versions, 3.1.0 and 3.1.1.
Thanks!

[mboelen]

Closing this issue then. No other change at the moment, besides that we did before (updating it in our build process) 👍