file permissions for symlinked files are not checked correctly

[vjeffrey]

this test fails:
control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgrub.conf" do
title "Set Permissions on /etc/grub.conf"
desc "Set permission on the /etc/grub.conf file to read and write for root only."
impact 1.0
describe file("/etc/grub.conf") do
it { should exist }
end
describe file("/etc/grub.conf") do
it { should_not be_executable.by "group" }
end
describe file("/etc/grub.conf") do
it { should_not be_readable.by "group" }
end
describe file("/etc/grub.conf") do
it { should_not be_writable.by "group" }
end
describe file("/etc/grub.conf") do
it { should_not be_executable.by "other" }
end
describe file("/etc/grub.conf") do
it { should_not be_readable.by "other" }
end
describe file("/etc/grub.conf") do
it { should_not be_writable.by "other" }
end
end

because:

[srenatus]

🎉 good catch 😨

[arlimus]

@vjeffrey @srenatus Good use-case! the way that file currently works, is that it will check the item you are pointing to, without resolving any fancy links:

inspec> file('/dev/initctl').mode.to_s(8)
=> "777"
inspec> file('/dev/initctl').symlink?
=> true

The actual target is behind the api:

inspec> file('/dev/initctl').link_path
=> "/run/systemd/initctl/fifo"
inspec> file('/dev/initctl').link_target.mode.to_s(8)
=> "600"

This is great for being specific and not wasting effort each time we need to resolve a file, but you may be pointing to an underlying difficulty in that model, which is: Users might be more interested in always testing the target, i.e. having it resolved. What are your thoughts?

If we decide to change this behavior, let's do it in train and make it applicable everywhere.