Remove link following in minimize_access file resource #64
Conversation
Issue: dev-sec#60 From this page ubuntu linking ```/usr/bin/X11 -> .``` is by design: http://askubuntu.com/questions/191654/why-are-there-infinitely-many-x11-subdirectories-in-usr-bin-x11 This modification says ```links => follow``` is inappropriate. The specification of directories to apply this file resource is good, so it should cover the desired scope: that any files contained herein should be set as per the resource. Any files outside, including symlink targets should be untouched. Any files which are symlinked to other files inside will be caught, and any symlinks, self-referential or otherwise, will be ignored. This would resolve issue 60.
|
Bump! |
|
Boop! |
|
What can we do to get this PR to the next step? I'll take any feedback please. |
|
No feedback? |
|
Sorry, I'm going to take a look this week. |
|
I think removing "follow links" is a viable option. Most symlinks in the bin-directories link to binaries in other bin-directories. There are of course symlinks that lie outside a bin-directory, e.g. virtualbox-binaries or systemd-links. These should be handled by the user (maybe we should add an info to the readme, stating that binaries otuside the usual bin-directories should be handled by the user). However I think these do not justify breaking this task, so I think we should merge this change. @chris-rock, @arlimus what do you think? |
|
+1 will merge this evening if noone disagrees. |
|
@tuxmea is it possible for this be merged? |
This patch resolves Issue: #60
From this page, Ubuntu containing the symlink
/usr/bin/X11 -> .is by design:http://askubuntu.com/questions/191654/why-are-there-infinitely-many-x11-subdirectories-in-usr-bin-x11
This patch removes
links => followto prevent recursing down links. The caller defines the directories to apply the File resource to, so defining the scope. Any files lying in directories outside this scope should not be touched, covering symlink targets outside.