(PUP-10627) Add default file permissions 640 for last_run_summary.yaml

Due to security concerns, this commit downgrades file permissions for `last_run_summary.yaml` from `644` to `640`. This allows only file owner and its group access to it by default.
puppetlabs · Nov 4, 2020 · 57f7125 · 57f7125
1 parent 09405d4
commit 57f7125
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/acceptance/tests/agent/last_run_summary_report.rb b/acceptance/tests/agent/last_run_summary_report.rb
@@ -50,19 +50,24 @@
       end
     end
 
-    step "Check if the 'last_run_summary.yaml' report file created has '0644' permissions" do
+    step "Check if the 'last_run_summary.yaml' report file created has '0640' permissions" do
       if agent['platform'] =~ /windows/
         on(agent, "icacls #{File.join(publicdir, 'last_run_summary.yaml')}") do |result|
           # Linux 'Owner' premissions class equivalent
           assert_match('Administrator:(R,W', result.stdout)
           # Linux 'Group' permissions class equivalent
           assert_match('None:(R)', result.stdout)
           # Linux 'Public' permissions class equivalent
-          assert_match('Everyone:(R)', result.stdout)
+          assert_match('Everyone:(Rc,S,RA)', result.stdout)
+          # According to icacls docs:
+          # Rc = Read control
+          # S  = Synchronize
+          # RA = Read attributes
+          # More at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
         end
       else
         on(agent, "ls -al #{publicdir}") do |result|
-          assert_match(/rw-r--r--.+last_run_summary\.yaml$/, result.stdout)
+          assert_match(/rw-r-----.+last_run_summary\.yaml$/, result.stdout)
         end
       end
     end
@@ -86,19 +91,24 @@
       end
     end
 
-    step "Check if the 'last_run_summary.yaml' report file was created in the new location and still has '0644' permissions" do
+    step "Check if the 'last_run_summary.yaml' report file was created in the new location and still has '0640' permissions" do
       if agent['platform'] =~ /windows/
         on(agent, "icacls #{File.join(custom_publicdir, 'last_run_summary.yaml')}") do |result|
           # Linux 'Owner' premissions class equivalent
           assert_match('Administrator:(R,W', result.stdout)
           # Linux 'Group' permissions class equivalent
           assert_match('None:(R)', result.stdout)
           # Linux 'Public' permissions class equivalent
-          assert_match('Everyone:(R)', result.stdout)
+          assert_match('Everyone:(Rc,S,RA)', result.stdout)
+          # According to icacls docs:
+          # Rc = Read control
+          # S  = Synchronize
+          # RA = Read attributes
+          # More at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
         end
       else
         on(agent, "ls -al #{custom_publicdir}") do |result|
-          assert_match(/rw-r--r--.+last_run_summary\.yaml$/, result.stdout)
+          assert_match(/rw-r-----.+last_run_summary\.yaml$/, result.stdout)
         end
       end
     end

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
@@ -1809,7 +1809,7 @@ def self.initialize_default_settings!(settings)
     :lastrunfile =>  {
       :default  => "$publicdir/last_run_summary.yaml",
       :type     => :file,
-      :mode     => "0644",
+      :mode     => "0640",
       :desc     => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  {