|
 |
0b628f |
From f2d9ec9883a344daa67a80ad54e6652185346395 Mon Sep 17 00:00:00 2001
|
|
|
0b628f |
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
|
|
0b628f |
Date: Fri, 14 Feb 2020 14:57:33 +0100
|
|
|
0b628f |
Subject: [PATCH] Fixed oscap-ssh failing to retrieve the result files when
|
|
|
0b628f |
executing with --sudo
|
|
|
0b628f |
|
|
|
0b628f |
Depending on the umask configuration of the target system, "sudo oscap"
|
|
|
0b628f |
may create the result files in temporary directory with 600 permissions,
|
|
|
0b628f |
which makes retrieving the log (as the regular user that ssh'ed to the
|
|
|
0b628f |
system) impossible:
|
|
|
0b628f |
|
|
|
0b628f |
~~~
|
|
|
0b628f |
$ oscap-ssh --sudo user@system 22 xccdf eval ...
|
|
|
0b628f |
[...]
|
|
|
0b628f |
oscap exit code: 0
|
|
|
0b628f |
Copying back requested files...
|
|
|
0b628f |
scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied
|
|
|
0b628f |
Failed to copy the HTML report back to local machine!
|
|
|
0b628f |
~~~
|
|
|
0b628f |
|
|
|
0b628f |
Scenario to reproduce the failure: set a default umask in /etc/sudoers:
|
|
|
0b628f |
|
|
|
0b628f |
~~~
|
|
|
0b628f |
Defaults umask = 0077
|
|
|
0b628f |
~~~
|
|
|
0b628f |
|
|
|
0b628f |
The fix consists in changing the result files' ownership from "root" to
|
|
|
0b628f |
user's back, all while in the single sudo (using two sudo commands
|
|
|
0b628f |
wouldn't be nice since the user may get the password prompt twice,
|
|
|
0b628f |
depending on the sudo's configuration).
|
|
|
0b628f |
---
|
|
|
0b628f |
utils/oscap-ssh | 7 ++++++-
|
|
|
0b628f |
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
0b628f |
|
|
|
0b628f |
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
|
|
|
0b628f |
index 658cc2ee4..bd2e209c4 100755
|
|
|
0b628f |
--- a/utils/oscap-ssh
|
|
|
0b628f |
+++ b/utils/oscap-ssh
|
|
|
0b628f |
@@ -280,7 +280,12 @@ echo "Starting the evaluation..."
|
|
|
0b628f |
# changing directory because of --oval-results support. oval results files are
|
|
|
0b628f |
# dumped into PWD, and we can't be sure by the file names - we need controlled
|
|
|
0b628f |
# environment
|
|
|
0b628f |
-ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
0b628f |
+if [ -z "$OSCAP_SUDO" ]; then
|
|
|
0b628f |
+ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
0b628f |
+else
|
|
|
0b628f |
+ OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc"
|
|
|
0b628f |
+ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
0b628f |
+fi
|
|
|
0b628f |
OSCAP_EXIT_CODE=$?
|
|
|
0b628f |
echo "oscap exit code: $OSCAP_EXIT_CODE"
|
|
|
0b628f |
|