Extra functionality for PermissionIs (#124)

* more functionality added for PermissionIs check * documentation
elysium-suite · Jul 24, 2021 · b701e3f · b701e3f
1 parent 5a74d8f
commit b701e3f
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 9 deletions.
diff --git a/cmd/checks_linux.go b/cmd/checks_linux.go
@@ -59,15 +59,35 @@ func processCheck(check *check, checkType, arg1, arg2, arg3 string) bool {
 		return err == nil && !result
 	case "PermissionIs":
 		if check.Message == "" {
-			check.Message = "The permissions of " + arg1 + " are " + arg2
+
+			if arg2 == "octal" {
+				check.Message = "The octal permissions of " + arg1 + " are " + arg3
+			} else if arg2 == "WorldWritable" {
+				check.Message = arg1 + " is world writable"
+			} else if arg2 == "WorldReadable" {
+				check.Message = arg1 + " is world readable"
+			} else {
+				check.Message = "Permissions of " + arg1 + " are " + arg3
+			}
+
 		}
-		result, err := permissionIs(arg1, arg2)
+		result, err := permissionIs(arg1, arg2, arg3)
 		return err == nil && result
 	case "PermissionIsNot":
 		if check.Message == "" {
-			check.Message = "The permissions of " + arg1 + " are not " + arg2
+
+			if arg2 == "octal" {
+				check.Message = "The octal permissions of " + arg1 + " are not " + arg3
+			} else if arg2 == "WorldWritable" {
+				check.Message = arg1 + " is not world writable"
+			} else if arg2 == "WorldReadable" {
+				check.Message = arg1 + " is not world readable"
+			} else {
+				check.Message = "Permissions of " + arg1 + " are not " + arg3
+			}
+
 		}
-		result, err := permissionIs(arg1, arg2)
+		result, err := permissionIs(arg1, arg2, arg3)
 		return err == nil && !result
 	default:
 		failPrint("No check type " + checkType)
@@ -149,7 +169,20 @@ func autoCheckUpdatesEnabled() (bool, error) {
 	return fileContainsRegex("/etc/apt/apt.conf.d/20auto-upgrades", `APT::Periodic::Update-Package-Lists( |)"1";`)
 }
 
-func permissionIs(filePath, permissionToCheck string) (bool, error) {
-	perm, err := commandOutput(`stat -c '%a' ` + filePath)
-	return perm == permissionToCheck, err
+// func permissionIs(filePath, permissionToCheck string) (bool, error) {
+// 	perm, err := commandOutput(`stat -c '%a' ` + filePath)
+// 	return perm == permissionToCheck, err
+// }
+
+func permissionIs(filePath, checkType, permissionToCheck string) (bool, error) {
+	if checkType == "octal" {
+		perm, err := commandOutput(`stat -c '%a' ` + filePath)
+		return perm == permissionToCheck, err
+	} else if checkType == "WorldWritable" {
+		return commandContains(`find `+filePath+` -perm -g+w -or -perm -o+w`, filePath)
+	} else if checkType == "WorldReadable" {
+		return commandContains(`find `+filePath+` -perm -o=r`, filePath)
+	}
+	// If arguments are messed up or whatever:
+	return false, nil
 }
diff --git a/docs/checks.md b/docs/checks.md
@@ -173,12 +173,27 @@ type='AutoCheckUpdatesEnabled'
 
 > Only works for standard `apt` installs.
 
-**PermissionIs**: pass if the specified file has the octal permissions specified
+**PermissionIs**: pass if the specified file has permissions specified
 
 ```
 type='PermissionIs'
 arg1='/etc/passwd'
-arg2='644'
+arg2='octal'
+arg3='644'
+```
+
+```
+type='PermissionIs'
+arg1='/etc/passwd'
+arg2='WorldWritable'
+arg3='none'
+```
+
+```
+type='PermissionIs'
+arg1='/etc/passwd'
+arg2='WorldReadable'
+arg3='none'
 ```
 
 <hr>

diff --git a/docs/examples/linux-allchecks.conf b/docs/examples/linux-allchecks.conf
@@ -181,3 +181,31 @@ arg2='644'
 type='PermissionIsNot'
 arg1='/etc/passwd'
 arg2='777'
+
+[[check]]
+[[check.pass]]
+type='PermissionIs'
+arg1='/etc/passwd'
+arg2='WorldWritable'
+arg3='none'
+
+[[check]]
+[[check.pass]]
+type='PermissionIsNot'
+arg1='/etc/passwd'
+arg2='WorldWritable'
+arg3='none'
+
+[[check]]
+[[check.pass]]
+type='PermissionIs'
+arg1='/etc/passwd'
+arg2='WorldReadable'
+arg3='none'
+
+[[check]]
+[[check.pass]]
+type='PermissionIsNot'
+arg1='/etc/passwd'
+arg2='WorldReadable'
+arg3='none'