project-lakitu: set permissions of /root dir to 750

BUG=b/198488267
TEST=presubmit and manual test
RELEASE_NOTE=None

Change-Id: I3a6cb155f49d368f4ed94d21458636cfad9d5d17
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/22110
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/project-lakitu/scripts/board_specific_setup.sh b/project-lakitu/scripts/board_specific_setup.sh
index a257e4b..ebf3731 100644
--- a/project-lakitu/scripts/board_specific_setup.sh
+++ b/project-lakitu/scripts/board_specific_setup.sh
@@ -223,6 +223,26 @@
   cp "${latest_driver_file}" "${latest_driver_artifact}"
 }
 
+# Apply recommended file permissions by CIS Benchmark
+change_file_permissions_for_cis()  {
+  # set permissions of systemd timer files as recommended by CIS
+  sudo find "${root_fs_dir}"/usr/lib/systemd/user \
+    "${root_fs_dir}"/usr/lib/systemd/system \
+    "${root_fs_dir}"/lib/systemd/system \
+    -type f -name *.timer | xargs sudo chmod go-wrx
+
+  # Set grub.cfg file permissions to 400 as recommended by CIS
+  if [[ -f "${root_fs_dir}"/boot/efi/boot/grub.cfg ]]; then
+    sudo chmod 400 "${root_fs_dir}"/boot/efi/boot/grub.cfg
+  fi
+
+  # Set /root dir permissions to 750 as recommended by CIS
+  if [[ -d "${root_fs_dir}"/root ]]; then
+    sudo chmod 750 "${root_fs_dir}"/root
+  fi
+}
+
+
 # board_finalize_base_image() is invoked as part of build_image before the
 # rootfs is locked. Some rootfs changes have been made before this, and more
 # rootfs changes are made after this.
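Review bot: The `-name *.timer` argument on the find call is unquoted, so if the build's working directory happens to contain a file matching `*.timer` the shell expands the glob before find sees it and the CIS tightening is silently applied to the wrong pattern or none at all (ShellCheck SC2061); the `find | xargs` pairing also splits on whitespace in paths and, with no matches, still invokes `chmod` with no operands. Replacing the last line of the pipeline with `-type f -name '*.timer' -exec sudo chmod go-wrx -- {} +` quotes the pattern and removes both xargs issues. This code is moved rather than new, but since the commit now gives it its own function it is the natural place to fix it. The function also relies on `root_fs_dir` from the enclosing script; a header comment such as `# Globals: root_fs_dir (read) — path of the mounted rootfs being finalized` would make that dependency explicit.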
@@ -249,16 +269,7 @@
   sudo rm "${root_fs_dir}"/etc/machine-id
   sudo touch "${root_fs_dir}"/etc/machine-id
 
-  # set permissions of systemd timer files as recommended by CIS
-  sudo find "${root_fs_dir}"/usr/lib/systemd/user \
-    "${root_fs_dir}"/usr/lib/systemd/system \
-    "${root_fs_dir}"/lib/systemd/system \
-    -type f -name *.timer | xargs sudo chmod go-wrx
-
-  # Set grub.cfg file permissions to 400 as recommended by CIS
-  if [[ -f "${root_fs_dir}"/boot/efi/boot/grub.cfg ]]; then
-    sudo chmod 400 "${root_fs_dir}"/boot/efi/boot/grub.cfg
-  fi
+  change_file_permissions_for_cis
 
   local shim_arch=""
   if [[ "${ARCH}" == "amd64" ]]; then