project-lakitu: set permissions of /root dir to 750
BUG=b/198488267
TEST=presubmit and manual test
RELEASE_NOTE=None
Change-Id: I3a6cb155f49d368f4ed94d21458636cfad9d5d17
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/22110
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/project-lakitu/scripts/board_specific_setup.sh b/project-lakitu/scripts/board_specific_setup.sh
index a257e4b..ebf3731 100644
--- a/project-lakitu/scripts/board_specific_setup.sh
+++ b/project-lakitu/scripts/board_specific_setup.sh
@@ -223,6 +223,26 @@
cp "${latest_driver_file}" "${latest_driver_artifact}"
}
+# Apply recommended file permissions by CIS Benchmark
+change_file_permissions_for_cis() {
+ # set permissions of systemd timer files as recommended by CIS
+ sudo find "${root_fs_dir}"/usr/lib/systemd/user \
+ "${root_fs_dir}"/usr/lib/systemd/system \
+ "${root_fs_dir}"/lib/systemd/system \
+ -type f -name *.timer | xargs sudo chmod go-wrx
+
+ # Set grub.cfg file permissions to 400 as recommended by CIS
+ if [[ -f "${root_fs_dir}"/boot/efi/boot/grub.cfg ]]; then
+ sudo chmod 400 "${root_fs_dir}"/boot/efi/boot/grub.cfg
+ fi
+
+ # Set /root dir permissions to 750 as recommended by CIS
+ if [[ -d "${root_fs_dir}"/root ]]; then
+ sudo chmod 750 "${root_fs_dir}"/root
+ fi
+}
+
+
# board_finalize_base_image() is invoked as part of build_image before the
# rootfs is locked. Some rootfs changes have been made before this, and more
# rootfs changes are made after this.
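Review bot: The `find` invocation moved into change_file_permissions_for_cis keeps an unquoted `-name *.timer`, so the shell globs the pattern against the build's current directory before find sees it, and the `| xargs sudo chmod go-wrx` pipe splits on whitespace and, with no matches, runs chmod with no operands. Both are fixed on that one line by quoting the pattern and letting find invoke chmod directly: `-type f -name '*.timer' -exec sudo chmod go-wrx {} +`. The function also relies on the `root_fs_dir` global; a header comment in the style of the board_finalize_base_image() note, e.g. `# Expects root_fs_dir to point at the mounted image rootfs.`, would make that dependency explicit for the new caller.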
@@ -249,16 +269,7 @@
sudo rm "${root_fs_dir}"/etc/machine-id
sudo touch "${root_fs_dir}"/etc/machine-id
- # set permissions of systemd timer files as recommended by CIS
- sudo find "${root_fs_dir}"/usr/lib/systemd/user \
- "${root_fs_dir}"/usr/lib/systemd/system \
- "${root_fs_dir}"/lib/systemd/system \
- -type f -name *.timer | xargs sudo chmod go-wrx
-
- # Set grub.cfg file permissions to 400 as recommended by CIS
- if [[ -f "${root_fs_dir}"/boot/efi/boot/grub.cfg ]]; then
- sudo chmod 400 "${root_fs_dir}"/boot/efi/boot/grub.cfg
- fi
+ change_file_permissions_for_cis
local shim_arch=""
if [[ "${ARCH}" == "amd64" ]]; then