From 6ab1cab3ce56491d3947c660cd8144b8cb3441f4 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Wed, 17 Feb 2021 11:40:31 +0100
Subject: [PATCH] IMP(5.1.8): allow more restrictive permissions (#59)
fix #52
Co-authored-by: GoldenKiwi
---
 bin/hardening/5.1.8_cron_users.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh
index 64723df..731830f 100755
--- a/bin/hardening/5.1.8_cron_users.sh
+++ b/bin/hardening/5.1.8_cron_users.sh
@@ -20,6 +20,7 @@ DESCRIPTION="Restrict at/cron to authorized users."
 FILES_ABSENT='/etc/cron.deny /etc/at.deny'
 FILES_PRESENT='/etc/cron.allow /etc/at.allow'
 PERMISSIONS='644'
+PERMISSIONSOK='644 640 600 440 400'
 USER='root'
 GROUP='root'
@@ -44,7 +45,7 @@ audit() {
 else
 crit "$FILE ownership was not set to $USER:$GROUP"
 fi
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
@@ -78,7 +79,7 @@ apply() {
 warn "fixing $FILE ownership to $USER:$GROUP"
 chown "$USER":"$GROUP" "$FILE"
 fi
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
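Review bot: `PERMISSIONSOK` in the first hunk (@@ -20,6 +20,7 @@) is added without a comment, and it now sits next to `PERMISSIONS='644'` with nothing saying which variable is the accepted set and which is the mode written when a fix is needed. A line above it such as `# Modes accepted as compliant; PERMISSIONS stays the mode applied on a fix` would make the split explicit, assuming apply() still uses `$PERMISSIONS` in its fix branch, which is outside the hunks shown. The list keeps 644, so a world-readable allow file still passes; stating in the comment that the list only stops tighter modes from being flagged avoids it being read as a recommendation. `PERMISSIONS_OK` would also be easier to read than the run-together name.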
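Review bot: The failure branch that follows `has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"` in audit() (@@ -44,7 +45,7 @@) starts after the trailing `else` and is cut off by the hunk; if its message still names `$PERMISSIONS`, it will tell the operator that only 644 is valid although five modes are now accepted. I would have it report the accepted set, for example `crit "$FILE permissions were not set to one of: $PERMISSIONSOK"`. The same wording concern applies to the corresponding message in apply() in the third hunk (@@ -78,7 +79,7 @@), whose else branch is also outside the hunk.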
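Review bot: In apply() (@@ -78,7 +79,7 @@) the check now accepts any mode in `$PERMISSIONSOK`, but the fix branch begins after the trailing `else`, outside the hunk; if it still sets `$PERMISSIONS`, a non-compliant file is reset to 644, the most permissive value on the accepted list. It is worth confirming that this target is intended rather than a tighter one. A comment next to the fix would record the decision, e.g. `# non-compliant files are reset to $PERMISSIONS; stricter modes listed in PERMISSIONSOK are left untouched`.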