From f2d9ec9883a344daa67a80ad54e6652185346395 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Renaud=20M=C3=A9trich?= Date: Fri, 14 Feb 2020 14:57:33 +0100 Subject: [PATCH] Fixed oscap-ssh failing to retrieve the result files when executing with --sudo Depending on the umask configuration of the target system, "sudo oscap" may create the result files in temporary directory with 600 permissions, which makes retrieving the log (as the regular user that ssh'ed to the system) impossible: ~~~ $ oscap-ssh --sudo user@system 22 xccdf eval ... [...] oscap exit code: 0 Copying back requested files... scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied Failed to copy the HTML report back to local machine! ~~~ Scenario to reproduce the failure: set a default umask in /etc/sudoers: ~~~ Defaults umask = 0077 ~~~ The fix consists in changing the result files' ownership from "root" to user's back, all while in the single sudo (using two sudo commands wouldn't be nice since the user may get the password prompt twice, depending on the sudo's configuration). --- utils/oscap-ssh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/utils/oscap-ssh b/utils/oscap-ssh index 658cc2ee4..bd2e209c4 100755 --- a/utils/oscap-ssh +++ b/utils/oscap-ssh @@ -280,7 +280,12 @@ echo "Starting the evaluation..." # changing directory because of --oval-results support. oval results files are # dumped into PWD, and we can't be sure by the file names - we need controlled # environment -ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" +if [ -z "$OSCAP_SUDO" ]; then + ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" +else + OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc" + ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION" +fi OSCAP_EXIT_CODE=$? echo "oscap exit code: $OSCAP_EXIT_CODE"