Bug#939325: lynis: Always aborts with "204: .: Can't open /usr/share/lynis/include/consts" if run as non-privileged user

Tue, 03 Sep 2019 04:45:30 -0700 

Package: lynis
Version: 2.6.2-1
Severity: important
Tags: patch
Justification: major effect on the usability of a package, without rendering it 
completely unusable to everyone

Dear Francisco,

if I call lynis as non-privileged user, lynis always aborts with
"/usr/sbin/lynis: 204: .: Can't open /usr/share/lynis/include/consts".

But according to the lynis(8) man page, root privileges are not
necessarily needed to use lynis:

> Root permissions (e.g. sudo) are not required, however provide more
> details during the audit.

This issue is caused by /usr/share/lynis/include/consts only being
readable by root:

-rw------- 1 root root 9902 Feb 20  2018 /usr/share/lynis/include/consts

Actually all files in /usr/share/lynis/include/ have the wrong
permissions.

So please give all files under /usr/share/lynis/include/ standard 644
file permissions.

The following patch suffices and also removes the bogus lintian override:

--- debian/rules~       2018-01-23 16:27:01.000000000 +0100
+++ debian/rules        2019-09-03 12:46:24.747777752 +0200
@@ -58,7 +58,7 @@
        dh_install
        dh_link
        dh_compress
-       dh_fixperms -Xinclude
+       dh_fixperms
        dh_lintian -plynis
        dh_installdeb
        dh_gencontrol
--- debian/lynis.lintian-overrides~     2018-01-23 16:27:01.000000000 +0100
+++ debian/lynis.lintian-overrides      2019-09-03 12:49:52.352114048 +0200
@@ -1,2 +1 @@
-lynis: non-standard-file-perm
 lynis: script-not-executable
\ No newline at end of file

P.S.: Yes, I am aware that this has been introduced in 1.3.9-1 and
1.6.0-1, but unfortunately the debian/changelog entry does only state
that this was needed, but doesn't explain at all, _why_ this was
needed. So I assume it's no more needed nowadays — in contrary, it's
harmful as of now.

-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), 
(400, 'proposed-updates-debug'), (400, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages lynis depends on:
ii  e2fsprogs  1.44.5-1+deb10u1

Versions of packages lynis recommends:
ii  menu  2.1.47+b1

Versions of packages lynis suggests:
pn  aide          <none>
ii  apt-listbugs  0.1.28
ii  debsecan      0.4.19
ii  debsums       2.2.3
ii  dnsutils      1:9.11.5.P4+dfsg-5.1
ii  fail2ban      0.10.2-2.1
pn  samhain       <none>
pn  tripwire      <none>

-- no debconf information

Reply via email to