config: disallow negative permissions
authorSimon Ruderich <simon@ruderich.org>
Sun, 9 May 2021 18:02:31 +0000 (20:02 +0200)
committerSimon Ruderich <simon@ruderich.org>
Sun, 9 May 2021 18:02:31 +0000 (20:02 +0200)
cmd/safcm/config/permissions.go
cmd/safcm/config/permissions_test.go
cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf [new file with mode: 0644]
cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml [new file with mode: 0644]

index b84b521d1c615289aeaf17e704bd2ec1dbe79927..4924e2d4af3ba1a014e06d53496eb8dae3be2b99 100644 (file)
@@ -65,7 +65,7 @@ func LoadPermissions(group string, files map[string]*safcm.File) error {
                                "(expected e.g. %q or %q)",
                                path, xs[0], "0644", "01777")
                }
-               if perm > 07777 {
+               if perm < 0 || perm > 07777 {
                        return fmt.Errorf("%s: invalid permission %#o "+
                                "(expected e.g. %#o or %#o)",
                                path, perm, 0644, 01777)
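Review bot: The widened check `if perm < 0 || perm > 07777` carries no comment on why negative values are rejected, and the reason is security-relevant in a way the line alone does not convey. If perm is converted to an unsigned file mode further down (that code is outside this hunk), a negative value would wrap and set bits well outside the 07777 mask, so I would add above the check `// Reject negative values; converted to an unsigned file mode they would wrap and set bits outside 07777.`, worded to match what the conversion really does. If the parse step above the hunk uses a signed parser, switching it to an unsigned one would reject the sign at the source. LoadPermissions begins and ends outside the hunk.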
index 2f742d052d96126810a69b9adff47802640e0e35..001489e903e2d6c4507c4235f92793761198a94a 100644 (file)
@@ -234,6 +234,31 @@ host3.example.net
                        },
                        fmt.Errorf("permissions-invalid-permission-int/permissions.yaml: invalid permission 066066 (expected e.g. 0644 or 01777)"),
                },
+               {
+                       "permissions-invalid-permission-negative",
+                       map[string]*safcm.File{
+                               "/": {
+                                       Path: "/",
+                                       Mode: fs.ModeDir | 0755,
+                                       Uid:  -1,
+                                       Gid:  -1,
+                               },
+                               "/etc": {
+                                       Path: "/etc",
+                                       Mode: fs.ModeDir | 0755,
+                                       Uid:  -1,
+                                       Gid:  -1,
+                               },
+                               "/etc/resolv.conf": {
+                                       Path: "/etc/resolv.conf",
+                                       Mode: 0644,
+                                       Uid:  -1,
+                                       Gid:  -1,
+                                       Data: []byte("nameserver ::1\n"),
+                               },
+                       },
+                       fmt.Errorf("permissions-invalid-permission-negative/permissions.yaml: invalid permission -042 (expected e.g. 0644 or 01777)"),
+               },
        }
 
        for _, tc := range tests {
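Review bot: The expected message in the new `permissions-invalid-permission-negative` case says `-042` while the fixture permissions.yaml contains `-42`, which reads like a typo unless the reader knows the error is formatted with `%#o`. A one-line comment on the case would settle it: `// permissions.yaml has "-42"; the error prints the parsed value with %#o, hence "-042".` The test function starts and ends outside the hunk.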
diff --git a/cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf
new file mode 100644 (file)
index 0000000..fd4fb85
--- /dev/null
@@ -0,0 +1 @@
+nameserver ::1
diff --git a/cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml
new file mode 100644 (file)
index 0000000..9f6f078
--- /dev/null
@@ -0,0 +1 @@
+/etc/resolv.conf: -42