audit: ignore group write bit

2020-02-24 00:24:23 +00:00 · 2020-02-24 00:24:23 +00:00 · 68047abc0e
commit 68047abc0e
parent 2834a75f19
2 changed files with 49 additions and 9 deletions
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@ -242,15 +242,26 @@ module Homebrew
    end

    def audit_file
-      # Under normal circumstances (umask 0022), we expect a file mode of 644. If
-      # the user's umask is more restrictive, respect that by masking out the
-      # corresponding bits. (The also included 0100000 flag means regular file.)
-      wanted_mode = 0100644 & ~File.umask
      actual_mode = formula.path.stat.mode
-      unless actual_mode == wanted_mode
-        problem format("Incorrect file permissions (%03<actual>o): chmod %03<wanted>o %<path>s",
+      # Check that the file is world-readable.
+      if actual_mode & 0444 != 0444
+        problem format("Incorrect file permissions (%03<actual>o): chmod %<wanted>s %<path>s",
                       actual: actual_mode & 0777,
-                       wanted: wanted_mode & 0777,
+                       wanted: "+r",
+                       path:   formula.path)
+      end
+      # Check that the file is user-writeable.
+      if actual_mode & 0200 != 0200
+        problem format("Incorrect file permissions (%03<actual>o): chmod %<wanted>s %<path>s",
+                       actual: actual_mode & 0777,
+                       wanted: "u+w",
+                       path:   formula.path)
+      end
+      # Check that the file is *not* other-writeable.
+      if actual_mode & 0002 == 002
+        problem format("Incorrect file permissions (%03<actual>o): chmod %<wanted>s %<path>s",
+                       actual: actual_mode & 0777,
+                       wanted: "o-w",
                       path:   formula.path)
      end

--- a/Library/Homebrew/test/dev-cmd/audit_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/audit_spec.rb
@ -106,11 +106,40 @@ module Homebrew
        RUBY

        path = fa.formula.path
-        path.chmod 0400

+        path.chmod 0600
        fa.audit_file
        expect(fa.problems)
-          .to eq(["Incorrect file permissions (400): chmod 644 #{path}"])
+          .to eq([
+                   "Incorrect file permissions (600): chmod +r #{path}",
+                 ])
+        fa.problems.clear
+
+        path.chmod 0444
+        fa.audit_file
+        expect(fa.problems)
+          .to eq([
+                   "Incorrect file permissions (444): chmod u+w #{path}",
+                 ])
+        fa.problems.clear
+
+        path.chmod 0646
+        fa.audit_file
+        expect(fa.problems)
+          .to eq([
+                   "Incorrect file permissions (646): chmod o-w #{path}",
+                 ])
+        fa.problems.clear
+
+        path.chmod 0002
+        fa.audit_file
+        expect(fa.problems)
+          .to eq([
+                   "Incorrect file permissions (002): chmod +r #{path}",
+                   "Incorrect file permissions (002): chmod u+w #{path}",
+                   "Incorrect file permissions (002): chmod o-w #{path}",
+                 ])
+        fa.problems.clear
      end

      specify "DATA but no __END__" do