Hello,
We had the same issue. Security department blamed us for read/write permissions on Agent’s backup, out, resources and temp directories.
According to the CIS Red Hat Enterprise Linux 8 Benchmark (https://workbench.cisecurity.org/files/2485), “1.1.21 Ensure sticky bit is set on all world-writable directories”, setting the sticky bit on the directories is recommended (if world-writable directories are really needed).
We fixed this during Agent update to Version 21 (21.0.7+hf.2).
- Our Upgrade Job changes the permissions:
! open working dirs
echo "chmod 1777 temp out backup resources"
chmod 1777 temp out backup resources
check_success $?
- The new Agent ini file was enhanced by the following parameters:
[MISC]
...
;
; FolderOwner:
; Specified user name or id who becomes the owner of the newly created agent's folder,
; default is the user who executes the agent,
; if you use a ID instead of name, then this ID will be then used for user and group ownership
;
FolderOwner = uc4
;
; FolderOwner_backup: Owner of backup directory
;
FolderOwner_backup =
;
; FolderOwner_temp: Owner of Agent's temp directory
;
FolderOwner_temp =
;
; FolderOwner_out: Owner of Agent's output directory
;
FolderOwner_out =
;
; FolderOwner_cache: Owner of Agent's resources cache directory
;
FolderOwner_cache =
;
; FolderPermissionMask:
; specified permission masks is used as default for for newly created Agent's folders
; existing folder permissions are not modified
; the mask can be used as octal number eg. 777 or as string representation eg. rwxr-xr-x
;
FolderPermissionMask = rwxrwxrwx
;
; FolderPermissionMask_backup: Permission mask of backup directory, can be used to overwrite the default settings
;
FolderPermissionMask_backup =
;
; FolderPermissionMask_temp: Permission mask of Agent's temp directory, can be used to overwrite the default settings
;
FolderPermissionMask_temp =
;
; FolderPermissionMask_out: Permission mask of Agent's output directory, can be used to overwrite the default settings
;
FolderPermissionMask_out =
;
; FolderPermissionMask_cache: Permission mask of Agent's resources cache directory, can be used to overwrite the default settings
;
FolderPermissionMask_cache =
;
...
As you can see, it’s not 100% consistent, because the FolderPermissionMask = rwxrwxrwx and not FolderPermissionMask = rwxrwxrwt as it should be.
However, it’s the only way it works – as far as we have figured out.
Cheers, Josef
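
Added example, not part of the original post and not vendor code: a shell check for the condition CIS 1.1.21 flags (world-writable directories without the sticky bit), with a remediation that adds only the sticky bit and then re-audits. The agent base path passed as the argument and the function names are assumptions; `stat -c` assumes GNU coreutils, as on RHEL 8.

```shell
#!/bin/sh
# Added example (not from the post): audit and fix world-writable
# directories that lack the sticky bit below an agent installation.
# Usage (path is an assumed placeholder): sh check_sticky.sh /path/to/agent

# Print "FAIL <octal mode> <path>" for every directory under $1 that is
# world-writable (-perm -0002) but has no sticky bit (! -perm -1000).
# -xdev keeps find on one filesystem; symlinks are not followed.
# Returns 1 when at least one finding exists, 0 otherwise.
audit_agent_dirs() {
    out=$(find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
              -exec stat -c 'FAIL %a %n' {} + 2>/dev/null)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Add the sticky bit to each finding. "chmod +t" leaves every other mode
# bit untouched, so 0777 becomes 1777 and nothing is widened.
# Directories that are not world-writable are never modified.
# Returns 2 if chmod failed, otherwise the result of a fresh audit.
remediate_agent_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
         -exec chmod +t {} + || return 2
    audit_agent_dirs "$1"
}

# Run the audit when a base directory is given on the command line.
if [ -n "${1:-}" ]; then
    audit_agent_dirs "$1"
    exit $?
fi
```

Running the audit again after an agent upgrade shows whether folders newly created with FolderPermissionMask = rwxrwxrwx came up without the sticky bit.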