From ede01e5e88459e8301e33bbdd7a1d59639c3a624 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Sat, 8 Apr 2017 18:57:59 +0200
Subject: [PATCH] samhain: disable SuidCheck for /srv/buildd/unpack on buildds

The SuidCheck module was not available in jessie (despite our configuration file mentioning it), and is now enabled by default in stretch. For the build daemons, we need to disable suid checks in /srv/buildd/unpack. For the porterboxes, we need to disable suid checks in /srv/chroot/schroot-unpack.

Signed-off-by: Aurelien Jarno
---
 modules/samhain/templates/samhainrc.erb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 6f46ae53f..b73730791 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -665,7 +665,7 @@ SyslogSeverity=alert
 #
 #####################################################
-# [SuidCheck]
+[SuidCheck]
 ##
 ## --- Check the filesystem for SUID/SGID binaries
 ##
@@ -684,7 +684,13 @@ SyslogSeverity=alert
 ## Directory to exclude
 #
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
+SuidCheckExclude = /srv/buildd/unpack
+<% elsif scope.lookupvar('site::nodeinfo')['porterbox'] -%>
+SuidCheckExclude = /srv/chroot/schroot-unpack
+<% else -%>
 # SuidCheckExclude = NULL
+<% end -%>
 ## Limit on files per second (0 == no limit)
 #
-- 
2.20.1
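Review bot: The `if`/`elsif` chain in the second hunk means a host whose nodeinfo sets both `buildd` and `porterbox` gets only /srv/buildd/unpack excluded while /srv/chroot/schroot-unpack stays under SUID checking; that is fine if the two roles are exclusive, but as far as I recall samhain's SuidCheckExclude accepts a single directory, so the two paths cannot simply be listed together and the assumption deserves a comment. Since each branch is a whole-subtree opt-out from SUID/SGID detection, the template should also record the reason the commit message gives, e.g. a line above the `<% if ... -%>` such as `# Build/porterbox chroots are unpacked here; SuidCheck is disabled for them (see commit ede01e5e)`. Separately, the first hunk uncomments `[SuidCheck]` for every host rendered from this template, not only buildds and porterboxes; the message says stretch enables the module by default, but it is worth confirming how samhain builds without the module treat the now-active section header.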