puppet-lint world_writable_files check

A puppet-lint extension that ensures file resources do not have a mode that makes them world writable.

On a *nix system a world writable file is one that anyone can write to. This is often undesirable, especially in production, where who can write to certain files should be limited and enabled with deliberation, not by accident.

This plugin currently only checks octal file modes, the no_symbolic_file_modes puppet-lint check ensure this isn't a problem for my code bases but it might be a consideration for other peoples usages.

To use this plugin add the following line to your Gemfile

gem 'puppet-lint-world_writable_files-check'

and then run bundle install

This plugin provides a new check to puppet-lint that warns if it finds a file resource that would be created with a mode that allowed every one to write to it.

class locked_down_file {
  file { '/tmp/open_octal':
    ensure => 'file',
    mode   => '0666',
  }
}

This example makes a file that can be read and written to by all users of the system and so will raise:

files should not be created with world writable permissions

You can find a list of my puppet-lint plugins in the unixdaemon puppet-lint-plugins repo.

Dean Wilson