TD0519: Linux symbolic links and FMT_CFG_EXT.1
FMT_CFG_EXT.1.2 requirement in AppPP v1.3 dictates that application binaries and data files must be protected from unpriviliged users. For Linux, assurance activity mandates checking it with 'find . -pem /002' command. The outcome of the test is specified "The command should not print any files". When executing this test, a product may have symbolic links pointing to binaries and/or data files; the command is flagging the symbolic links themselves rather than the files the symbolic links are pointing to.
The Evaluation Activity for Linux in FMT_CFG_EXT.1.2 shall be modified as follows:
For Linux: The evaluator shall run the command find -L . -perm /002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.
Adding "-L" causes the command to follow the symbolic link if it exists and only check the permissions on the file that the symbolic link points to, rather than the symbolic link itself.