freeipa · rcritten · Mar 27, 2025 · Mar 26, 2025
diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
@@ -12,6 +12,19 @@
 
 logger = logging.getLogger()
 
+EXPECTED_UMASK = 0o022
+
+
+def current_umask():
+    """
+    Retrieves current umask by setting it temporarily
+
+    :returns: int umask
+    """
+    umask = os.umask(EXPECTED_UMASK)
+    os.umask(umask)
+    return umask
+
 
 class FileCheck:
     """Generic check to validate permission and ownership of files
@@ -41,6 +54,16 @@ def check(self):
                 yield Result(self, constants.ERROR, key=file,
                              msg='Code format is incorrect for file')
 
+        umask = current_umask()
+        correct_umask = umask == EXPECTED_UMASK
+        if not correct_umask:
+            yield Result(self, constants.WARNING, type='umask',
+                         expected=oct(EXPECTED_UMASK), got=oct(umask),
+                         msg='Unexpected umask %s expected %s, '
+                         'skipping file permissions.' %
+                         ('0o' + format(umask, 'o').zfill(3),
+                          '0o' + format(EXPECTED_UMASK, 'o').zfill(3)))
+
         for (path, owner, group, mode) in process_files:
             if not isinstance(owner, tuple):
                 owner = tuple((owner,))
@@ -58,7 +81,7 @@ def check(self):
             stat = os.stat(path)
             fmode = str(oct(stat.st_mode)[-4:])
             key = '%s_mode' % path.replace('/', '_')
-            if fmode not in mode:
+            if correct_umask and fmode not in mode:
                 if len(mode) == 1:
                     modes = mode[0]
                 else:

diff --git a/tests/test_core_files.py b/tests/test_core_files.py
@@ -9,7 +9,7 @@
 from util import capture_results
 
 from ipahealthcheck.core import config
-from ipahealthcheck.core.files import FileCheck
+from ipahealthcheck.core.files import EXPECTED_UMASK, FileCheck
 from ipahealthcheck.core import constants
 from ipahealthcheck.core.plugin import Results
 from ipahealthcheck.ipa.files import IPAFileCheck
@@ -303,3 +303,20 @@ def test_ipa_files_format(mock_pkinit):
 
     for result in results.results:
         assert result.result in (constants.SUCCESS, constants.WARNING)
+
+
+@patch('os.umask')
+def test_bad_umask(mock_umask):
+    mock_umask.return_value = 0o027
+
+    f = FileCheck()
+    f.files = files
+
+    results = capture_results(f)
+    my_results = get_results(results, 'umask')
+    assert my_results.results[0].result == constants.WARNING
+    assert my_results.results[0].kw.get('got') == oct(0o027)
+    assert my_results.results[0].kw.get('expected') == oct(EXPECTED_UMASK)
+    assert my_results.results[0].kw.get('type') == 'umask'
+    assert my_results.results[0].kw.get('msg') == \
+        'Unexpected umask 0o027 expected 0o022, skipping file permissions.'