2024-05-11 10:18:36 +07:00
|
|
|
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2021-06-06 02:16:42 +07:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
2024-01-02 19:34:29 +07:00
|
|
|
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
|
|
|
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
2021-06-06 02:16:42 +07:00
|
|
|
## configuration. When security-misc is updated, this file may be overwritten.
|
|
|
|
|
2021-06-20 21:16:33 +07:00
|
|
|
## https://forums.whonix.org/t/restrict-root-access/7658/116
|
2021-06-06 02:16:42 +07:00
|
|
|
## This restricts the file permissions of the sudo executable so that a vulnerability
|
|
|
|
## in the program will not be exploitable by any users not in the "sudo" group. sudo
|
|
|
|
## is a very complex program and is setuid so vulnerabilities in it can allow privilege
|
|
|
|
## escalation, regardless of other root access restrictions. For example, the following
|
|
|
|
## buffer overflow vulnerability could have been exploited by any user on the system:
|
|
|
|
## https://www.openwall.com/lists/oss-security/2021/01/26/3
|
|
|
|
## With this restriction, only users explicitly permitted to use sudo by being added to
|
|
|
|
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
|
|
|
|
## compromised network-facing daemon (such as web servers, time synchronization daemons,
|
2022-06-08 19:11:28 +07:00
|
|
|
## etc.) running as its own user from exploiting sudo to escalate privileges.
|
2021-06-20 21:16:33 +07:00
|
|
|
#/usr/bin/sudo 4750 root sudo
|
|
|
|
#/bin/sudo 4750 root sudo
|