mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-10 15:17:57 +07:00
Code Issues Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Patrick Schleizer 2019-12-21 05:47:35 -05:00
parent 65b5adb2d7
commit 234ec5fe93
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
usr/lib/security-misc/permission-hardening
View File

@ -110,7 +110,7 @@ add_nosuid_statoverride_entry() {
fi fi
setsgid="" setsgid=""
setsgid_output="" setsgid_output=""
if test -g "$file_name"; then if test -g "$file_name" ; then
setsgid=true setsgid=true
setsgid_output="set-group-id" setsgid_output="set-group-id"
fi fi
@ -169,13 +169,13 @@ add_nosuid_statoverride_entry() {
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name"; then if dpkg-statoverride --list "$file_name" $dpkg_admindir_parameter_existing_mode ; then
## Existing mode already saved previously. No need to save again. ## Existing mode already saved previously. No need to save again.
true OK true OK
else else
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" $dpkg_admindir_parameter_existing_mode
fi fi
## No need to check "dpkg-statoverride --list" for existing entries. ## No need to check "dpkg-statoverride --list" for existing entries.
@ -186,13 +186,13 @@ add_nosuid_statoverride_entry() {
echo_wrapper_ignore dpkg-statoverride --remove "$file_name" echo_wrapper_ignore dpkg-statoverride --remove "$file_name"
## Remove from separate database. ## Remove from separate database.
echo_wrapper_ignore $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$file_name" echo_wrapper_ignore dpkg-statoverride --remove "$file_name" $dpkg_admindir_parameter_new_mode
## Add to real database and use --update to make changes on disk. ## Add to real database and use --update to make changes on disk.
echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name"
## Not using --update as this is only for recording. ## Not using --update as this is only for recording.
echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" echo_wrapper_silent_audit dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"
fi fi
## /lib will hit ARG_MAX. ## /lib will hit ARG_MAX.
@ -276,12 +276,12 @@ set_file_perms() {
continue continue
fi fi
if ! getent passwd | grep -q "^${owner_from_config}:"; then if ! getent passwd | grep -q "^${owner_from_config}:" ; then
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
continue continue
fi fi
if ! getent group | grep -q "^${group_from_config}:"; then if ! getent group | grep -q "^${group_from_config}:" ; then
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
continue continue
fi fi
@ -336,9 +336,9 @@ set_file_perms() {
## root root 755 /home ## root root 755 /home
## ##
## dpkg-statoverride does not show leading '0'. ## dpkg-statoverride does not show leading '0'.
if dpkg-statoverride --list "$fso_without_trailing_slash"; then if dpkg-statoverride --list "$fso_without_trailing_slash" ; then
## There is an fso entry. Check if owner/group/mode match. ## There is an fso entry. Check if owner/group/mode match.
if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"; then if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then
## The owner/group/mode matches. No further action required. ## The owner/group/mode matches. No further action required.
true OK true OK
else else
@ -346,16 +346,16 @@ set_file_perms() {
## fso_without_trailing_slash instead of fso to prevent ## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /" ## "dpkg-statoverride: warning: stripping trailing /"
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then
## Existing mode already saved previously. No need to save again. ## Existing mode already saved previously. No need to save again.
true OK true OK
else else
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode
fi fi
echo_wrapper_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode
## Remove from and add to real database. ## Remove from and add to real database.
echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash"
@ -363,18 +363,18 @@ set_file_perms() {
## Save in separate database. ## Save in separate database.
## Not using --update as this is only for saving. ## Not using --update as this is only for saving.
echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode
fi fi
else else
## There is no fso entry. Therefore add one. ## There is no fso entry. Therefore add one.
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then
## Existing mode already saved previously. No need to save again. ## Existing mode already saved previously. No need to save again.
true OK true OK
else else
## Save existing_mode in separate database. ## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode. ## Not using --update as not intending to enforce existing_mode.
echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode
fi fi
## Add to real database. ## Add to real database.
@ -382,7 +382,7 @@ set_file_perms() {
## Save in separate database. ## Save in separate database.
## Not using --update as this is only for saving. ## Not using --update as this is only for saving.
echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode
fi fi
fi fi
@ -393,7 +393,7 @@ set_file_perms() {
if [ "$capability_from_config" = "none" ]; then if [ "$capability_from_config" = "none" ]; then
echo_wrapper_audit setcap -r "$fso" echo_wrapper_audit setcap -r "$fso"
else else
if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config"; then if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
continue continue
fi fi