mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
Merge branch 'master' into PAM-tmp-files-hardening
This commit is contained in:
commit
2a602e78d6
26
README.md
26
README.md
@ -314,6 +314,8 @@ See:
|
||||
|
||||
### Strong user account separation
|
||||
|
||||
#### Permission Lockdown
|
||||
|
||||
Read, write and execute access for "others" are removed during package
|
||||
installation, upgrade or PAM `mkhomedir` for all users who have home
|
||||
folders in `/home` by running, for example:
|
||||
@ -333,6 +335,30 @@ See:
|
||||
* `/usr/libexec/security-misc/permission-lockdown`
|
||||
* `/usr/share/pam-configs/mkhomedir-security-misc`
|
||||
|
||||
#### umask
|
||||
|
||||
Default `umask` is set to `027` for files created by non-root users
|
||||
such as for example user `user`.
|
||||
|
||||
This is doing using pam module `pam_mkhomedir.so umask=027`.
|
||||
|
||||
This means, files created by non-root users cannot be read by other
|
||||
non-root users by default. While Permission Lockdown already protects
|
||||
the `/home` folder, this protects other folders such as `/tmp`.
|
||||
|
||||
`group` read permissions are not removed.
|
||||
This is unnecessary due to Debian's use of User Private Groups (UPGs).
|
||||
See also: https://wiki.debian.org/UserPrivateGroups
|
||||
|
||||
Default `umask` is unchanged for root, because then configuration files
|
||||
created in `/etc` by the system administrator would be unreadable by
|
||||
"others" and break applications. Examples include `/etc/firefox-esr` and
|
||||
`/etc/thunderbird`.
|
||||
|
||||
See:
|
||||
|
||||
* `/usr/share/pam-configs/umask-security-misc`
|
||||
|
||||
### SUID / SGID removal and permission hardening
|
||||
|
||||
Not enabled by default yet.
|
||||
|
@ -1,3 +1,77 @@
|
||||
commit cdd66ee3762c441843d421a9e6b11a20580ed7ac
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 10:48:46 2023 -0400
|
||||
|
||||
wrap-and-sort
|
||||
|
||||
commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 10:44:48 2023 -0400
|
||||
|
||||
readme
|
||||
|
||||
commit d71ac03d96c9861513ff56c68aec9090ef5c50bb
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 10:36:15 2023 -0400
|
||||
|
||||
comment
|
||||
|
||||
commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 10:33:02 2023 -0400
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit b85d48eb83005da8fd9edc658c71493f407e3670
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 10:31:59 2023 -0400
|
||||
|
||||
do not change default umask for root
|
||||
|
||||
since this causes permission issues in `/etc/`
|
||||
|
||||
https://github.com/Kicksecure/security-misc/pull/151
|
||||
|
||||
commit 07540db90d60b10cbd10881b0024d8e8871330de
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 09:45:12 2023 -0400
|
||||
|
||||
Revert "Revert "set default umask to 027""
|
||||
|
||||
This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af.
|
||||
|
||||
commit f8913ceb2e2fdd274011377c41b5d08e7459e4af
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 09:43:44 2023 -0400
|
||||
|
||||
Revert "set default umask to 027"
|
||||
|
||||
This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10.
|
||||
|
||||
commit 43bd789c30a562aa60349d019107277a428aece8
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 09:28:08 2023 -0400
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit cd216095eb8d9387437e653d7764ec765ce42a10
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Fri Nov 3 09:12:24 2023 -0400
|
||||
|
||||
set default umask to 027
|
||||
|
||||
using package libpam-umask
|
||||
|
||||
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19
|
||||
|
||||
https://github.com/Kicksecure/security-misc/pull/151
|
||||
|
||||
commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 1 12:26:21 2023 -0400
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit bb14a058520b13e242fea9f3022c439c4677bd1d
|
||||
Merge: 5ed2a5c 44906e8
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
|
18
debian/changelog
vendored
18
debian/changelog
vendored
@ -1,3 +1,21 @@
|
||||
security-misc (3:32.7-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Fri, 03 Nov 2023 16:06:43 +0000
|
||||
|
||||
security-misc (3:32.6-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Fri, 03 Nov 2023 14:33:02 +0000
|
||||
|
||||
security-misc (3:32.5-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Fri, 03 Nov 2023 13:28:08 +0000
|
||||
|
||||
security-misc (3:32.4-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
23
debian/control
vendored
23
debian/control
vendored
@ -5,7 +5,10 @@ Source: security-misc
|
||||
Section: misc
|
||||
Priority: optional
|
||||
Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
|
||||
Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor
|
||||
Build-Depends: config-package-dev,
|
||||
debhelper (>= 13),
|
||||
debhelper-compat (= 13),
|
||||
dh-apparmor
|
||||
Homepage: https://www.kicksecure.com/wiki/Security-misc
|
||||
Vcs-Browser: https://github.com/Kicksecure/security-misc
|
||||
Vcs-Git: https://github.com/Kicksecure/security-misc.git
|
||||
@ -14,10 +17,22 @@ Rules-Requires-Root: no
|
||||
|
||||
Package: security-misc
|
||||
Architecture: all
|
||||
Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
|
||||
apparmor-profile-dist, helper-scripts, libpam-modules-bin, libpam-tmpdir,
|
||||
secure-delete, dmsetup, ${misc:Depends}
|
||||
Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
|
||||
Depends: adduser,
|
||||
apparmor-profile-dist,
|
||||
dmsetup,
|
||||
helper-scripts,
|
||||
libcap2-bin,
|
||||
libglib2.0-bin,
|
||||
libpam-modules-bin,
|
||||
libpam-tmpdir,
|
||||
libpam-runtime,
|
||||
libpam-umask,
|
||||
python3,
|
||||
secure-delete,
|
||||
sudo,
|
||||
${misc:Depends}
|
||||
Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable
|
||||
Description: Enhances Miscellaneous Security Settings
|
||||
https://github.com/Kicksecure/security-misc/blob/master/README.md
|
||||
.
|
||||
|
@ -48,6 +48,8 @@ home_folder_access_rights_lockdown() {
|
||||
## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux
|
||||
## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command
|
||||
## required to run is sudo addgroup user1 user2.
|
||||
## See also: user private groups UPGs
|
||||
## https://wiki.debian.org/UserPrivateGroups
|
||||
echo "$0: chmod o-rwx \"$folder_name\""
|
||||
chmod o-rwx "$folder_name"
|
||||
touch "/var/cache/security-misc/state-files/$user"
|
||||
|
8
usr/share/pam-configs/umask-security-misc
Normal file
8
usr/share/pam-configs/umask-security-misc
Normal file
@ -0,0 +1,8 @@
|
||||
Name: Restrict umask to 027 (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 100
|
||||
Session-Type: Additional
|
||||
Session-Interactive-Only: yes
|
||||
Session:
|
||||
[success=1 default=ignore] pam_succeed_if.so uid eq 0
|
||||
optional pam_umask.so umask=027
|
Loading…
Reference in New Issue
Block a user