mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:13:40 +07:00
Merge remote-tracking branch 'ben-grande/clean'
This commit is contained in:
commit
862bf6b5ab
10
README.md
10
README.md
@ -433,23 +433,23 @@ include but are not limited to:
|
||||
- Protecting the information of sudoers from others.
|
||||
- Protecting various system relevant files and modules.
|
||||
|
||||
##### permission-hardening #####
|
||||
##### permission-hardener #####
|
||||
|
||||
`permission-hardener` removes SUID / SGID bits from non-essential binaries as
|
||||
these are often used in privilege escalation attacks. It runs at package
|
||||
installation and upgrade time.
|
||||
|
||||
There is also an optional systemd unit which does the same at boot time that
|
||||
can be enabled by running `systemctl enable permission-hardening.service` as
|
||||
can be enabled by running `systemctl enable permission-hardener.service` as
|
||||
root. The hardening at boot time is not the default because this slows down
|
||||
the boot too much.
|
||||
|
||||
See:
|
||||
|
||||
* `/usr/bin/permission-hardening`
|
||||
* `/usr/bin/permission-hardener`
|
||||
* `debian/security-misc.postinst`
|
||||
* `/lib/systemd/system/permission-hardening.service`
|
||||
* `/etc/permission-hardening.d`
|
||||
* `/lib/systemd/system/permission-hardener.service`
|
||||
* `/etc/permission-hardener.d`
|
||||
* https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
|
6
debian/security-misc.postinst
vendored
6
debian/security-misc.postinst
vendored
@ -20,8 +20,8 @@ permission_hardening() {
|
||||
echo "Running SUID Disabler and Permission Hardener... See also:"
|
||||
echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
|
||||
echo ""
|
||||
echo "$0: INFO: running: permission-hardening"
|
||||
if ! permission-hardening ; then
|
||||
echo "$0: INFO: running: permission-hardener"
|
||||
if ! permission-hardener ; then
|
||||
echo "$0: ERROR: Permission hardening failed." >&2
|
||||
return 0
|
||||
fi
|
||||
@ -59,7 +59,7 @@ esac
|
||||
pam-auth-update --package
|
||||
|
||||
/usr/libexec/security-misc/permission-lockdown
|
||||
permission_hardening
|
||||
permission_hardener
|
||||
|
||||
## https://phabricator.whonix.org/T377
|
||||
## Debian has no update-grub trigger yet:
|
||||
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
# Keep the `passwd` utility executable to prevent issues with the
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## https://forums.whonix.org/t/restrict-root-access/7658/116
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
/usr/bin/bwrap exactwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
chrome-sandbox matchwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
dbus-daemon-launch-helper matchwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## There is a controversy about firejail but those who choose to install it
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## required for AppImages such as electrum Bitcoin wallet
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
libhardened_malloc.so matchwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/61
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## Without this, Xfce fails to start with a dbus-launch error.
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
/usr/bin/pkexec exactwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## TODO: research
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
/utempter/utempter matchwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
spice-client-glib-usb-acl-helper matchwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## TODO: research
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
/usr/bin/sudo exactwhitelist
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## required for performing password validation from unprivileged user
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## TODO: research
|
@ -1,18 +1,16 @@
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||
## Please use "/etc/permission-hardener.d/20_user.conf" or
|
||||
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
|
||||
## configuration. When security-misc is updated, this file may be overwritten.
|
||||
|
||||
## File permission hardening.
|
||||
##
|
||||
## Syntax:
|
||||
## [filename] [mode] [owner] [group] [capability]
|
||||
## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]
|
||||
##
|
||||
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
|
||||
## argument.
|
||||
|
||||
## TODO: white spaces inside file name untested and probably will not work.
|
||||
|
||||
######################################################################
|
||||
@ -22,13 +20,9 @@
|
||||
#whitelists_disable_all=true
|
||||
|
||||
######################################################################
|
||||
# SUID disablewhitelist
|
||||
# SUID disables below (or in lexically higher) files: disablewhitelist
|
||||
######################################################################
|
||||
|
||||
## disablewhitelist disables below (or in lexically higher) files
|
||||
## exactwhitelist and matchwhitelist. Add these here (discouraged) or better
|
||||
## in file "/etc/permission-hardening.d/20_user.conf".
|
||||
|
||||
## For example, if you are not using SELinux the following might make sense to
|
||||
## enable. TODO: research
|
||||
#/utempter/utempter disablewhitelist
|
||||
@ -37,7 +31,7 @@
|
||||
#/fusermount disablewhitelist
|
||||
|
||||
######################################################################
|
||||
# SUID exact match whitelist
|
||||
# SUID whitelist matches full path: exactwhitelist
|
||||
######################################################################
|
||||
|
||||
## In case you need to use 'su'. See also:
|
||||
@ -45,10 +39,6 @@
|
||||
#/bin/su exactwhitelist
|
||||
#/usr/bin/su exactwhitelist
|
||||
|
||||
######################################################################
|
||||
# SUID exact match whitelist
|
||||
######################################################################
|
||||
|
||||
## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
|
||||
## https://lwn.net/Articles/590315/
|
||||
## http://forums.whonix.org/t/permission-hardening/8655/25
|
||||
@ -56,12 +46,12 @@
|
||||
#/lib/xorg/Xorg.wrap whitelist
|
||||
|
||||
######################################################################
|
||||
# SUID regex match whitelist
|
||||
# SUID whitelist matches in any section of the path: matchwhitelist
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
# SUID regex match whitelist
|
||||
######################################################################
|
||||
## Examples below are already configured:
|
||||
#ssh-agent matchwhitelist
|
||||
#/lib/openssh matchwhitelist
|
||||
|
||||
######################################################################
|
||||
# Permission Hardening
|
||||
@ -70,8 +60,8 @@
|
||||
/home/ 0755 root root
|
||||
/root/ 0700 root root
|
||||
/boot/ 0700 root root
|
||||
/etc/permission-hardening.d 0600 root root
|
||||
/usr/local/etc/permission-hardening.d 0600 root root
|
||||
/etc/permission-hardener.d 0600 root root
|
||||
/usr/local/etc/permission-hardener.d 0600 root root
|
||||
/lib/modules/ 0700 root root
|
||||
/usr/src 0700 root root
|
||||
/etc/cups/cupsd.conf 0400 root root
|
||||
@ -95,9 +85,12 @@
|
||||
/etc/passwd- 0644 root root
|
||||
|
||||
######################################################################
|
||||
# SUID/SGID Removal
|
||||
# SUID/SGID Removal: nosuid
|
||||
######################################################################
|
||||
|
||||
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
|
||||
## argument.
|
||||
##
|
||||
## Remove all SUID/SGID binaries/libraries.
|
||||
|
||||
/bin/ nosuid
|
@ -5,7 +5,7 @@
|
||||
disable hide-hardware-info.service
|
||||
|
||||
## Disable for now until development finished / tested.
|
||||
disable permission-hardening.service
|
||||
disable permission-hardener.service
|
||||
|
||||
## Disable for now until development finished / tested.
|
||||
## https://github.com/Kicksecure/security-misc/pull/152
|
||||
|
@ -13,7 +13,7 @@ After=local-fs.target
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=permission-hardening
|
||||
ExecStart=permission-hardener
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
669
usr/bin/permission-hardener
Executable file
669
usr/bin/permission-hardener
Executable file
@ -0,0 +1,669 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
|
||||
|
||||
set -o errexit -o nounset -o pipefail
|
||||
|
||||
exit_code=0
|
||||
store_dir="/var/lib/permission-hardener"
|
||||
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
|
||||
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
|
||||
|
||||
echo_wrapper_ignore() {
|
||||
echo "INFO: run: $*"
|
||||
"$@" 2>/dev/null || true
|
||||
}
|
||||
|
||||
echo_wrapper_silent_ignore() {
|
||||
#echo "INFO: run: $@"
|
||||
"$@" 2>/dev/null || true
|
||||
}
|
||||
|
||||
echo_wrapper_audit() {
|
||||
echo "INFO: run: $*"
|
||||
return_code=0
|
||||
"$@" ||
|
||||
{
|
||||
return_code="$?"
|
||||
exit_code=203
|
||||
echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
|
||||
}
|
||||
}
|
||||
|
||||
echo_wrapper_silent_audit() {
|
||||
#echo "run (debugging): $@"
|
||||
return_code=0
|
||||
"$@" ||
|
||||
{
|
||||
return_code="$?"
|
||||
exit_code=204
|
||||
echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
|
||||
}
|
||||
}
|
||||
|
||||
make_store_dir(){
|
||||
mkdir --parents "${store_dir}/private"
|
||||
mkdir --parents "${store_dir}/existing_mode"
|
||||
mkdir --parents "${store_dir}/new_mode"
|
||||
}
|
||||
|
||||
sanity_tests() {
|
||||
echo_wrapper_silent_audit which \
|
||||
capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null
|
||||
}
|
||||
|
||||
add_nosuid_statoverride_entry() {
|
||||
local fso_to_process
|
||||
fso_to_process="${fso}"
|
||||
local should_be_counter
|
||||
should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s | wc -l)" || true
|
||||
local counter_actual
|
||||
counter_actual=0
|
||||
|
||||
local line
|
||||
while read -r line; do
|
||||
true "line: ${line}"
|
||||
counter_actual="$((counter_actual + 1))"
|
||||
|
||||
local arr file_name existing_mode existing_owner existing_group
|
||||
IFS=" " read -r -a arr <<< "${line}"
|
||||
file_name="${arr[0]}"
|
||||
existing_mode="${arr[1]}"
|
||||
existing_owner="${arr[2]}"
|
||||
existing_group="${arr[3]}"
|
||||
|
||||
if test "${#arr[@]}" = 0; then
|
||||
echo "ERROR: arr is empty. line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${file_name}"; then
|
||||
echo "ERROR: file_name is empty. line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_mode}"; then
|
||||
echo "ERROR: existing_mode is empty. line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_owner}"; then
|
||||
echo "ERROR: existing_owner is empty. line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_group}"; then
|
||||
echo "ERROR: existing_group is empty. line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## -h file True if file is a symbolic Link.
|
||||
## -u file True if file has its set-user-id bit set.
|
||||
## -g file True if file has its set-group-id bit set.
|
||||
|
||||
if test -h "${file_name}"; then
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/14
|
||||
true "skip symlink: ${file_name}"
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -d "${file_name}"; then
|
||||
true "skip directory: ${file_name}"
|
||||
continue
|
||||
fi
|
||||
|
||||
local setuid setuid_output setsgid setsgid_output
|
||||
setuid=""
|
||||
setuid_output=""
|
||||
if test -u "${file_name}"; then
|
||||
setuid=true
|
||||
setuid_output="set-user-id"
|
||||
fi
|
||||
setsgid=""
|
||||
setsgid_output=""
|
||||
if test -g "${file_name}"; then
|
||||
setsgid=true
|
||||
setsgid_output="set-group-id"
|
||||
fi
|
||||
|
||||
local setuid_or_setsgid
|
||||
setuid_or_setsgid=""
|
||||
if test "${setuid}" = "true" || test "${setsgid}" = "true"; then
|
||||
setuid_or_setsgid=true
|
||||
fi
|
||||
if test -z "${setuid_or_setsgid}"; then
|
||||
continue
|
||||
fi
|
||||
|
||||
## Remove suid / gid and execute permission for 'group' and 'others'.
|
||||
## Similar to: chmod og-ugx /path/to/filename
|
||||
## Removing execution permission is useful to make binaries such as 'su'
|
||||
## fail closed rather than fail open if suid was removed from these.
|
||||
## Do not remove read access since no security benefit and easier to
|
||||
## manually undo for users.
|
||||
## Are there suid or sgid binaries which are still useful if suid / sgid
|
||||
## has been removed from these?
|
||||
new_mode="744"
|
||||
|
||||
local is_exact_whitelisted
|
||||
is_exact_whitelisted=""
|
||||
for white_list_entry in ${exact_white_list}; do
|
||||
if test "${file_name}" = "${white_list_entry}"; then
|
||||
is_exact_whitelisted="true"
|
||||
## Stop looping through the whitelist.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
local is_match_whitelisted
|
||||
is_match_whitelisted=""
|
||||
for matchwhite_list_entry in ${match_white_list}; do
|
||||
if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then
|
||||
is_match_whitelisted="true"
|
||||
## Stop looping through the match_white_list.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
local is_disable_whitelisted
|
||||
is_disable_whitelisted=""
|
||||
for disablematch_list_entry in ${disable_white_list:-}; do
|
||||
if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then
|
||||
is_disable_whitelisted="true"
|
||||
## Stop looping through the disablewhitelist.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if test "${whitelists_disable_all:-}" = "true"; then
|
||||
true "INFO: whitelists_disable_all=true - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'"
|
||||
elif test "${is_disable_whitelisted}" = "true"; then
|
||||
true "INFO: white list disabled - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'"
|
||||
else
|
||||
if test "${is_exact_whitelisted}" = "true"; then
|
||||
true "INFO: SKIP whitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'"
|
||||
continue
|
||||
fi
|
||||
if test "${is_match_whitelisted}" = "true"; then
|
||||
true "INFO: SKIP matchwhitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | matchwhite_list_entry: '${matchwhite_list_entry}'"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "INFO: ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | new_mode: '${new_mode}'"
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then
|
||||
true "OK Existing mode already saved previously. Not saving again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}"
|
||||
fi
|
||||
|
||||
## No need to check "dpkg-statoverride --list" for existing entries.
|
||||
## If existing_mode was correct already, we would not have reached this
|
||||
## point. Since existing_mode is incorrect, remove from dpkg-statoverride
|
||||
## and re-add.
|
||||
|
||||
## Remove from real database.
|
||||
echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}"
|
||||
|
||||
## Remove from separate database.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}"
|
||||
|
||||
## Add to real database and use --update to make changes on disk.
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
|
||||
|
||||
## Not using --update as this is only for recording.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
|
||||
|
||||
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
|
||||
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/17
|
||||
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})
|
||||
|
||||
## Sanity test.
|
||||
if test ! "${should_be_counter}" = "${counter_actual}"; then
|
||||
echo "INFO: fso_to_process: '${fso_to_process}' | counter_actual : '${counter_actual}'"
|
||||
echo "INFO: fso_to_process: '${fso_to_process}' | should_be_counter: '${should_be_counter}'"
|
||||
exit_code=202
|
||||
echo "ERROR: counter does not check out." >&2
|
||||
fi
|
||||
}
|
||||
|
||||
set_file_perms() {
|
||||
true "INFO: START parsing config_file: '${config_file}'"
|
||||
local line
|
||||
while read -r line || test -n "${line}"; do
|
||||
if test -z "${line}"; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [[ "${line}" =~ ^# ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
|
||||
true "OK line contains only white listed characters."
|
||||
else
|
||||
exit_code=200
|
||||
echo "ERROR: cannot parse line with invalid character. line: '${line}'" >&2
|
||||
## Safer to exit with error in this case.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
|
||||
exit "${exit_code}"
|
||||
fi
|
||||
|
||||
if test "${line}" = 'whitelists_disable_all=true'; then
|
||||
whitelists_disable_all=true
|
||||
echo "INFO: whitelists_disable_all=true - all whitelists disabled."
|
||||
continue
|
||||
fi
|
||||
|
||||
#global fso
|
||||
local mode_from_config owner_from_config group_from_config capability_from_config
|
||||
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then
|
||||
exit_code=201
|
||||
echo "ERROR: cannot parse. line: '${line}'" >&2
|
||||
## Debugging.
|
||||
du -hs /tmp || true
|
||||
echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
|
||||
## Safer to exit with error in this case.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
|
||||
exit "${exit_code}"
|
||||
fi
|
||||
|
||||
## Debugging.
|
||||
#echo "line: '${line}'"
|
||||
#echo "fso: '${fso}'"
|
||||
#echo "mode_from_config: '${mode_from_config}'"
|
||||
#echo "owner_from_config: '${owner_from_config}'"
|
||||
|
||||
local fso_without_trailing_slash
|
||||
fso_without_trailing_slash="${fso%/}"
|
||||
|
||||
if test "${mode_from_config}" = "disablewhitelist"; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
disable_white_list+="${fso} "
|
||||
continue
|
||||
fi
|
||||
|
||||
if test "${mode_from_config}" = "exactwhitelist"; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
exact_white_list+="${fso} "
|
||||
continue
|
||||
fi
|
||||
|
||||
if test "${mode_from_config}" = "matchwhitelist"; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
match_white_list+="${fso} "
|
||||
continue
|
||||
fi
|
||||
|
||||
if test ! -e "${fso}"; then
|
||||
true "INFO: fso: '${fso}' - does not exist. This is likely normal."
|
||||
continue
|
||||
fi
|
||||
|
||||
## Use dpkg-statoverride so permissions are not reset during upgrades.
|
||||
|
||||
if test "${mode_from_config}" = "nosuid"; then
|
||||
## If mode_from_config is "nosuid" the config does not set owner and
|
||||
## group. Therefore do not enforce owner/group check.
|
||||
add_nosuid_statoverride_entry
|
||||
else
|
||||
local string_length_of_mode_from_config
|
||||
string_length_of_mode_from_config="${#mode_from_config}"
|
||||
if test "${string_length_of_mode_from_config}" -gt "4"; then
|
||||
echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2
|
||||
continue
|
||||
fi
|
||||
if test "${string_length_of_mode_from_config}" -lt "3"; then
|
||||
echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then
|
||||
echo "ERROR: owner_from_config '${owner_from_config}' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then
|
||||
echo "ERROR: group_from_config '${group_from_config}' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
local mode_for_grep
|
||||
mode_for_grep="${mode_from_config}"
|
||||
first_character_of_mode_from_config="${mode_from_config::1}"
|
||||
if test "${first_character_of_mode_from_config}" = "0"; then
|
||||
## Remove leading '0'.
|
||||
mode_for_grep="${mode_from_config:1}"
|
||||
fi
|
||||
|
||||
local stat_output
|
||||
stat_output=""
|
||||
if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then
|
||||
echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '${fso_without_trailing_slash}'!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
local arr file_name existing_mode existing_owner existing_group
|
||||
IFS=" " read -r -a arr <<< "${stat_output}"
|
||||
file_name="${arr[0]}"
|
||||
existing_mode="${arr[1]}"
|
||||
existing_owner="${arr[2]}"
|
||||
existing_group="${arr[3]}"
|
||||
|
||||
if test "${#arr[@]}" = 0; then
|
||||
echo "ERROR: arr is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${file_name}"; then
|
||||
echo "ERROR: file_name is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_mode}"; then
|
||||
echo "ERROR: existing_mode is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_owner}"; then
|
||||
echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
if test -z "${existing_group}"; then
|
||||
echo "ERROR: ${existing_group} is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## Check there is an entry for the fso.
|
||||
##
|
||||
## example: dpkg-statoverride --list | grep /home
|
||||
## output:
|
||||
## root root 755 /home
|
||||
##
|
||||
## dpkg-statoverride does not show leading '0'.
|
||||
local dpkg_statoverride_list_output=""
|
||||
local dpkg_statoverride_list_exit_code=0
|
||||
dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || {
|
||||
dpkg_statoverride_list_exit_code=$?
|
||||
true
|
||||
}
|
||||
|
||||
if test "${dpkg_statoverride_list_exit_code}" = "0"; then
|
||||
true "There is an fso entry. Check if owner/group/mode match."
|
||||
local grep_line
|
||||
grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}"
|
||||
if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then
|
||||
true "OK The owner/group/mode matches. No further action required."
|
||||
else
|
||||
true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
|
||||
## fso_without_trailing_slash instead of fso to prevent
|
||||
## "dpkg-statoverride: warning: stripping trailing /"
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
|
||||
true "OK Existing mode already saved previously. No need to save again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}"
|
||||
|
||||
## Remove from and add to real database.
|
||||
echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}"
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
|
||||
|
||||
## Save in separate database.
|
||||
## Not using --update as this is only for saving.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
|
||||
fi
|
||||
else
|
||||
true "There is no fso entry. Therefore add one."
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
|
||||
true "OK Existing mode already saved previously. No need to save again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
|
||||
fi
|
||||
|
||||
## Add to real database.
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
|
||||
|
||||
## Save in separate database.
|
||||
## Not using --update as this is only for saving.
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
|
||||
fi
|
||||
fi
|
||||
if test -z "${capability_from_config}"; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if test "${capability_from_config}" = "none"; then
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
|
||||
## sudo setcap -r /bin/ping 2>/dev/null
|
||||
## Failed to set capabilities on file '/bin/ping' (No data available)
|
||||
## The value of the capability argument is not permitted for a file. Or
|
||||
## the file is not a regular (non-symlink) file
|
||||
## Therefore use echo_wrapper_ignore.
|
||||
echo_wrapper_ignore setcap -r "${fso}"
|
||||
getcap_output="$(getcap "${fso}")"
|
||||
if test -n "${getcap_output}"; then
|
||||
exit_code=205
|
||||
echo "ERROR: removing capabilities for fso '${fso}' failed!" >&2
|
||||
continue
|
||||
fi
|
||||
else
|
||||
if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then
|
||||
echo "ERROR: capability_from_config '${capability_from_config}' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## feature request: dpkg-statoverride: support for capabilities
|
||||
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
|
||||
echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}"
|
||||
fi
|
||||
done <"${config_file}"
|
||||
true "INFO: END parsing config_file: '${config_file}'"
|
||||
}
|
||||
|
||||
parse_config_folder() {
|
||||
touch "${store_dir}/private/passwd"
|
||||
chmod og-rwx "${store_dir}/private/passwd"
|
||||
touch "${store_dir}/private/group"
|
||||
chmod og-rwx "${store_dir}/private/group"
|
||||
|
||||
local passwd_file_contents_temp
|
||||
## Query contents of password and group databases only once and buffer them
|
||||
##
|
||||
## If we don't buffer we sometimes get incorrect results when checking for
|
||||
## entries using 'if getent passwd | grep --quiet '^root:'; ...' since
|
||||
## 'grep' exits after the first match in this case causing 'getent' to
|
||||
## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is
|
||||
## set for this script.
|
||||
passwd_file_contents_temp=$(getent passwd)
|
||||
echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null
|
||||
group_file_contents_temp=$(getent group)
|
||||
echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null
|
||||
|
||||
#passwd_file_contents="$(cat "${store_dir}/private/passwd")"
|
||||
#group_file_contents="$(cat "${store_dir}/private/group")"
|
||||
|
||||
shopt -s nullglob
|
||||
for config_file in \
|
||||
/etc/permission-hardener.d/*.conf \
|
||||
/usr/local/etc/permission-hardener.d/*.conf \
|
||||
/etc/permission-hardening.d/*.conf \
|
||||
/usr/local/etc/permission-hardening.d/*.conf
|
||||
do
|
||||
set_file_perms
|
||||
done
|
||||
}
|
||||
|
||||
apply() {
|
||||
check_root
|
||||
make_store_dir
|
||||
sanity_tests
|
||||
parse_config_folder
|
||||
|
||||
echo "\
|
||||
INFO: To compare the current and previous permission modes:
|
||||
Install 'meld' (or preferred diff tool) for comparison of file mode changes:
|
||||
sudo apt install --no-install-recommends meld
|
||||
|
||||
Use 'meld' or another diff tool to view the differences:
|
||||
meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
|
||||
}
|
||||
|
||||
spare() {
|
||||
check_root
|
||||
make_store_dir
|
||||
|
||||
remove_file="${1}"
|
||||
exit_code=0
|
||||
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
|
||||
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
|
||||
|
||||
if test ! -f "${store_dir}/existing_mode/statoverride"; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local line
|
||||
while read -r line; do
|
||||
## example line:
|
||||
## root root 4755 /usr/lib/eject/dmcrypt-get-device
|
||||
|
||||
local owner group mode file_name
|
||||
if ! read -r owner group mode file_name <<< "${line}"; then
|
||||
exit_code=201
|
||||
echo "ERROR: cannot parse line: ${line}" >&2
|
||||
continue
|
||||
fi
|
||||
true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'"
|
||||
|
||||
if test "${remove_file}" = "all"; then
|
||||
verbose=""
|
||||
remove_one=false
|
||||
else
|
||||
if test "${remove_file}" = "${file_name}"; then
|
||||
verbose="--verbose"
|
||||
remove_one=true
|
||||
echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null
|
||||
else
|
||||
echo "false" | tee "${store_dir}/remove_one" >/dev/null
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "${remove_one}" = "true"; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
if test -e "${file_name}"; then
|
||||
# shellcheck disable=SC2086
|
||||
chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202
|
||||
## chmod need to be run after chown since chown removes suid.
|
||||
## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
|
||||
# shellcheck disable=SC2086
|
||||
chmod ${verbose} "${mode}" "${file_name}" || exit_code=203
|
||||
else
|
||||
echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal."
|
||||
fi
|
||||
|
||||
dpkg-statoverride --remove "${file_name}" &>/dev/null || true
|
||||
# shellcheck disable=SC2086
|
||||
dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true
|
||||
# shellcheck disable=SC2086
|
||||
dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true
|
||||
|
||||
if test "${remove_one}" = "true"; then
|
||||
set +o xtrace
|
||||
break
|
||||
fi
|
||||
|
||||
done < "${store_dir}/existing_mode/statoverride"
|
||||
|
||||
if test ! "${remove_file}" = "all"; then
|
||||
if test "$(cat "${store_dir}/remove_one")" = "false"; then
|
||||
echo "INFO: no file was removed.
|
||||
|
||||
File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation of this program.
|
||||
|
||||
Note: This is expected if already done earlier.
|
||||
|
||||
Note: This program expects the full path to the file. Example:
|
||||
$0 disable /usr/bin/newgrp
|
||||
|
||||
The following syntax will not work:
|
||||
$0 disable program-name
|
||||
|
||||
The following example will not work:
|
||||
$0 disable newgrp
|
||||
|
||||
To remove all:
|
||||
$0 disable all
|
||||
|
||||
This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
To view list of changed by SUID Disabler and Permission Hardener:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
For re-enabling any specific SUID binary:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
|
||||
|
||||
For completely disabling SUID Disabler and Permission Hardener:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_root(){
|
||||
if test "$(id -u)" != "0"; then
|
||||
echo "ERROR: Not running as root, aborting."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
usage(){
|
||||
echo "Usage: ${0##*/} enable
|
||||
${0##*/} disable [FILE|all]
|
||||
|
||||
Examples:
|
||||
${0##*/} enable
|
||||
${0##*/} disable all
|
||||
${0##*/} disable /usr/bin/newgrp" >&2
|
||||
exit "${1}"
|
||||
}
|
||||
|
||||
case "${1:-}" in
|
||||
enable) shift; apply "$@";;
|
||||
disable)
|
||||
shift
|
||||
case "${1:-}" in
|
||||
"") usage 1;;
|
||||
*) spare "${1}";;
|
||||
esac
|
||||
;;
|
||||
-h|--help) usage 0;;
|
||||
*) usage 1;;
|
||||
esac
|
||||
|
||||
if test "${exit_code}" != "0"; then
|
||||
echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2
|
||||
fi
|
||||
|
||||
exit "${exit_code}"
|
@ -1,510 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
|
||||
|
||||
## To undo:
|
||||
## sudo /usr/libexec/security-misc/permission-hardening-undo
|
||||
|
||||
#set -x
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
exit_code=0
|
||||
|
||||
mkdir --parents /var/lib/permission-hardening/private
|
||||
mkdir --parents /var/lib/permission-hardening/existing_mode
|
||||
mkdir --parents /var/lib/permission-hardening/new_mode
|
||||
dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
|
||||
dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
|
||||
|
||||
echo_wrapper_ignore() {
|
||||
echo "run: $@"
|
||||
"$@" 2>/dev/null || true
|
||||
}
|
||||
|
||||
echo_wrapper_silent_ignore() {
|
||||
#echo "run: $@"
|
||||
"$@" 2>/dev/null || true
|
||||
}
|
||||
|
||||
echo_wrapper_audit() {
|
||||
echo "run: $@"
|
||||
return_code=0
|
||||
"$@" || \
|
||||
{ \
|
||||
return_code="$?" ; \
|
||||
exit_code=203 ; \
|
||||
echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \
|
||||
};
|
||||
}
|
||||
|
||||
echo_wrapper_silent_audit() {
|
||||
#echo "run (debugging): $@"
|
||||
return_code=0
|
||||
"$@" || \
|
||||
{ \
|
||||
return_code="$?" ; \
|
||||
exit_code=204 ; \
|
||||
echo "ERROR: above command '$@' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \
|
||||
};
|
||||
}
|
||||
|
||||
sanity_tests() {
|
||||
echo_wrapper_silent_audit which \
|
||||
capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null
|
||||
}
|
||||
|
||||
add_nosuid_statoverride_entry() {
|
||||
local fso_to_process
|
||||
fso_to_process="$fso"
|
||||
local should_be_counter
|
||||
should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true
|
||||
local counter_actual
|
||||
counter_actual=0
|
||||
|
||||
local line
|
||||
while read -r line; do
|
||||
true "line: $line"
|
||||
counter_actual="$(( counter_actual + 1 ))"
|
||||
|
||||
local arr file_name existing_mode existing_owner existing_group
|
||||
arr=($line)
|
||||
file_name="${arr[0]}"
|
||||
existing_mode="${arr[1]}"
|
||||
existing_owner="${arr[2]}"
|
||||
existing_group="${arr[3]}"
|
||||
|
||||
if [ "$arr" = "" ]; then
|
||||
echo "ERROR: arr is empty. line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$file_name" = "" ]; then
|
||||
echo "ERROR: file_name is empty. line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_mode" = "" ]; then
|
||||
echo "ERROR: existing_mode is empty. line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_owner" = "" ]; then
|
||||
echo "ERROR: existing_owner is empty. line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_group" = "" ]; then
|
||||
echo "ERROR: existing_group is empty. line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## -h file True if file is a symbolic Link.
|
||||
## -u file True if file has its set-user-id bit set.
|
||||
## -g file True if file has its set-group-id bit set.
|
||||
|
||||
if test -h "$file_name" ; then
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/14
|
||||
true "skip symlink: $file_name"
|
||||
continue
|
||||
fi
|
||||
|
||||
if test -d "$file_name" ; then
|
||||
true "skip directory: $file_name"
|
||||
continue
|
||||
fi
|
||||
|
||||
local setuid setuid_output setsgid setsgid_output
|
||||
setuid=""
|
||||
setuid_output=""
|
||||
if test -u "$file_name" ; then
|
||||
setuid=true
|
||||
setuid_output="set-user-id"
|
||||
fi
|
||||
setsgid=""
|
||||
setsgid_output=""
|
||||
if test -g "$file_name" ; then
|
||||
setsgid=true
|
||||
setsgid_output="set-group-id"
|
||||
fi
|
||||
|
||||
local setuid_or_setsgid
|
||||
setuid_or_setsgid=""
|
||||
if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
|
||||
setuid_or_setsgid=true
|
||||
fi
|
||||
if [ "$setuid_or_setsgid" = "" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
## Remove suid / gid and execute permission for 'group' and 'others'.
|
||||
## Similar to: chmod og-ugx /path/to/filename
|
||||
## Removing execution permission is useful to make binaries such as 'su' fail closed rather
|
||||
## than fail open if suid was removed from these.
|
||||
## Do not remove read access since no security benefit and easier to manually undo for users.
|
||||
## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
|
||||
new_mode="744"
|
||||
|
||||
local is_exact_whitelisted
|
||||
is_exact_whitelisted=""
|
||||
for white_list_entry in $exact_white_list ; do
|
||||
if [ "$file_name" = "$white_list_entry" ]; then
|
||||
is_exact_whitelisted="true"
|
||||
## Stop looping through the whitelist.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
local is_match_whitelisted
|
||||
is_match_whitelisted=""
|
||||
for matchwhite_list_entry in $match_white_list ; do
|
||||
if echo "$file_name" | grep --quiet --fixed-strings "$matchwhite_list_entry" ; then
|
||||
is_match_whitelisted="true"
|
||||
## Stop looping through the match_white_list.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
local is_disable_whitelisted
|
||||
is_disable_whitelisted=""
|
||||
for disablematch_list_entry in $disable_white_list ; do
|
||||
if echo "$file_name" | grep --quiet --fixed-strings "$disablematch_list_entry" ; then
|
||||
is_disable_whitelisted="true"
|
||||
## Stop looping through the disablewhitelist.
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$whitelists_disable_all" = "true" ]; then
|
||||
true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
|
||||
elif [ "$is_disable_whitelisted" = "true" ]; then
|
||||
true "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
|
||||
else
|
||||
if [ "$is_exact_whitelisted" = "true" ]; then
|
||||
true "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
|
||||
continue
|
||||
fi
|
||||
if [ "$is_match_whitelisted" = "true" ]; then
|
||||
true "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
|
||||
|
||||
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then
|
||||
true "OK Existing mode already saved previously. No need to save again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name"
|
||||
fi
|
||||
|
||||
## No need to check "dpkg-statoverride --list" for existing entries.
|
||||
## If existing_mode was correct already, we would not have reached this point.
|
||||
## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add.
|
||||
|
||||
## Remove from real database.
|
||||
echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name"
|
||||
|
||||
## Remove from separate database.
|
||||
echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name"
|
||||
|
||||
## Add to real database and use --update to make changes on disk.
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name"
|
||||
|
||||
## Not using --update as this is only for recording.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"
|
||||
|
||||
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
|
||||
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/17
|
||||
done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} )
|
||||
|
||||
## Sanity test.
|
||||
if [ ! "$should_be_counter" = "$counter_actual" ]; then
|
||||
echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'"
|
||||
echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'"
|
||||
exit_code=202
|
||||
echo "ERROR: counter does not check out." >&2
|
||||
fi
|
||||
}
|
||||
|
||||
set_file_perms() {
|
||||
true "INFO: START parsing config_file: '$config_file'"
|
||||
local line
|
||||
while read -r line || [[ -n "${line}" ]]; do
|
||||
if [ "$line" = "" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [[ "$line" =~ ^# ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
|
||||
true "OK line contains only white listed characters."
|
||||
else
|
||||
exit_code=200
|
||||
echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2
|
||||
## Safer to exit with error in this case.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
|
||||
exit "$exit_code"
|
||||
fi
|
||||
|
||||
if [ "$line" = 'whitelists_disable_all=true' ]; then
|
||||
whitelists_disable_all=true
|
||||
echo "INFO: whitelists_disable_all=true - all whitelists disabled."
|
||||
continue
|
||||
fi
|
||||
|
||||
#global fso
|
||||
local mode_from_config owner_from_config group_from_config capability_from_config
|
||||
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
|
||||
exit_code=201
|
||||
echo "ERROR: cannot parse. line: '$line'" >&2
|
||||
## Debugging.
|
||||
du -hs /tmp || true
|
||||
echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
|
||||
## Safer to exit with error in this case.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
|
||||
exit "$exit_code"
|
||||
fi
|
||||
|
||||
## Debugging.
|
||||
#echo "line: '$line'"
|
||||
#echo "fso: '$fso'"
|
||||
#echo "mode_from_config: '$mode_from_config'"
|
||||
#echo "owner_from_config: '$owner_from_config'"
|
||||
|
||||
local fso_without_trailing_slash
|
||||
fso_without_trailing_slash="${fso%/}"
|
||||
|
||||
if [ "$mode_from_config" = "disablewhitelist" ]; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
disable_white_list+="$fso "
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "$mode_from_config" = "exactwhitelist" ]; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
exact_white_list+="$fso "
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "$mode_from_config" = "matchwhitelist" ]; then
|
||||
## TODO: test/add white spaces inside file name support
|
||||
match_white_list+="$fso "
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ ! -e "$fso" ]; then
|
||||
true "INFO: fso: '$fso' - does not exist. This is likely normal."
|
||||
continue
|
||||
fi
|
||||
|
||||
## Use dpkg-statoverride so permissions are not reset during upgrades.
|
||||
|
||||
if [ "$mode_from_config" = "nosuid" ]; then
|
||||
## If mode_from_config is "nosuid" the config does not set owner and
|
||||
## group. Therefore do not enforce owner/group check.
|
||||
|
||||
add_nosuid_statoverride_entry
|
||||
else
|
||||
local string_length_of_mode_from_config
|
||||
string_length_of_mode_from_config="${#mode_from_config}"
|
||||
if [ "$string_length_of_mode_from_config" -gt "4" ]; then
|
||||
echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$string_length_of_mode_from_config" -lt "3" ]; then
|
||||
echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! grep --quiet --fixed-strings "${owner_from_config}:" /var/lib/permission-hardening/private/passwd ; then
|
||||
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
if ! grep --quiet --fixed-strings "${group_from_config}:" /var/lib/permission-hardening/private/group ; then
|
||||
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
local mode_for_grep
|
||||
mode_for_grep="$mode_from_config"
|
||||
first_character_of_mode_from_config="${mode_from_config::1}"
|
||||
if [ "$first_character_of_mode_from_config" = "0" ]; then
|
||||
## Remove leading '0'.
|
||||
mode_for_grep="${mode_from_config:1}"
|
||||
fi
|
||||
|
||||
local stat_output
|
||||
stat_output=""
|
||||
if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then
|
||||
echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
local arr file_name existing_mode existing_owner existing_group
|
||||
arr=($stat_output)
|
||||
file_name="${arr[0]}"
|
||||
existing_mode="${arr[1]}"
|
||||
existing_owner="${arr[2]}"
|
||||
existing_group="${arr[3]}"
|
||||
|
||||
if [ "$arr" = "" ]; then
|
||||
echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$file_name" = "" ]; then
|
||||
echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_mode" = "" ]; then
|
||||
echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_owner" = "" ]; then
|
||||
echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
if [ "$existing_group" = "" ]; then
|
||||
echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## Check there is an entry for the fso.
|
||||
##
|
||||
## example: dpkg-statoverride --list | grep /home
|
||||
## output:
|
||||
## root root 755 /home
|
||||
##
|
||||
## dpkg-statoverride does not show leading '0'.
|
||||
local dpkg_statoverride_list_output=""
|
||||
local dpkg_statoverride_list_exit_code=0
|
||||
dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? ; true; };
|
||||
|
||||
if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then
|
||||
true "There is an fso entry. Check if owner/group/mode match."
|
||||
local grep_line
|
||||
grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"
|
||||
if echo "$dpkg_statoverride_list_output" | grep --quiet --fixed-strings "$grep_line" ; then
|
||||
true "OK The owner/group/mode matches. No further action required."
|
||||
else
|
||||
true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
|
||||
## fso_without_trailing_slash instead of fso to prevent
|
||||
## "dpkg-statoverride: warning: stripping trailing /"
|
||||
|
||||
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then
|
||||
true "OK Existing mode already saved previously. No need to save again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash"
|
||||
fi
|
||||
|
||||
echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash"
|
||||
|
||||
## Remove from and add to real database.
|
||||
echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash"
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
|
||||
|
||||
## Save in separate database.
|
||||
## Not using --update as this is only for saving.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
|
||||
fi
|
||||
else
|
||||
true "There is no fso entry. Therefore add one."
|
||||
|
||||
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then
|
||||
true "OK Existing mode already saved previously. No need to save again."
|
||||
else
|
||||
## Save existing_mode in separate database.
|
||||
## Not using --update as not intending to enforce existing_mode.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash"
|
||||
fi
|
||||
|
||||
## Add to real database.
|
||||
echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
|
||||
|
||||
## Save in separate database.
|
||||
## Not using --update as this is only for saving.
|
||||
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
|
||||
fi
|
||||
fi
|
||||
if [ "$capability_from_config" = "" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "$capability_from_config" = "none" ]; then
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
|
||||
# sudo setcap -r /bin/ping 2>/dev/null
|
||||
# Failed to set capabilities on file '/bin/ping' (No data available)
|
||||
# The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
|
||||
## Therefore use echo_wrapper_ignore.
|
||||
echo_wrapper_ignore setcap -r "$fso"
|
||||
getcap_output="$(getcap "$fso")"
|
||||
if [ ! "$getcap_output" = "" ]; then
|
||||
exit_code=205
|
||||
echo "ERROR: removing capabilities for fso '$fso' failed!" >&2
|
||||
continue
|
||||
fi
|
||||
else
|
||||
if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "$capability_from_config" ; then
|
||||
echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
|
||||
continue
|
||||
fi
|
||||
|
||||
## feature request: dpkg-statoverride: support for capabilities
|
||||
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
|
||||
echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso"
|
||||
fi
|
||||
done < "$config_file"
|
||||
true "INFO: END parsing config_file: '$config_file'"
|
||||
}
|
||||
|
||||
parse_config_folder() {
|
||||
touch /var/lib/permission-hardening/private/passwd
|
||||
chmod og-rwx /var/lib/permission-hardening/private/passwd
|
||||
touch /var/lib/permission-hardening/private/group
|
||||
chmod og-rwx /var/lib/permission-hardening/private/group
|
||||
|
||||
local passwd_file_contents_temp
|
||||
# Query contents of password and group databases only once and buffer them
|
||||
#
|
||||
# If we don't buffer we sometimes get incorrect results when checking for entries using
|
||||
# 'if getent passwd | grep --quiet '^root:'; ...' since 'grep' exits after the first match in
|
||||
# this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since
|
||||
# 'set -o pipefail' is set for this script.
|
||||
passwd_file_contents_temp=$(getent passwd)
|
||||
echo "$passwd_file_contents_temp" | tee /var/lib/permission-hardening/private/passwd >/dev/null
|
||||
group_file_contents_temp=$(getent group)
|
||||
echo "$group_file_contents_temp" | tee /var/lib/permission-hardening/private/group >/dev/null
|
||||
|
||||
passwd_file_contents=$(cat /var/lib/permission-hardening/private/passwd)
|
||||
group_file_contents=$(cat /var/lib/permission-hardening/private/group)
|
||||
|
||||
shopt -s nullglob
|
||||
for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
|
||||
set_file_perms
|
||||
done
|
||||
}
|
||||
|
||||
sanity_tests
|
||||
parse_config_folder
|
||||
|
||||
echo "\
|
||||
INFO: To compare the current and previous permission modes:
|
||||
1. Install 'meld' (or similar) for an easier comparison of file changes:
|
||||
sudo apt install --no-install-recommends meld
|
||||
|
||||
2. Use 'meld' to view the differences:
|
||||
meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride"
|
||||
|
||||
if [ ! "$exit_code" = "0" ]; then
|
||||
echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
|
||||
fi
|
||||
|
||||
exit "$exit_code"
|
@ -1,136 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
#set -x
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
if [ "$1" = "all" ]; then
|
||||
remove_file="all"
|
||||
elif [ ! "$1" = "" ]; then
|
||||
remove_file="$1"
|
||||
else
|
||||
echo "ERROR: need to give parameter 'all' or a filename.
|
||||
|
||||
examples:
|
||||
|
||||
$0 all
|
||||
|
||||
$0 /usr/bin/newgrp
|
||||
" >&2
|
||||
fi
|
||||
|
||||
exit_code=0
|
||||
|
||||
dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
|
||||
dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
|
||||
|
||||
undo_permission_hardening() {
|
||||
if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local line
|
||||
|
||||
while read -r line; do
|
||||
## example line:
|
||||
## root root 4755 /usr/lib/eject/dmcrypt-get-device
|
||||
|
||||
local owner group mode file_name
|
||||
if ! read -r owner group mode file_name <<< "$line" ; then
|
||||
exit_code=201
|
||||
echo "ERROR: cannot parse line: $line" >&2
|
||||
continue
|
||||
fi
|
||||
true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'"
|
||||
|
||||
if [ "$remove_file" = "all" ]; then
|
||||
do_proceed=true
|
||||
verbose_maybe=""
|
||||
else
|
||||
if [ "$remove_file" = "$file_name" ]; then
|
||||
do_proceed=true
|
||||
verbose_maybe="--verbose"
|
||||
remove_one=true
|
||||
else
|
||||
do_proceed=false
|
||||
verbose_maybe=""
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$do_proceed" = "false" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "$remove_one" = "true" ]; then
|
||||
set -x
|
||||
fi
|
||||
|
||||
if test -e "$file_name" ; then
|
||||
chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202
|
||||
## chmod need to be run after chown since chown removes suid.
|
||||
## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
|
||||
chmod $verbose_maybe "$mode" "$file_name" || exit_code=203
|
||||
else
|
||||
echo "INFO: file_name: '$file_name' - does not exist. This is likely normal."
|
||||
fi
|
||||
|
||||
dpkg-statoverride --remove "$file_name" &>/dev/null || true
|
||||
dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true
|
||||
dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true
|
||||
|
||||
if [ "$remove_one" = "true" ]; then
|
||||
set +x
|
||||
break
|
||||
fi
|
||||
|
||||
done < "/var/lib/permission-hardening/existing_mode/statoverride"
|
||||
}
|
||||
|
||||
undo_permission_hardening
|
||||
|
||||
if [ ! "$remove_file" = "all" ]; then
|
||||
if [ ! "$remove_one" = "true" ]; then
|
||||
echo "INFO: none removed.
|
||||
|
||||
File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program.
|
||||
|
||||
Note: This is expected if already done earlier.
|
||||
|
||||
Note: This program expects the full path to the file. Example:
|
||||
|
||||
$0 /usr/bin/newgrp
|
||||
|
||||
The following syntax will not work:
|
||||
|
||||
$0 program-name
|
||||
|
||||
The following example will not work:
|
||||
|
||||
$0 newgrp
|
||||
|
||||
To remove all:
|
||||
|
||||
$0 all
|
||||
|
||||
This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
To view list of changed by SUID Disabler and Permission Hardener:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
For re-enabling any specific SUID binary:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
|
||||
|
||||
For completely disabling SUID Disabler and Permission Hardener:
|
||||
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! "$exit_code" = "0" ]; then
|
||||
echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
|
||||
fi
|
||||
|
||||
exit "$exit_code"
|
Loading…
Reference in New Issue
Block a user