From 61e19fa5f1343554e9a213a1a9762cef4707ab3d Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 8 Dec 2019 16:49:28 +0000
Subject: [PATCH 1/3] Create permission-hardening
---
 usr/lib/security-misc/permission-hardening | 66 ++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 usr/lib/security-misc/permission-hardening
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
new file mode 100644
index 0000000..9dec815
--- /dev/null
+++ b/usr/lib/security-misc/permission-hardening
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+config_file="/etc/permission-hardening.conf"
+
+set_file_perms() {
+ while read line
+ do
+ [[ "$line" =~ ^#.*$ ]] && continue
+
+ file="$(awk '{print $1}' <<< ${line})"
+ mode="$(awk '{print $2}' <<< ${line})"
+ owner="$(awk '{print $3}' <<< ${line})"
+ group="$(awk '{print $4}' <<< ${line})"
+ capability="$(awk '{print $5}' <<< ${line})"
+
+ if ! [ -e "${file}" ]; then
+ echo "ERROR: File '${file}' does not exist!"
+ continue
+ fi
+
+ if ! seq -w 000 4777 | grep -qw "${mode}"; then
+ echo "ERROR: Mode '${mode}' is invalid!"
+ continue
+ fi
+
+ if ! getent passwd | grep -q "^${owner}:"; then
+ echo "ERROR: User '${owner}' does not exist!"
+ continue
+ fi
+
+ if ! getent group | grep -q "^${group}:"; then
+ echo "ERROR: Group '${group}' does not exist!"
+ continue
+ fi
+
+ chmod "${mode}" "${file}"
+ chown "${owner}:${group}" "${file}"
+
+ ## The permissions should not be reset during upgrades.
+ if dpkg-statoverride --list | grep -q "${file%/}"; then
+ ## If there is an entry for the file, but the owner/group/mode do not
+ ## match, we remove and re-add the entry to update it.
+ if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${file%/}"; then
+ dpkg-statoverride --remove "${file}"
+ dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}"
+ fi
+ else
+ dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}"
+ fi
+
+ if ! [ "${capability}" = "" ]; then
+ if [ "${capability}" = "none" ]; then
+ setcap -r "${file}"
+ else
+ if ! capsh --print | grep "Bounding set" | grep -q ${capability}; then
+ echo "ERROR: Capability '${capability}' does not exist!"
+ continue
+ fi
+
+ setcap "${capability}+ep" "${file}"
+ fi
+ fi
+ done <${config_file}
+}
+
+set_file_perms
From 6c564f6e9549462412299fd5b2f7e303409c5dad Mon Sep 17 00:00:00 2001
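Review bot: set_file_perms never propagates failure: every validation error is an `echo` to stdout followed by `continue`, the status of `chmod`, `chown` and `setcap` is not checked, and the script ends with a bare `set_file_perms` call, so it exits 0 even when nothing was hardened — the oneshot unit in patch 3 will therefore report success on a broken config. I would route errors through a helper that writes to stderr and records a non-zero status, check the chmod/chown results, and `exit "$rv"` at the end; since that turns the spurious "File '' does not exist!" produced by blank config lines into a unit failure, the skip pattern has to cover blank lines as well. Separately, `read line` should be `IFS= read -r line` and `${line}` / `${capability}` should be quoted so backslashes, globs and word splitting cannot alter the parsed fields. The `dpkg-statoverride --list | grep -q "${file%/}"` lookups are unanchored substring matches, so an existing entry for `/home/user` satisfies the check for `/home`; matching on `" ${file%/}$"` would avoid that.
```shell
config_file="/etc/permission-hardening.conf"
rv=0

## Report a non-fatal problem on stderr and remember it for the exit status.
error() {
  printf 'ERROR: %s\n' "$1" >&2
  rv=1
}

set_file_perms() {
  while IFS= read -r line || [[ -n "$line" ]]
  do
    ## Skip comments and blank lines (a blank line would otherwise be
    ## reported as a missing file "").
    [[ "$line" =~ ^[[:space:]]*(#|$) ]] && continue
    # … unchanged: awk field extraction (with "${line}" quoted) and the
    #   existence/mode/user/group checks, each `echo "ERROR: …"` becoming `error "…"` …
    chmod "${mode}" "${file}" || error "chmod ${mode} on '${file}' failed"
    chown "${owner}:${group}" "${file}" || error "chown ${owner}:${group} on '${file}' failed"
    # … unchanged: dpkg-statoverride bookkeeping and capability handling …
  done <"${config_file}"
}

set_file_perms
exit "$rv"
```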
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 8 Dec 2019 16:50:11 +0000
Subject: [PATCH 2/3] Create permission-hardening.conf
---
 etc/permission-hardening.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 etc/permission-hardening.conf
diff --git a/etc/permission-hardening.conf b/etc/permission-hardening.conf
new file mode 100644
index 0000000..ec69b5d
--- /dev/null
+++ b/etc/permission-hardening.conf
@@ -0,0 +1,10 @@
+## File permission hardening.
+##
+## Syntax:
+## [filename] [mode] [owner] [group] [capability]
+##
+/home/ 0755 root root
+/home/user/ 0700 user user
+/root/ 0700 root root
+/boot/ 0700 root root
+/etc/permission-hardening.conf 0600 root root
From d7e2deae9250abd79ab83c2025b98476dde710d3 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 8 Dec 2019 16:50:54 +0000
Subject: [PATCH 3/3] Create permission-hardening.service
---
 lib/systemd/system/permission-hardening.service | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 lib/systemd/system/permission-hardening.service
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service
new file mode 100644
index 0000000..216da23
--- /dev/null
+++ b/lib/systemd/system/permission-hardening.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=File permission hardening
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/permission-hardening
+
+[Install]
+WantedBy=sysinit.target
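Review bot: The syntax comment leaves out the conventions the parser in patch 1 depends on: fields are whitespace-separated, the capability column is optional, the literal value `none` removes any existing capability (`setcap -r`), only lines starting with `#` in column 0 are treated as comments, and blank lines are not skipped (each one produces a "File '' does not exist!" error at boot). I would extend the header with `## [capability] is optional; "none" removes any capability set on the file.` and `## One entry per line, fields separated by whitespace; do not leave blank lines.`. The `/home/user/ 0700 user user` entry also presumes an account named `user` exists; on systems without it the script logs an error on every boot, so a comment stating that assumption next to the entry would help whoever adapts this file.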
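Review bot: `ExecStart=/usr/lib/security-misc/permission-hardening` executes the script directly, but patch 1 adds that file with `create mode 100644`, so unless the package build marks it executable the unit will fail to start with a permission error; either commit the script as mode 100755 or invoke it as `ExecStart=/bin/bash /usr/lib/security-misc/permission-hardening`. The unit also runs unconditionally: if `/etc/permission-hardening.conf` is absent, the script's `done <${config_file}` redirection fails and nothing is applied, so a `ConditionPathExists=/etc/permission-hardening.conf` line in `[Unit]` would make that case visible in the journal instead of a silent no-op.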