mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-23 13:12:02 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor'

Browse Source
This commit is contained in:
Patrick Schleizer 2025-01-06 08:43:54 -05:00
commit c4cfb8597d
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 613 additions and 525 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
debian/security-misc.maintscript vendored
View File

@ -106,3 +106,6 @@ rm_conffile /etc/default/grub.d/41_quiet.cfg
## moved to usability-misc
rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf
## renamed to reflect the fact that this uses a whitelist
rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf

1130
usr/bin/permission-hardener
View File

File diff suppressed because it is too large Load Diff

5
usr/lib/permission-hardener.d/25_default_passwd.conf → usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf
View File

@ -7,8 +7,11 @@
# Keep the `passwd` utility executable to prevent issues with the
# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
# user logins with `su` and KScreenLocker
# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep
# the nosuid rule on /usr/bin from fighting with these rules.
#
# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
/usr/bin/passwd exactwhitelist
/bin/passwd exactwhitelist
/usr/bin/passwd 0755 root root
/bin/passwd 0755 root root