Remove suid / gid and execute permission for 'group' and 'others'.

Similar to: chmod og-ugx /path/to/filename

Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.

Do not remove read access, since that has no security benefit and keeping it makes the change easier for users to undo manually.

chmod 744
Patrick Schleizer 2019-12-22 19:42:40 -05:00
parent 58a4e0bc7d
commit f4b1df02ee
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -121,27 +121,22 @@ add_nosuid_statoverride_entry() {
setsgid_output="set-group-id" setsgid_output="set-group-id"
fi fi
local setuid_or_setsgid
setuid_or_setsgid=""
if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
string_length_of_existing_mode="${#existing_mode}" setuid_or_setsgid=true
if [ "$string_length_of_existing_mode" = "4" ]; then fi
new_mode="${existing_mode:1}" if [ "$setuid_or_setsgid" = "" ]; then
else continue
new_mode="$existing_mode"
fi fi
## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability? ## Remove suid / gid and execute permission for 'group' and 'others'.
## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these? ## Similar to: chmod og-ugx /path/to/filename
## Removing execution permission is useful to make binaries such as 'su' fail closed rather
## than fail open if suid was removed from these.
## Do not remove read access since no security benefit and easier to manually undo for users.
## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
## https://forums.whonix.org/t/permission-hardening/8655/10 new_mode="744"
# if [ "$new_mode" = "755" ]; then
# new_mode=744
# fi
# if [ "$new_mode" = "754" ]; then
# new_mode=744
# fi
# if [ "$new_mode" = "745" ]; then
# new_mode=744
# fi
local is_whitelisted local is_whitelisted
is_whitelisted="" is_whitelisted=""
@ -198,7 +193,6 @@ add_nosuid_statoverride_entry() {
## Not using --update as this is only for recording. ## Not using --update as this is only for recording.
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"
fi
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.