Remove suid / gid and execute permission for 'group' and 'others'.

Similar to: chmod og-ugx /path/to/filename Removing execution permission is useful to make binaries such as 'su' fail closed rather than fail open if suid was removed from these. Do not remove read access since no security benefit and easier to manually undo for users. chmod 744
2025-01-10 07:06:43 +07:00 · 2019-12-22 19:42:40 -05:00 · 2019-12-22 19:42:40 -05:00 · f4b1df02ee
commit f4b1df02ee
parent 58a4e0bc7d
1 changed files with 105 additions and 111 deletions
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@ -121,27 +121,22 @@ add_nosuid_statoverride_entry() {
         setsgid_output="set-group-id"
      fi

+      local setuid_or_setsgid
+      setuid_or_setsgid=""
      if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
-      string_length_of_existing_mode="${#existing_mode}"
-      if [ "$string_length_of_existing_mode" = "4" ]; then
-        new_mode="${existing_mode:1}"
-      else
-        new_mode="$existing_mode"
+         setuid_or_setsgid=true
+      fi
+      if [ "$setuid_or_setsgid" = "" ]; then
+         continue
      fi

-## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?
-## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?
+      ## Remove suid / gid and execute permission for 'group' and 'others'.
+      ## Similar to: chmod og-ugx /path/to/filename
+      ## Removing execution permission is useful to make binaries such as 'su' fail closed rather
+      ## than fail open if suid was removed from these.
+      ## Do not remove read access since no security benefit and easier to manually undo for users.
      ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
-## https://forums.whonix.org/t/permission-hardening/8655/10
-#       if [ "$new_mode" = "755" ]; then
-#         new_mode=744
-#       fi
-#       if [ "$new_mode" = "754" ]; then
-#         new_mode=744
-#       fi
-#       if [ "$new_mode" = "745" ]; then
-#         new_mode=744
-#       fi
+      new_mode="744"

      local is_whitelisted
      is_whitelisted=""
@ -198,7 +193,6 @@ add_nosuid_statoverride_entry() {

      ## Not using --update as this is only for recording.
      echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"
-    fi

      ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
      ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.