diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 2305c1d..b2500dc 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -82,14 +82,14 @@ add_nosuid_statoverride_entry() {
 setuid=true
 setuid_output="set-user-id"
 fi
- setguid=""
- setguid_output=""
+ setsgid=""
+ setsgid_output=""
 if test -g "$file_name"; then
- setguid=true
- setguid_output="set-group-id"
+ setsgid=true
+ setsgid_output="set-group-id"
 fi
- if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then
+ if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
 string_length_of_existing_mode="${#existing_mode}"
 if [ "$string_length_of_existing_mode" = "4" ]; then
 new_mode="${existing_mode:1}"
@@ -99,7 +99,7 @@ add_nosuid_statoverride_entry() {
 ## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?
 ## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?
-## Are there suid or guid binaries which are still useful if suid / guid has been removed from these?
+## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
 ## https://forums.whonix.org/t/permission-hardening/8655/10
 # if [ "$new_mode" = "755" ]; then
 # new_mode=744
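Review bot: The rename from `setguid` to `setsgid` is only as safe as its completeness, and because the flag is consumed with `[ "$setsgid" = "true" ]`, any reference to the old name left elsewhere in the script would not error but silently expand to empty and drop the set-group-id case unless the script runs under `set -u`, which this hunk does not show; a `grep -n setguid` over the file and anything that sources it before merging would confirm that this hunk together with the ones at -99 and -121 covers every occurrence. `add_nosuid_statoverride_entry` begins before and continues after this hunk, so that is inferred rather than observed. A smaller style point is that `if test -g "$file_name"; then` sits between `[ ... ]` tests in the same block; `if [ -g "$file_name" ]; then` would keep one test form throughout.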
@@ -121,11 +121,11 @@ add_nosuid_statoverride_entry() {
 done
 if [ "$is_whitelisted" = "true" ]; then
- echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
+ echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
 continue
 fi
- echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
+ echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
 ## No need to check "dpkg-statoverride --list" for existing entries.
 ## If existing_mode was correct already, we would not have reached this point.