Commit Graph

52 Commits

Author SHA1 Message Date
55d16e1602 remove unicode 2022-06-08 09:04:03 -04:00
fcaec49675 Merge remote-tracking branch 'github-kicksecure/master' 2022-06-08 08:20:24 -04:00
5c43197f10 minor 2022-06-08 08:11:28 -04:00
6e8f584d88 permission-hardening: Keep pam_unix.so password checking helper SetGID shadow 2022-06-08 05:29:42 +00:00
3910e4ee15 permission-hardening: Keep passwd executable but non-SetUID 2022-06-07 08:11:51 +00:00
2d37e3a1af copyright 2022-05-20 14:46:38 -04:00
bb0307290b update link 2022-04-16 14:18:35 -04:00
c94281121e comment 2021-08-01 16:37:02 -04:00
eff5af0318 https://forums.whonix.org/t/restrict-root-access/7658/116 2021-06-20 10:16:33 -04:00
97d8db3f74 Restrict sudo's file permissions 2021-06-05 19:16:42 +00:00
a67007f4b7 copyright 2021-03-17 09:45:21 -04:00
b2b614ed2a cover more folders in /usr/local 2020-12-06 04:15:52 -05:00
5bd267d774 refactoring 2020-12-06 04:10:50 -05:00
11cdce02a0 refactoring 2020-12-06 04:10:10 -05:00
f73c55f16c /opt
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
c031f22995 SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
b09cc0de6a Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
704f0500ba fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
36a471ebce SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
318ab570aa simplify disabling of SUID Disabler and Permission Hardener whitelist
split `/etc/permission-hardening.d/30_default.conf` into multiple files

`/etc/permission-hardening.d/40_default_whitelist_[...].conf`

therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
cf07e977bd add /bin/pkexec exactwhitelist for consistency
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
938e929f39 add pkexec to suid default whitelist
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
2020-04-12 16:37:51 -04:00
2ceea8d1fe update copyright year 2020-04-01 08:49:59 -04:00
f3ff32ddbb Protect /bin/mount from 'chmod -x'.
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist

Remove SUID from 'mount' but keep executable.

/bin/mount 745 root root
/usr/bin/mount 745 root root

https://forums.whonix.org/t/disable-suid-binaries/7706/61
2019-12-30 06:39:24 -05:00
e5623fcd2b comment 2019-12-29 04:21:52 -05:00
674840e6f9 /fusermount matchwhitelist
unbreak AppImages such as the Electrum Bitcoin wallet

https://forums.whonix.org/t/disable-suid-binaries/7706/57
2019-12-26 05:44:35 -05:00
79241c5d09 Make /lib/modules unreadable 2019-12-23 20:28:29 +00:00
9d77d88a4d comments 2019-12-23 09:39:50 -05:00
11b4192fbd comments 2019-12-23 03:28:42 -05:00
2152fa2d61 comment 2019-12-23 02:38:53 -05:00
f8f2e6c704 fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
47ddcad0c0 rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
1ff56625a1 polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
d484b299ea matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00
58a4e0bc7d dbus-daemon-launch-helper matchwhitelist 2019-12-22 19:12:10 -05:00
15e3a2832d comment 2019-12-22 18:57:23 -05:00
6eb8fd257a suid utempter/utempter matchwhitelist
to cover both:

/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
2019-12-22 18:56:36 -05:00
2ddf7b5db5 /lib/ nosuid 2019-12-21 14:06:51 -05:00
3ea587187e no need to exclude xorg nosuid on Debian
http://forums.whonix.org/t/permission-hardening/8655/25
2019-12-21 06:53:07 -05:00
d220bb3bc4 suid /usr/lib/chromium/chrome-sandbox whitelist 2019-12-20 13:07:01 -05:00
77b3dd5d6b comments 2019-12-20 13:02:33 -05:00
d7bd477e73 add "/usr/lib/xorg/Xorg.wrap whitelist"
until this is researched

https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
2019-12-20 12:59:27 -05:00
17e8605119 add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"
2019-12-20 12:57:24 -05:00
3fab387669 suid /usr/bin/firejail whitelist
There is a controversy about firejail, but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
2019-12-20 12:50:35 -05:00
d3f16a5bf4 sgid /usr/lib/qubes/qfile-unpacker whitelist 2019-12-20 12:47:10 -05:00
508ec0c6fa comment 2019-12-20 12:34:07 -05:00
1b569ea790 comment 2019-12-20 12:32:36 -05:00
e28da89253 /bin/sudo whitelist / /bin/bwrap whitelist 2019-12-20 09:48:06 -05:00
6d30e3b4a2 do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
48fe7312bf update config 2019-12-20 05:57:41 -05:00