security-misc/etc/permission-hardening.d/25_default_sudo.conf

21 lines
1.3 KiB
Plaintext
Raw Normal View History

2023-03-30 02:08:47 -04:00
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
2021-06-05 15:16:42 -04:00
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## https://forums.whonix.org/t/restrict-root-access/7658/116
2021-06-05 15:16:42 -04:00
## This restricts the file permissions of the sudo executable so that a vulnerability
## in the program will not be exploitable by any users not in the "sudo" group. sudo
## is a very complex program and is setuid so vulnerabilities in it can allow privilege
## escalation, regardless of other root access restrictions. For example, the following
## buffer overflow vulnerability could have been exploited by any user on the system:
## https://www.openwall.com/lists/oss-security/2021/01/26/3
## With this restriction, only users explicitly permitted to use sudo by being added to
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
## compromised network-facing daemon (such as web servers, time synchronization daemons,
2022-06-08 08:11:28 -04:00
## etc.) running as its own user from exploiting sudo to escalate privileges.
#/usr/bin/sudo 4750 root sudo
#/bin/sudo 4750 root sudo