2023-03-30 02:08:47 -04:00
|
|
|
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2021-06-05 15:16:42 -04:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
|
|
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
|
|
|
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
|
|
|
## configuration. When security-misc is updated, this file may be overwritten.
|
|
|
|
|
2021-06-20 10:16:33 -04:00
|
|
|
## https://forums.whonix.org/t/restrict-root-access/7658/116
|
2021-06-05 15:16:42 -04:00
|
|
|
## This restricts the file permissions of the sudo executable so that a vulnerability
|
|
|
|
## in the program will not be exploitable by any users not in the "sudo" group. sudo
|
|
|
|
## is a very complex program and is setuid so vulnerabilities in it can allow privilege
|
|
|
|
## escalation, regardless of other root access restrictions. For example, the following
|
|
|
|
## buffer overflow vulnerability could have been exploited by any user on the system:
|
|
|
|
## https://www.openwall.com/lists/oss-security/2021/01/26/3
|
|
|
|
## With this restriction, only users explicitly permitted to use sudo by being added to
|
|
|
|
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
|
|
|
|
## compromised network-facing daemon (such as web servers, time synchronization daemons,
|
2022-06-08 08:11:28 -04:00
|
|
|
## etc.) running as its own user from exploiting sudo to escalate privileges.
|
2021-06-20 10:16:33 -04:00
|
|
|
#/usr/bin/sudo 4750 root sudo
|
|
|
|
#/bin/sudo 4750 root sudo
|