security-misc/etc/permission-hardening.d/25_default_sudo.conf

20 lines
1.2 KiB
Plaintext
Raw Normal View History

2021-06-05 15:16:42 -04:00
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## This restricts the file permissions of the sudo executable so that a vulnerability
## in the program will not be exploitable by any users not in the "sudo" group. sudo
## is a very complex program and is setuid so vulnerabilities in it can allow privilege
## escalation, regardless of other root access restrictions. For example, the following
## buffer overflow vulnerability could have been exploited by any user on the system:
## https://www.openwall.com/lists/oss-security/2021/01/26/3
## With this restriction, only users explicitly permitted to use sudo by being added to
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
## compromised network-facing daemon (such as web servers, time synchronization daemons,
## etc.) running as its own user from exploiting sudo to escalate privileges.
/usr/bin/sudo 4750 root sudo
/bin/sudo 4750 root sudo