2019-12-08 11:49:28 -05:00
#!/bin/bash
2024-01-02 06:17:16 -05:00
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
2019-12-19 12:01:08 -05:00
## See the file COPYING for copying conditions.
2019-12-21 07:47:00 -05:00
## https://forums.whonix.org/t/disable-suid-binaries/7706
2019-12-20 06:34:37 -05:00
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2024-01-02 06:17:16 -05:00
set -o errexit -o nounset -o pipefail
2019-12-19 12:01:08 -05:00
2019-12-20 02:01:36 -05:00
exit_code=0
2024-01-02 07:34:29 -05:00
store_dir="/var/lib/permission-hardener"
2024-01-02 06:17:16 -05:00
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
2019-12-21 04:08:35 -05:00
2024-07-23 12:46:47 -04:00
log_level=info
# shellcheck disable=SC1091
source /usr/libexec/helper-scripts/log_run_die.sh
2019-12-20 11:03:22 -05:00
echo_wrapper_ignore() {
2024-07-22 11:06:07 -04:00
if test "${1}" = "verbose"; then
2024-07-23 12:46:47 -04:00
shift
log info "Run: $*"
else
shift
2024-07-22 11:06:07 -04:00
fi
2024-01-02 06:17:16 -05:00
"$@" 2>/dev/null || true
2019-12-23 01:32:42 -05:00
}
2019-12-20 11:03:22 -05:00
echo_wrapper_audit() {
2024-07-22 11:06:07 -04:00
if test "${1}" = "verbose"; then
2024-07-23 12:46:47 -04:00
shift
log info "Run: $*"
else
shift
2024-07-22 11:06:07 -04:00
fi
2024-01-02 06:17:16 -05:00
return_code=0
"$@" ||
{
return_code="$?"
exit_code=203
2024-07-23 12:46:47 -04:00
log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
2024-01-02 06:17:16 -05:00
}
}
make_store_dir(){
mkdir --parents "${store_dir}/private"
mkdir --parents "${store_dir}/existing_mode"
mkdir --parents "${store_dir}/new_mode"
2019-12-21 04:08:35 -05:00
}
2019-12-23 00:59:24 -05:00
sanity_tests() {
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent which \
2024-01-02 06:17:16 -05:00
capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null
2019-12-23 00:59:24 -05:00
}
2019-12-20 04:08:46 -05:00
add_nosuid_statoverride_entry() {
2024-01-02 06:17:16 -05:00
local fso_to_process
fso_to_process="${fso}"
local should_be_counter
2024-07-11 05:04:22 -04:00
should_be_counter=0
2024-01-02 06:17:16 -05:00
local counter_actual
counter_actual=0
2024-07-11 05:04:22 -04:00
local dummy_line
2024-07-23 13:36:12 -04:00
while IFS="" read -r -d "" dummy_line; do
2024-07-23 12:46:47 -04:00
log info "Test would parse line: ${dummy_line}"
2024-07-11 05:04:22 -04:00
should_be_counter=$((should_be_counter + 1))
2024-07-23 13:36:12 -04:00
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0)
2024-07-11 05:04:22 -04:00
2024-01-02 06:17:16 -05:00
local line
2024-07-23 13:36:12 -04:00
while IFS="" read -r -d "" line; do
2024-01-02 06:17:16 -05:00
counter_actual="$((counter_actual + 1))"
2024-07-24 11:10:56 -04:00
local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output
2024-07-24 10:58:05 -04:00
2024-07-23 13:36:12 -04:00
file_name="${line}"
2024-07-24 10:58:05 -04:00
if test -z "${file_name}"; then
log error "File name is empty in line: ${line}" >&2
continue
fi
2024-07-24 10:56:08 -04:00
## Capture the stat output with fields separated by NUL characters.
## Delimiter at the end to avoid the last field to be interpreted as having a newline.
stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}")
2024-07-24 10:57:13 -04:00
2024-07-24 10:56:08 -04:00
readarray -d '\0' -t arr <<< "${stat_output}"
2024-01-02 06:17:16 -05:00
if test "${#arr[@]}" = 0; then
2024-07-24 11:10:56 -04:00
log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
2024-07-24 10:57:13 -04:00
file_name_from_stat="${arr[0]}"
existing_mode="${arr[1]}"
existing_owner="${arr[2]}"
existing_group="${arr[3]}"
2024-07-24 11:01:24 -04:00
if [ ! "$file_name" = "$file_name_from_stat" ]; then
log error "\
file_name is different from file_name_from_stat:
line: '${line}'
file_name '${file_name}'
file_name_from_stat: '${file_name_from_stat}'" >&2
continue
fi
2024-01-02 06:17:16 -05:00
if test -z "${existing_mode}"; then
2024-07-23 13:36:12 -04:00
log error "Existing mode is empty in line: ${line}" >&2
2024-01-02 06:17:16 -05:00
continue
fi
if test -z "${existing_owner}"; then
2024-07-23 13:36:12 -04:00
log error "Existing owner is empty in line: ${line}" >&2
2024-01-02 06:17:16 -05:00
continue
fi
if test -z "${existing_group}"; then
2024-07-23 13:36:12 -04:00
log error "Existing group is empty in line: ${line}" >&2
continue
fi
## dpkg-statoverride: error: path may not contain newlines
if [[ "${file_name}" == *$'\n'* ]]; then
log warn "Skipping file name that contains newlines: ${file_name}" >&2
2024-01-02 06:17:16 -05:00
continue
fi
## -h file True if file is a symbolic Link.
## -u file True if file has its set-user-id bit set.
## -g file True if file has its set-group-id bit set.
if test -h "${file_name}"; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/14
2024-07-23 12:46:47 -04:00
log info "Skip symlink: ${file_name}"
2024-01-02 06:17:16 -05:00
continue
fi
if test -d "${file_name}"; then
2024-07-23 12:46:47 -04:00
log info "Skip directory: ${file_name}"
2024-01-02 06:17:16 -05:00
continue
fi
local setuid setuid_output setsgid setsgid_output
setuid=""
setuid_output=""
if test -u "${file_name}"; then
setuid=true
setuid_output="set-user-id"
fi
setsgid=""
setsgid_output=""
if test -g "${file_name}"; then
setsgid=true
setsgid_output="set-group-id"
fi
local setuid_or_setsgid
setuid_or_setsgid=""
if test "${setuid}" = "true" || test "${setsgid}" = "true"; then
setuid_or_setsgid=true
fi
if test -z "${setuid_or_setsgid}"; then
continue
fi
## Remove suid / gid and execute permission for 'group' and 'others'.
## Similar to: chmod og-ugx /path/to/filename
## Removing execution permission is useful to make binaries such as 'su'
## fail closed rather than fail open if suid was removed from these.
## Do not remove read access since no security benefit and easier to
## manually undo for users.
## Are there suid or sgid binaries which are still useful if suid / sgid
## has been removed from these?
new_mode="744"
local is_exact_whitelisted
is_exact_whitelisted=""
2024-07-22 10:01:14 -04:00
for white_list_entry in "${exact_white_list[@]:-}"; do
2024-07-23 12:46:47 -04:00
if test -z "${white_list_entry}"; then
continue
fi
2024-01-02 06:17:16 -05:00
if test "${file_name}" = "${white_list_entry}"; then
is_exact_whitelisted="true"
## Stop looping through the whitelist.
break
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
done
local is_match_whitelisted
is_match_whitelisted=""
2024-07-22 10:01:14 -04:00
for matchwhite_list_entry in "${match_white_list[@]:-}"; do
2024-07-23 12:46:47 -04:00
if test -z "${matchwhite_list_entry}"; then
continue
fi
2024-01-02 06:17:16 -05:00
if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then
is_match_whitelisted="true"
## Stop looping through the match_white_list.
break
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
done
local is_disable_whitelisted
is_disable_whitelisted=""
2024-07-22 10:01:14 -04:00
for disablematch_list_entry in "${disable_white_list[@]:-}"; do
2024-07-23 12:46:47 -04:00
if test -z "${disablematch_list_entry}"; then
continue
fi
2024-01-02 06:17:16 -05:00
if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then
is_disable_whitelisted="true"
## Stop looping through the disablewhitelist.
break
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
done
2024-07-24 11:03:28 -04:00
local clean_output_prefix clean_output
2024-07-23 12:46:47 -04:00
clean_output_prefix="Managing (S|G)UID of line:"
2024-07-23 03:55:02 -04:00
clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'"
2024-01-02 06:17:16 -05:00
if test "${whitelists_disable_all:-}" = "true"; then
2024-07-23 12:46:47 -04:00
log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}"
2024-01-02 06:17:16 -05:00
elif test "${is_disable_whitelisted}" = "true"; then
2024-07-23 12:46:47 -04:00
log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}"
2024-01-02 06:17:16 -05:00
else
if test "${is_exact_whitelisted}" = "true"; then
2024-07-23 12:46:47 -04:00
log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}"
2024-01-02 06:17:16 -05:00
continue
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
if test "${is_match_whitelisted}" = "true"; then
2024-07-23 12:46:47 -04:00
log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}"
2024-01-02 06:17:16 -05:00
continue
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
fi
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then
2024-07-23 12:46:47 -04:00
log info "Existing mode already saved previously. Not saving again."
2024-01-02 06:17:16 -05:00
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}"
2024-01-02 06:17:16 -05:00
fi
## No need to check "dpkg-statoverride --list" for existing entries.
## If existing_mode was correct already, we would not have reached this
## point. Since existing_mode is incorrect, remove from dpkg-statoverride
## and re-add.
## Remove from real database.
2024-07-22 11:06:07 -04:00
echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}"
2024-01-02 06:17:16 -05:00
## Remove from separate database.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}"
2024-01-02 06:17:16 -05:00
## Add to real database and use --update to make changes on disk.
2024-07-22 11:06:07 -04:00
echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
2024-01-02 06:17:16 -05:00
## Not using --update as this is only for recording.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
2024-01-02 06:17:16 -05:00
2024-01-17 13:39:56 -05:00
## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
2024-01-02 06:17:16 -05:00
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
## https://forums.whonix.org/t/disable-suid-binaries/7706/17
2024-07-23 13:36:12 -04:00
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0)
2024-01-02 06:17:16 -05:00
## Sanity test.
if test ! "${should_be_counter}" = "${counter_actual}"; then
2024-07-23 12:46:47 -04:00
log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})"
log error "Expected number of files to be parsed was not met." >&2
2024-01-02 06:17:16 -05:00
exit_code=202
fi
}
2019-12-19 12:01:08 -05:00
2024-01-02 06:17:16 -05:00
set_file_perms() {
2024-07-23 12:46:47 -04:00
log info "START parsing config file: ${config_file}"
2024-01-02 06:17:16 -05:00
local line
while read -r line || test -n "${line}"; do
if test -z "${line}"; then
continue
fi
2024-07-22 10:01:14 -04:00
if [[ "${line}" =~ ^\s*# ]]; then
2024-01-02 06:17:16 -05:00
continue
fi
2024-07-23 12:46:47 -04:00
if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
2024-01-02 06:17:16 -05:00
exit_code=200
2024-07-23 12:46:47 -04:00
log error "Line contains invalid characters: ${line}" >&2
2024-01-02 06:17:16 -05:00
## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "${exit_code}"
fi
if test "${line}" = 'whitelists_disable_all=true'; then
whitelists_disable_all=true
2024-07-23 12:46:47 -04:00
log info "whitelists_disable_all=true"
2024-01-02 06:17:16 -05:00
continue
fi
#global fso
local mode_from_config owner_from_config group_from_config capability_from_config
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then
exit_code=201
2024-07-23 12:46:47 -04:00
log error "Cannot parse line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
## Debugging.
du -hs /tmp || true
echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "${exit_code}"
fi
2024-07-23 12:46:47 -04:00
log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}"
2024-01-02 06:17:16 -05:00
## Debugging.
#echo "line: '${line}'"
#echo "fso: '${fso}'"
#echo "mode_from_config: '${mode_from_config}'"
#echo "owner_from_config: '${owner_from_config}'"
local fso_without_trailing_slash
fso_without_trailing_slash="${fso%/}"
2024-07-22 10:01:14 -04:00
## TODO: test/add white spaces inside file name support
2024-07-23 12:46:47 -04:00
declare -g disable_white_list exact_white_list match_white_list
2024-07-22 10:01:14 -04:00
case "${mode_from_config}" in
disablewhitelist)
disable_white_list+=("${fso}")
continue
;;
exactwhitelist)
exact_white_list+=("${fso}")
continue
;;
matchwhitelist)
match_white_list+=("${fso}")
continue
;;
esac
2024-01-02 06:17:16 -05:00
if test ! -e "${fso}"; then
2024-07-23 12:46:47 -04:00
log warn "File does not exist: '${fso}'"
2024-01-02 06:17:16 -05:00
continue
fi
## Use dpkg-statoverride so permissions are not reset during upgrades.
if test "${mode_from_config}" = "nosuid"; then
## If mode_from_config is "nosuid" the config does not set owner and
## group. Therefore do not enforce owner/group check.
add_nosuid_statoverride_entry
else
local string_length_of_mode_from_config
string_length_of_mode_from_config="${#mode_from_config}"
if test "${string_length_of_mode_from_config}" -gt "4"; then
2024-07-23 12:46:47 -04:00
log error "Invalid mode: '${mode_from_config}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
if test "${string_length_of_mode_from_config}" -lt "3"; then
2024-07-23 12:46:47 -04:00
log error "Invalid mode: '${mode_from_config}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
2019-12-20 02:43:33 -05:00
2024-01-02 06:17:16 -05:00
if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then
2024-07-23 12:46:47 -04:00
log error "Owner from config does not exist: '${owner_from_config}'" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-22 19:42:40 -05:00
fi
2019-12-20 02:57:57 -05:00
2024-01-02 06:17:16 -05:00
if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then
2024-07-23 12:46:47 -04:00
log error "Group from config does not exist: '${group_from_config}'" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-22 19:42:40 -05:00
fi
2019-12-20 11:47:53 -05:00
2024-01-02 06:17:16 -05:00
local mode_for_grep
mode_for_grep="${mode_from_config}"
first_character_of_mode_from_config="${mode_from_config::1}"
if test "${first_character_of_mode_from_config}" = "0"; then
## Remove leading '0'.
mode_for_grep="${mode_from_config:1}"
2019-12-22 19:42:40 -05:00
fi
2024-01-02 06:17:16 -05:00
local stat_output
stat_output=""
2024-07-24 10:56:08 -04:00
if ! stat_output="$(stat -c '%n\0%a\0%U\0%G\0%' "${fso_without_trailing_slash}")"; then
2024-07-23 12:46:47 -04:00
log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-22 19:42:40 -05:00
fi
2019-12-20 05:37:33 -05:00
2024-07-24 11:10:56 -04:00
local arr file_name file_name_from_stat existing_mode existing_owner existing_group
readarray -d '\0' -t arr <<< "${stat_output}"
2024-07-23 13:36:12 -04:00
file_name="${fso_without_trailing_slash}"
2024-07-24 11:10:56 -04:00
if test "${#arr[@]}" = 0; then
2024-07-24 11:12:18 -04:00
log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2
2024-07-24 11:10:56 -04:00
continue
fi
file_name_from_stat="${arr[0]}"
existing_mode="${arr[1]}"
existing_owner="${arr[2]}"
existing_group="${arr[3]}"
2024-01-02 06:17:16 -05:00
if test -z "${file_name}"; then
2024-07-23 12:46:47 -04:00
log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-20 04:08:46 -05:00
fi
2024-01-02 06:17:16 -05:00
if test -z "${existing_mode}"; then
2024-07-23 12:46:47 -04:00
log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
if test -z "${existing_owner}"; then
2024-07-24 11:12:18 -04:00
log error "Existing_owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
if test -z "${existing_group}"; then
2024-07-23 12:46:47 -04:00
log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-20 12:57:24 -05:00
fi
2024-01-02 06:17:16 -05:00
## Check there is an entry for the fso.
##
## example: dpkg-statoverride --list | grep /home
## output:
## root root 755 /home
##
## dpkg-statoverride does not show leading '0'.
local dpkg_statoverride_list_output=""
local dpkg_statoverride_list_exit_code=0
dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || {
dpkg_statoverride_list_exit_code=$?
true
}
if test "${dpkg_statoverride_list_exit_code}" = "0"; then
local grep_line
grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}"
if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then
2024-07-23 12:46:47 -04:00
log info "The owner/group/mode matches fso entry. No further action required."
2024-01-02 06:17:16 -05:00
else
2024-07-23 12:46:47 -04:00
log info "The owner/group/mode does not match fso entry, updating entry."
2024-01-02 06:17:16 -05:00
## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /"
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
2024-07-23 12:46:47 -04:00
log info "Existing mode already saved previously. Not saving again."
2024-01-02 06:17:16 -05:00
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
fi
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
## Remove from and add to real database.
2024-07-22 11:06:07 -04:00
echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}"
echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
## Save in separate database.
## Not using --update as this is only for saving.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
fi
2019-12-21 04:08:35 -05:00
else
2024-07-23 12:46:47 -04:00
log info "There is no fso entry, adding one."
2024-01-02 06:17:16 -05:00
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
2024-07-23 12:46:47 -04:00
log info "Existing mode already saved previously. Not saving again."
2024-01-02 06:17:16 -05:00
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
fi
## Add to real database.
2024-07-22 11:06:07 -04:00
echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
## Save in separate database.
## Not using --update as this is only for saving.
# shellcheck disable=SC2086
2024-07-22 11:06:07 -04:00
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
2024-01-02 06:17:16 -05:00
fi
fi
if test -z "${capability_from_config}"; then
continue
fi
if test "${capability_from_config}" = "none"; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
## sudo setcap -r /bin/ping 2>/dev/null
## Failed to set capabilities on file '/bin/ping' (No data available)
## The value of the capability argument is not permitted for a file. Or
## the file is not a regular (non-symlink) file
## Therefore use echo_wrapper_ignore.
2024-07-22 11:06:07 -04:00
echo_wrapper_ignore verbose setcap -r "${fso}"
2024-01-02 06:17:16 -05:00
getcap_output="$(getcap "${fso}")"
if test -n "${getcap_output}"; then
exit_code=205
2024-07-23 12:46:47 -04:00
log error "Removing capabilities failed. File: '${fso}'" >&2
2024-01-02 06:17:16 -05:00
continue
fi
else
if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then
2024-07-23 12:46:47 -04:00
log error "Capability from config does not exist: '${capability_from_config}'" >&2
2024-01-02 06:17:16 -05:00
continue
2019-12-21 04:08:35 -05:00
fi
2024-01-02 06:17:16 -05:00
## feature request: dpkg-statoverride: support for capabilities
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
2024-07-22 11:06:07 -04:00
echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}"
2024-01-02 06:17:16 -05:00
fi
2024-07-23 12:46:47 -04:00
2024-01-02 06:17:16 -05:00
done <"${config_file}"
2024-07-23 12:46:47 -04:00
log info "END parsing config file: ${config_file}"
2024-01-02 06:17:16 -05:00
}
2019-12-21 04:08:35 -05:00
2024-01-02 06:17:16 -05:00
parse_config_folder() {
touch "${store_dir}/private/passwd"
chmod og-rwx "${store_dir}/private/passwd"
touch "${store_dir}/private/group"
chmod og-rwx "${store_dir}/private/group"
2019-12-21 04:08:35 -05:00
2024-01-02 06:17:16 -05:00
local passwd_file_contents_temp
## Query contents of password and group databases only once and buffer them
##
## If we don't buffer we sometimes get incorrect results when checking for
## entries using 'if getent passwd | grep --quiet '^root:'; ...' since
## 'grep' exits after the first match in this case causing 'getent' to
## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is
## set for this script.
passwd_file_contents_temp=$(getent passwd)
echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null
group_file_contents_temp=$(getent group)
echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null
2019-12-21 04:08:35 -05:00
2024-01-02 11:08:45 -05:00
#passwd_file_contents="$(cat "${store_dir}/private/passwd")"
#group_file_contents="$(cat "${store_dir}/private/group")"
2019-12-21 04:08:35 -05:00
2024-01-02 06:17:16 -05:00
shopt -s nullglob
for config_file in \
2024-01-02 07:34:29 -05:00
/etc/permission-hardener.d/*.conf \
/usr/local/etc/permission-hardener.d/*.conf \
2024-01-02 06:17:16 -05:00
/etc/permission-hardening.d/*.conf \
/usr/local/etc/permission-hardening.d/*.conf
do
set_file_perms
2024-07-23 12:46:47 -04:00
2024-01-02 06:17:16 -05:00
done
}
2019-12-20 05:59:05 -05:00
2024-01-02 06:17:16 -05:00
apply() {
check_root
make_store_dir
sanity_tests
parse_config_folder
2024-07-23 12:46:47 -04:00
log info "\
To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
2024-01-02 06:17:16 -05:00
sudo apt install --no-install-recommends meld
meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
2019-12-19 12:01:08 -05:00
}
2024-01-02 06:17:16 -05:00
spare() {
check_root
make_store_dir
remove_file="${1}"
exit_code=0
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
if test ! -f "${store_dir}/existing_mode/statoverride"; then
2024-07-24 09:15:02 -04:00
true "DEBUG: Stat file does not exist, hardening was not applied before."
2024-01-02 06:17:16 -05:00
return 0
fi
local line
2024-07-23 12:46:47 -04:00
while read -r line; do
2024-01-02 06:17:16 -05:00
## example line:
## root root 4755 /usr/lib/eject/dmcrypt-get-device
local owner group mode file_name
if ! read -r owner group mode file_name <<< "${line}"; then
exit_code=201
2024-07-23 12:46:47 -04:00
log error "Cannot parse line: ${line}" >&2
2024-01-02 06:17:16 -05:00
continue
fi
2024-07-23 12:46:47 -04:00
log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'"
2024-01-02 06:17:16 -05:00
if test "${remove_file}" = "all"; then
verbose=""
remove_one=false
else
if test "${remove_file}" = "${file_name}"; then
verbose="--verbose"
remove_one=true
2024-01-02 11:08:45 -05:00
echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null
2024-01-02 06:17:16 -05:00
else
2024-01-02 11:08:45 -05:00
echo "false" | tee "${store_dir}/remove_one" >/dev/null
continue
2019-12-20 08:02:30 -05:00
fi
2024-01-02 06:17:16 -05:00
fi
2019-12-23 00:36:41 -05:00
2024-01-02 06:17:16 -05:00
if test "${remove_one}" = "true"; then
set -o xtrace
fi
2019-12-08 11:49:28 -05:00
2024-01-02 06:17:16 -05:00
if test -e "${file_name}"; then
2024-01-02 11:08:45 -05:00
# shellcheck disable=SC2086
2024-01-02 06:17:16 -05:00
chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202
## chmod need to be run after chown since chown removes suid.
## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
2024-01-02 11:08:45 -05:00
# shellcheck disable=SC2086
2024-01-02 06:17:16 -05:00
chmod ${verbose} "${mode}" "${file_name}" || exit_code=203
else
2024-07-23 13:36:12 -04:00
log warn "File does not exist: ${file_name}"
2024-01-02 06:17:16 -05:00
fi
2020-12-01 05:14:48 -05:00
2024-01-02 06:17:16 -05:00
dpkg-statoverride --remove "${file_name}" &>/dev/null || true
# shellcheck disable=SC2086
dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true
# shellcheck disable=SC2086
dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true
2019-12-20 03:11:11 -05:00
2024-01-02 06:17:16 -05:00
if test "${remove_one}" = "true"; then
set +o xtrace
break
fi
2019-12-23 02:29:47 -05:00
2024-01-02 06:17:16 -05:00
done < "${store_dir}/existing_mode/statoverride"
2019-12-21 04:08:35 -05:00
2024-01-02 06:17:16 -05:00
if test ! "${remove_file}" = "all"; then
2024-01-02 11:08:45 -05:00
if test "$(cat "${store_dir}/remove_one")" = "false"; then
2024-07-23 12:46:47 -04:00
log info "No file was removed.
2019-12-23 00:36:41 -05:00
2024-07-23 03:55:02 -04:00
File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier.
2019-12-20 03:43:36 -05:00
2024-07-23 03:55:02 -04:00
This program expects the full path to the file. Example:
$0 disable /usr/bin/newgrp # absolute path: works
$0 disable newgrp # relative path: does not work
2019-12-08 11:49:28 -05:00
2024-01-02 06:17:16 -05:00
To remove all:
$0 disable all
2023-11-05 16:40:49 -05:00
2024-01-16 09:23:54 -05:00
This change might not be permanent. For full instructions, see:
2024-01-02 06:17:16 -05:00
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
2023-11-05 16:39:10 -05:00
2024-01-02 06:17:16 -05:00
To view list of changed by SUID Disabler and Permission Hardener:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
2022-06-07 04:03:56 -04:00
2024-01-02 06:17:16 -05:00
For re-enabling any specific SUID binary:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
For completely disabling SUID Disabler and Permission Hardener:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
fi
fi
2019-12-20 05:49:11 -05:00
}
2024-01-02 06:17:16 -05:00
check_root(){
if test "$(id -u)" != "0"; then
2024-07-23 12:46:47 -04:00
log error "Not running as root, aborting."
2024-01-02 06:17:16 -05:00
exit 1
fi
}
2019-12-20 02:01:36 -05:00
2024-01-02 06:17:16 -05:00
usage(){
echo "Usage: ${0##*/} enable
${0##*/} disable [FILE|all]
2023-11-06 16:36:22 -05:00
2024-01-02 06:17:16 -05:00
Examples:
${0##*/} enable
${0##*/} disable all
${0##*/} disable /usr/bin/newgrp" >&2
exit "${1}"
}
2023-11-06 16:36:22 -05:00
2024-01-02 06:17:16 -05:00
case "${1:-}" in
enable) shift; apply "$@";;
disable)
shift
case "${1:-}" in
2024-01-02 11:08:45 -05:00
"") usage 1;;
2024-01-02 06:17:16 -05:00
*) spare "${1}";;
esac
;;
-h|--help) usage 0;;
*) usage 1;;
esac
if test "${exit_code}" != "0"; then
2024-07-23 12:46:47 -04:00
log error "Exiting with non-zero exit code: '${exit_code}'" >&2
2019-12-20 11:05:05 -05:00
fi
2024-01-02 06:17:16 -05:00
exit "${exit_code}"