security-misc/etc/permission-hardening.d/30_default.conf

51 lines
1.4 KiB
Plaintext
Raw Normal View History

2019-12-19 12:01:33 -05:00
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
2019-12-20 05:54:16 -05:00
## Please use "/etc/permission-hardening.d/50_user.conf" or
## "/usr/local/etc/permission-hardening.d/50_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
2019-12-08 11:50:11 -05:00
## File permission hardening.
##
## Syntax:
## [filename] [mode] [owner] [group] [capability]
##
2019-12-19 12:01:33 -05:00
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
## argument.
2019-12-20 03:45:01 -05:00
2019-12-08 11:50:11 -05:00
/home/ 0755 root root
/home/user/ 0700 user user
/root/ 0700 root root
/boot/ 0700 root root
/etc/permission-hardening.conf 0600 root root
2019-12-19 12:01:33 -05:00
## Remove all SUID/SGID binaries/libraries.
/bin/ nosuid
/usr/bin/ nosuid
/usr/local/bin/ nosuid
/sbin/ nosuid
/usr/sbin/ nosuid
/usr/local/sbin/ nosuid
## Takes 1 minute to parse. No SUID binaries there by default.
## remount-secure mounts it with nosuid anyhow.
## Therefore no processing it here.
#/lib/ nosuid
2019-12-19 12:01:33 -05:00
/lib32/ nosuid
/lib64/ nosuid
/usr/lib/ nosuid
/usr/lib32/ nosuid
/usr/lib64/ nosuid
/usr/local/lib/ nosuid
/usr/local/lib32/ nosuid
/usr/local/lib64/ nosuid
## SUID whitelist.
/usr/bin/sudo 4755 root root
/usr/bin/bwrap 4755 root root
/usr/lib/policykit-1/polkit-agent-helper-1 4755 root root
/usr/lib/dbus-1.0/dbus-daemon-launch-helper 4754 root messagebus
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper 4755 root root
/usr/lib/x86_64-linux-gnu/utempter/utempter 2755 root utmp