security-misc/usr/lib/security-misc/permission-hardening

#!/bin/bash

## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## https://forums.whonix.org/t/permission-hardening/8655
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707

#set -x
set -e

exit_code=0

echo_wrapper() {
   echo "run: $@"
   "$@"
}

add_nosuid_statoverride_entry() {
  fso_to_process="${fso_without_trailing_slash}/"
  counter=0
  while read -r line; do
    true "line: $line"
    counter="$(( counter + 1 ))"
    if ! read -r file_name existing_mode owner group; then
      echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2
      continue
    fi

    ## -h file      True if file is a symbolic Link.
    ## -u file      True if file has its set-user-id bit set.
    ## -g file      True if file has its set-group-id bit set.

    if test -h "$file_name" ; then
      ## https://forums.whonix.org/t/kernel-hardening/7296/323
      true "skip symlink: $file_name"
      continue
    fi

    setuid=""
    setuid_output=""
    if test -u "$file_name" ; then
      setuid=true
      setuid_output="set-user-id"
    fi
    setguid=""
    setguid_output=""
    if test -g "$file_name"; then
      setguid=true
      setguid_output="set-group-id"
    fi

    if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then
      string_length_of_existing_mode="${#existing_mode}"
      if [ "$string_length_of_existing_mode" = "4" ]; then
        new_mode="${existing_mode:1}"
      else
        new_mode="$existing_mode"
      fi

## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?
## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?
## Are there suid or guid binaries which are still useful if suid / guid has been removed from these?
## https://forums.whonix.org/t/permission-hardening/8655/10
#       if [ "$new_mode" = "755" ]; then
#         new_mode=744
#       fi
#       if [ "$new_mode" = "754" ]; then
#         new_mode=744
#       fi
#       if [ "$new_mode" = "745" ]; then
#         new_mode=744
#       fi

      echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"

      is_whitelisted=""
      for white_list_entry in $whitelist ; do
        if [ "$file_name" = "$white_list_entry" ]; then
          is_whitelisted="true"
          ## Stop looping through the whitelist.
          break
        fi
      done

      if [ "$is_whitelisted" = "true" ]; then
          echo "INFO: skip whitelisted: '$file_name'"
          continue
      fi

      if dpkg-statoverride --list | grep -q "$file_name"; then
        if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then
          echo_wrapper dpkg-statoverride --remove "$file_name"
          echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
        fi
      else
        echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
      fi
    fi

  ## /lib will hit ARG_MAX.
  ## https://forums.whonix.org/t/kernel-hardening/7296/326
  done < <( find "$fso_to_process" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} )

  echo "INFO: fso_to_process: '$fso_to_process' | counter: '$counter'"
}

set_file_perms() {
  while read -r line; do
    if [ "$line" = "" ]; then
      continue
    fi

    if [[ "$line" =~ ^# ]]; then
      continue
    fi

    if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
      true OK
    else
      exit_code=200
      echo "ERROR: cannot parse line with invalid character: $line" >&2
      continue
    fi

    if ! read -r fso mode_from_config owner group capability <<< "$line" ; then
      exit_code=201
      echo "ERROR: cannot parse line: $line" >&2
      continue
    fi

    if ! [ -e "$fso" ]; then
      echo "INFO: fso: '$fso' - does not exist. This is likely normal."
      continue
    fi

    fso_without_trailing_slash="${fso%/}"

    if [ "$mode_from_config" = "whitelist" ]; then
      whitelist+="$fso_without_trailing_slash "
      continue
    fi

    ## Use dpkg-statoverride  so permissions are not reset during upgrades.

    nosuid=""
    if [ "$mode_from_config" = "nosuid" ]; then
      nosuid="true"

      ## If mode_from_config is "nosuid" the config does not set owner and
      ## group. Therefore do not enforce owner/group check.

      add_nosuid_statoverride_entry
    else
      string_length_of_mode_from_config="${#mode_from_config}"
      if [ "$string_length_of_mode_from_config" -gt "4" ]; then
         echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
         continue
      fi
      if [ "$string_length_of_mode_from_config" -lt "3" ]; then
         echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
         continue
      fi

      if ! getent passwd | grep -q "^${owner}:"; then
         echo "ERROR: User '$owner' does not exist!" >&2
         continue
      fi

      if ! getent group | grep -q "^${group}:"; then
         echo "ERROR: Group '$group' does not exist!" >&2
         continue
      fi

      ## Check there is an entry for the fso.
      if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then
        ## There is an fso entry. Check if owner/group/mode match.
        if dpkg-statoverride --list | grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then
          ## The owner/group/mode matches. No further action required.
          true OK
        else
          ## The owner/group/mode do not match, therefore remove and re-add the entry to update it.
          ## fso_without_trailing_slash instead of fso to prevent
          ## "dpkg-statoverride: warning: stripping trailing /"
          echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash"
          echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
        fi
      else
        ## There is no fso entry. Therefore add one.
        echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
      fi
    fi

    if [ "$capability" = "" ]; then
      continue
    fi

    if [ "$capability" = "none" ]; then
      echo_wrapper setcap -r "$fso"
    else
      if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then
         echo "ERROR: Capability '$capability' does not exist!" >&2
         continue
      fi

      echo_wrapper setcap "${capability}+ep" "$fso"
    fi
  done < "$config_file"
}

parse_config_folder() {
  shopt -s nullglob
  for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
    set_file_perms
  done
}

parse_config_folder

exit "$exit_code"
Create permission-hardening 2019-12-08 11:49:28 -05:00			`#!/bin/bash`

Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
			`## See the file COPYING for copying conditions.`

comment 2019-12-20 06:34:37 -05:00			`## https://forums.whonix.org/t/permission-hardening/8655`
			`## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707`

disable xtrace 2019-12-20 02:08:05 -05:00			`#set -x`
enable 'set -e' 2019-12-20 06:01:49 -05:00			`set -e`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00
exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this 2019-12-20 02:01:36 -05:00			`exit_code=0`

add echo wrapper 2019-12-20 02:07:49 -05:00			`echo_wrapper() {`
			`echo "run: $@"`
use must manually enable permission-hardening.service until development finished 2019-12-20 05:22:59 -05:00			`"$@"`
add echo wrapper 2019-12-20 02:07:49 -05:00			`}`

refactoring 2019-12-20 04:08:46 -05:00			`add_nosuid_statoverride_entry() {`
count processed file system objects to be able to verify if any were "forgotten" 2019-12-20 08:54:56 -05:00			`fso_to_process="${fso_without_trailing_slash}/"`
			`counter=0`
refactoring 2019-12-20 04:08:46 -05:00			`while read -r line; do`
fix 2019-12-20 08:52:14 -05:00			`true "line: $line"`
count processed file system objects to be able to verify if any were "forgotten" 2019-12-20 08:54:56 -05:00			`counter="$(( counter + 1 ))"`
refactoring 2019-12-20 04:08:46 -05:00			`if ! read -r file_name existing_mode owner group; then`
output 2019-12-20 08:47:22 -05:00			`echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2`
refactoring 2019-12-20 04:08:46 -05:00			`continue`
			`fi`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00
refactoring 2019-12-20 04:08:46 -05:00			`## -h file True if file is a symbolic Link.`
			`## -u file True if file has its set-user-id bit set.`
			`## -g file True if file has its set-group-id bit set.`
comment 2019-12-20 02:43:33 -05:00
refactoring 2019-12-20 04:08:46 -05:00			`if test -h "$file_name" ; then`
			`## https://forums.whonix.org/t/kernel-hardening/7296/323`
			`true "skip symlink: $file_name"`
			`continue`
			`fi`
skip symlinks https://forums.whonix.org/t/kernel-hardening/7296/323? 2019-12-20 02:57:57 -05:00
improve output if set-user-id / set-group-id is set 2019-12-20 05:37:33 -05:00			`setuid=""`
			`setuid_output=""`
			`if test -u "$file_name" ; then`
			`setuid=true`
			`setuid_output="set-user-id"`
			`fi`
			`setguid=""`
			`setguid_output=""`
			`if test -g "$file_name"; then`
			`setguid=true`
			`setguid_output="set-group-id"`
			`fi`

fix 2019-12-20 06:11:38 -05:00			`if [ "$setuid" = "true" ] \|\| [ "$setguid" = "true" ]; then`
refactoring 2019-12-20 04:08:46 -05:00			`string_length_of_existing_mode="${#existing_mode}"`
			`if [ "$string_length_of_existing_mode" = "4" ]; then`
			`new_mode="${existing_mode:1}"`
			`else`
			`new_mode="$existing_mode"`
			`fi`
check string length of permission variable https://forums.whonix.org/t/kernel-hardening/7296/322 2019-12-20 02:39:53 -05:00
comment 2019-12-20 06:33:41 -05:00			`## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?`
			`## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?`
			`## Are there suid or guid binaries which are still useful if suid / guid has been removed from these?`
comment 2019-12-20 06:32:04 -05:00			`## https://forums.whonix.org/t/permission-hardening/8655/10`
			`# if [ "$new_mode" = "755" ]; then`
			`# new_mode=744`
			`# fi`
			`# if [ "$new_mode" = "754" ]; then`
			`# new_mode=744`
			`# fi`
			`# if [ "$new_mode" = "745" ]; then`
			`# new_mode=744`
			`# fi`

improve output if set-user-id / set-group-id is set 2019-12-20 05:37:33 -05:00			`echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' \| existing_mode: '$existing_mode' \| new_mode: '$new_mode'"`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00
do not remove suid from whitelisted binaries ever https://forums.whonix.org/t/permission-hardening/8655/13 2019-12-20 08:13:23 -05:00			`is_whitelisted=""`
			`for white_list_entry in $whitelist ; do`
			`if [ "$file_name" = "$white_list_entry" ]; then`
			`is_whitelisted="true"`
			`## Stop looping through the whitelist.`
			`break`
			`fi`
			`done`

			`if [ "$is_whitelisted" = "true" ]; then`
			`echo "INFO: skip whitelisted: '$file_name'"`
			`continue`
			`fi`

refactoring 2019-12-20 04:08:46 -05:00			`if dpkg-statoverride --list \| grep -q "$file_name"; then`
			`if ! dpkg-statoverride --list \| grep -q "$owner $group $new_mode $file_name"; then`
			`echo_wrapper dpkg-statoverride --remove "$file_name"`
fix 2019-12-20 03:03:40 -05:00			`echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`fi`
refactoring 2019-12-20 04:08:46 -05:00			`else`
			`echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`fi`
refactoring 2019-12-20 04:08:46 -05:00			`fi`
minor 2019-12-20 05:59:05 -05:00
comment 2019-12-20 04:48:57 -05:00			`## /lib will hit ARG_MAX.`
			`## https://forums.whonix.org/t/kernel-hardening/7296/326`
count processed file system objects to be able to verify if any were "forgotten" 2019-12-20 08:54:56 -05:00			`done < <( find "$fso_to_process" -print0 \| xargs -I{} -0 stat -c "%n %a %U %G" {} )`

			`echo "INFO: fso_to_process: '$fso_to_process' \| counter: '$counter'"`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`}`

Create permission-hardening 2019-12-08 11:49:28 -05:00			`set_file_perms() {`
read -r; refactoring as per https://mywiki.wooledge.org/BashFAQ/001 2019-12-09 02:23:43 -05:00			`while read -r line; do`
improve character whitelisting 2019-12-20 01:58:35 -05:00			`if [ "$line" = "" ]; then`
refactoring 2019-12-20 01:31:37 -05:00			`continue`
			`fi`
Create permission-hardening 2019-12-08 11:49:28 -05:00
improve character whitelisting 2019-12-20 01:58:35 -05:00			`if [[ "$line" =~ ^# ]]; then`
			`continue`
			`fi`

			`if [[ "$line" =~ [0-9a-zA-Z/] ]]; then`
			`true OK`
			`else`
exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this 2019-12-20 02:01:36 -05:00			`exit_code=200`
refactoring 2019-12-20 03:02:26 -05:00			`echo "ERROR: cannot parse line with invalid character: $line" >&2`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`continue`
			`fi`

refactoring 2019-12-20 03:13:27 -05:00			`if ! read -r fso mode_from_config owner group capability <<< "$line" ; then`
exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this 2019-12-20 02:01:36 -05:00			`exit_code=201`
refactoring 2019-12-20 03:02:26 -05:00			`echo "ERROR: cannot parse line: $line" >&2`
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00			`continue`
			`fi`
Create permission-hardening 2019-12-08 11:49:28 -05:00
refactoring 2019-12-20 03:40:47 -05:00			`if ! [ -e "$fso" ]; then`
output 2019-12-20 05:58:42 -05:00			`echo "INFO: fso: '$fso' - does not exist. This is likely normal."`
Create permission-hardening 2019-12-08 11:49:28 -05:00			`continue`
			`fi`

refactoring 2019-12-20 03:42:09 -05:00			`fso_without_trailing_slash="${fso%/}"`

do not remove suid from whitelisted binaries ever https://forums.whonix.org/t/permission-hardening/8655/13 2019-12-20 08:13:23 -05:00			`if [ "$mode_from_config" = "whitelist" ]; then`
			`whitelist+="$fso_without_trailing_slash "`
			`continue`
			`fi`

refactoring 2019-12-20 04:06:28 -05:00			`## Use dpkg-statoverride so permissions are not reset during upgrades.`

Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`nosuid=""`
refactoring 2019-12-20 03:13:27 -05:00			`if [ "$mode_from_config" = "nosuid" ]; then`
Support for removing SUID bits 2019-12-19 12:01:08 -05:00			`nosuid="true"`
refactoring 2019-12-20 03:25:17 -05:00
			`## If mode_from_config is "nosuid" the config does not set owner and`
			`## group. Therefore do not enforce owner/group check.`
refactoring 2019-12-20 04:06:28 -05:00
refactoring 2019-12-20 04:08:46 -05:00			`add_nosuid_statoverride_entry`
refactoring 2019-12-20 03:24:07 -05:00			`else`
fix mode sanity check no longer use seq due to issue https://forums.whonix.org/t/permission-hardening/8655/13 2019-12-20 08:02:30 -05:00			`string_length_of_mode_from_config="${#mode_from_config}"`
			`if [ "$string_length_of_mode_from_config" -gt "4" ]; then`
			`echo "ERROR: Mode '$mode_from_config' is invalid!" >&2`
			`continue`
			`fi`
			`if [ "$string_length_of_mode_from_config" -lt "3" ]; then`
refactoring 2019-12-20 03:24:07 -05:00			`echo "ERROR: Mode '$mode_from_config' is invalid!" >&2`
			`continue`
			`fi`
Create permission-hardening 2019-12-08 11:49:28 -05:00
code simplification 2019-12-20 02:20:54 -05:00			`if ! getent passwd \| grep -q "^${owner}:"; then`
refactoring 2019-12-20 03:02:26 -05:00			`echo "ERROR: User '$owner' does not exist!" >&2`
code simplification 2019-12-20 02:20:54 -05:00			`continue`
			`fi`
Create permission-hardening 2019-12-08 11:49:28 -05:00
code simplification 2019-12-20 02:20:54 -05:00			`if ! getent group \| grep -q "^${group}:"; then`
refactoring 2019-12-20 03:02:26 -05:00			`echo "ERROR: Group '$group' does not exist!" >&2`
code simplification 2019-12-20 02:20:54 -05:00			`continue`
			`fi`
comment 2019-12-20 03:11:11 -05:00
refactoring 2019-12-20 04:06:28 -05:00			`## Check there is an entry for the fso.`
			`if dpkg-statoverride --list \| grep -q "$fso_without_trailing_slash"; then`
			`## There is an fso entry. Check if owner/group/mode match.`
refactoring 2019-12-20 04:20:05 -05:00			`if dpkg-statoverride --list \| grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then`
			`## The owner/group/mode matches. No further action required.`
			`true OK`
			`else`
refactoring 2019-12-20 04:06:28 -05:00			`## The owner/group/mode do not match, therefore remove and re-add the entry to update it.`
			`## fso_without_trailing_slash instead of fso to prevent`
			`## "dpkg-statoverride: warning: stripping trailing /"`
			`echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash"`
refactoring 2019-12-20 04:08:46 -05:00			`echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"`
refactoring 2019-12-20 04:06:28 -05:00			`fi`
			`else`
			`## There is no fso entry. Therefore add one.`
refactoring 2019-12-20 04:08:46 -05:00			`echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"`
Create permission-hardening 2019-12-08 11:49:28 -05:00			`fi`
			`fi`

refactoring 2019-12-20 03:43:36 -05:00			`if [ "$capability" = "" ]; then`
			`continue`
			`fi`
Create permission-hardening 2019-12-08 11:49:28 -05:00
refactoring 2019-12-20 03:43:36 -05:00			`if [ "$capability" = "none" ]; then`
			`echo_wrapper setcap -r "$fso"`
			`else`
			`if ! capsh --print \| grep "Bounding set" \| grep -q "$capability"; then`
			`echo "ERROR: Capability '$capability' does not exist!" >&2`
			`continue`
Create permission-hardening 2019-12-08 11:49:28 -05:00			`fi`
refactoring 2019-12-20 03:43:36 -05:00
			`echo_wrapper setcap "${capability}+ep" "$fso"`
Create permission-hardening 2019-12-08 11:49:28 -05:00			`fi`
refactoring 2019-12-20 03:46:50 -05:00			`done < "$config_file"`
Create permission-hardening 2019-12-08 11:49:28 -05:00			`}`

parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00			`parse_config_folder() {`
			`shopt -s nullglob`
			`for config_file in /etc/permission-hardening.d/.conf /usr/local/etc/permission-hardening.d/.conf; do`
			`set_file_perms`
			`done`
			`}`

			`parse_config_folder`
exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this 2019-12-20 02:01:36 -05:00
			`exit "$exit_code"`