security-misc/usr/libexec/security-misc/permission-hardening

488 lines
19 KiB
Plaintext
Raw Normal View History

2019-12-08 11:49:28 -05:00
#!/bin/bash
2022-05-20 14:46:38 -04:00
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
2019-12-19 12:01:08 -05:00
## See the file COPYING for copying conditions.
2019-12-21 07:47:00 -05:00
## https://forums.whonix.org/t/disable-suid-binaries/7706
2019-12-20 06:34:37 -05:00
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-21 06:39:13 -05:00
## To view previous modes and how these were changed:
## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
2019-12-21 07:44:51 -05:00
## To undo:
## sudo /usr/libexec/security-misc/permission-hardening-undo
2019-12-21 07:44:51 -05:00
2019-12-20 02:08:05 -05:00
#set -x
2019-12-20 06:01:49 -05:00
set -e
2019-12-20 11:37:05 -05:00
set -o pipefail
2019-12-19 12:01:08 -05:00
exit_code=0
mkdir -p /var/lib/permission-hardening/existing_mode
mkdir -p /var/lib/permission-hardening/new_mode
dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
2019-12-20 11:03:22 -05:00
echo_wrapper_ignore() {
echo "run: $@"
2019-12-20 11:27:43 -05:00
"$@" 2>/dev/null || true
2019-12-20 11:03:22 -05:00
}
2019-12-23 01:32:42 -05:00
echo_wrapper_silent_ignore() {
#echo "run: $@"
"$@" 2>/dev/null || true
}
2019-12-20 11:03:22 -05:00
echo_wrapper_audit() {
2019-12-20 02:07:49 -05:00
echo "run: $@"
2019-12-20 11:07:44 -05:00
return_code=0
"$@" || \
{ \
return_code="$?" ; \
exit_code=203 ; \
2019-12-21 05:54:07 -05:00
echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \
2019-12-20 11:07:44 -05:00
};
2019-12-20 02:07:49 -05:00
}
echo_wrapper_silent_audit() {
2019-12-23 01:08:02 -05:00
#echo "run (debugging): $@"
return_code=0
"$@" || \
{ \
return_code="$?" ; \
exit_code=204 ; \
2019-12-21 05:54:07 -05:00
echo "ERROR: above command '$@' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \
};
}
2019-12-23 00:59:24 -05:00
sanity_tests() {
2019-12-23 01:08:02 -05:00
echo_wrapper_silent_audit which \
2019-12-23 01:09:57 -05:00
capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null
2019-12-23 00:59:24 -05:00
}
2019-12-20 04:08:46 -05:00
add_nosuid_statoverride_entry() {
local fso_to_process
fso_to_process="$fso"
local should_be_counter
should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true
local counter_actual
counter_actual=0
local line
while read -r line; do
true "line: $line"
counter_actual="$(( counter_actual + 1 ))"
local arr file_name existing_mode existing_owner existing_group
arr=($line)
file_name="${arr[0]}"
existing_mode="${arr[1]}"
existing_owner="${arr[2]}"
existing_group="${arr[3]}"
if [ "$arr" = "" ]; then
echo "ERROR: arr is empty. line: '$line'" >&2
continue
fi
if [ "$file_name" = "" ]; then
echo "ERROR: file_name is empty. line: '$line'" >&2
continue
fi
if [ "$existing_mode" = "" ]; then
echo "ERROR: existing_mode is empty. line: '$line'" >&2
continue
fi
if [ "$existing_owner" = "" ]; then
echo "ERROR: existing_owner is empty. line: '$line'" >&2
continue
fi
if [ "$existing_group" = "" ]; then
echo "ERROR: existing_group is empty. line: '$line'" >&2
continue
fi
2019-12-19 12:01:08 -05:00
## -h file True if file is a symbolic Link.
## -u file True if file has its set-user-id bit set.
## -g file True if file has its set-group-id bit set.
2019-12-20 02:43:33 -05:00
if test -h "$file_name" ; then
2019-12-24 18:09:37 -05:00
## https://forums.whonix.org/t/disable-suid-binaries/7706/14
true "skip symlink: $file_name"
continue
fi
if test -d "$file_name" ; then
true "skip directory: $file_name"
continue
fi
local setuid setuid_output setsgid setsgid_output
setuid=""
setuid_output=""
if test -u "$file_name" ; then
setuid=true
setuid_output="set-user-id"
fi
setsgid=""
setsgid_output=""
if test -g "$file_name" ; then
setsgid=true
setsgid_output="set-group-id"
fi
local setuid_or_setsgid
setuid_or_setsgid=""
if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
setuid_or_setsgid=true
fi
if [ "$setuid_or_setsgid" = "" ]; then
continue
2019-12-20 04:08:46 -05:00
fi
## Remove suid / gid and execute permission for 'group' and 'others'.
## Similar to: chmod og-ugx /path/to/filename
## Removing execution permission is useful to make binaries such as 'su' fail closed rather
## than fail open if suid was removed from these.
## Do not remove read access since no security benefit and easier to manually undo for users.
## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
new_mode="744"
2019-12-20 06:32:04 -05:00
local is_exact_whitelisted
is_exact_whitelisted=""
for white_list_entry in $exact_white_list ; do
if [ "$file_name" = "$white_list_entry" ]; then
is_exact_whitelisted="true"
## Stop looping through the whitelist.
break
fi
done
local is_match_whitelisted
is_match_whitelisted=""
for matchwhite_list_entry in $match_white_list ; do
if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
is_match_whitelisted="true"
## Stop looping through the match_white_list.
break
fi
done
local is_disable_whitelisted
is_disable_whitelisted=""
for disablematch_list_entry in $disable_white_list ; do
2019-12-23 02:35:13 -05:00
if echo "$file_name" | grep -q "$disablematch_list_entry" ; then
is_disable_whitelisted="true"
## Stop looping through the disablewhitelist.
break
fi
done
if [ "$whitelists_disable_all" = "true" ]; then
true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
elif [ "$is_disable_whitelisted" = "true" ]; then
echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
else
if [ "$is_exact_whitelisted" = "true" ]; then
echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue
fi
if [ "$is_match_whitelisted" = "true" ]; then
echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
continue
fi
fi
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
2019-12-20 10:02:46 -05:00
2019-12-21 05:58:50 -05:00
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then
2019-12-21 06:22:46 -05:00
true "OK Existing mode already saved previously. No need to save again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
2019-12-21 05:54:39 -05:00
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name"
fi
## No need to check "dpkg-statoverride --list" for existing entries.
## If existing_mode was correct already, we would not have reached this point.
## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add.
## Remove from real database.
2019-12-23 01:35:45 -05:00
echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name"
## Remove from separate database.
2019-12-23 01:32:42 -05:00
echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name"
## Add to real database and use --update to make changes on disk.
echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name"
## Not using --update as this is only for recording.
2019-12-21 06:27:01 -05:00
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"
2019-12-20 05:59:05 -05:00
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
## https://forums.whonix.org/t/disable-suid-binaries/7706/17
done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} )
## Sanity test.
if [ ! "$should_be_counter" = "$counter_actual" ]; then
echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'"
echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'"
exit_code=202
echo "ERROR: counter does not check out." >&2
fi
2019-12-19 12:01:08 -05:00
}
2019-12-08 11:49:28 -05:00
set_file_perms() {
2019-12-23 00:36:41 -05:00
echo "INFO: START parsing config_file: '$config_file'"
local line
while read -r line || [[ -n "${line}" ]]; do
2019-12-23 00:36:41 -05:00
if [ "$line" = "" ]; then
continue
fi
2019-12-23 00:36:41 -05:00
if [[ "$line" =~ ^# ]]; then
2019-12-20 03:24:07 -05:00
continue
fi
2019-12-08 11:49:28 -05:00
2019-12-23 00:36:41 -05:00
if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
true "OK line contains only white listed characters."
else
exit_code=200
2019-12-29 04:27:21 -05:00
echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2
## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "$exit_code"
2019-12-20 02:20:54 -05:00
fi
2019-12-08 11:49:28 -05:00
if [ "$line" = 'whitelists_disable_all=true' ]; then
whitelists_disable_all=true
echo "INFO: whitelists_disable_all=true - all whitelists disabled."
continue
fi
2019-12-23 00:36:41 -05:00
#global fso
local mode_from_config owner_from_config group_from_config capability_from_config
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
exit_code=201
2019-12-29 04:27:21 -05:00
echo "ERROR: cannot parse. line: '$line'" >&2
2019-12-29 04:41:23 -05:00
## Debugging.
2019-12-29 04:42:54 -05:00
du -hs /tmp || true
2019-12-29 04:43:32 -05:00
echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "$exit_code"
2019-12-20 02:20:54 -05:00
fi
2019-12-20 03:11:11 -05:00
2019-12-23 00:36:41 -05:00
local fso_without_trailing_slash
fso_without_trailing_slash="${fso%/}"
if [ "$mode_from_config" = "disablewhitelist" ]; then
## TODO: test/add white spaces inside file name support
disable_white_list+="$fso "
continue
fi
if [ "$mode_from_config" = "exactwhitelist" ]; then
## TODO: test/add white spaces inside file name support
exact_white_list+="$fso "
continue
fi
2019-12-23 00:36:41 -05:00
if [ "$mode_from_config" = "matchwhitelist" ]; then
## TODO: test/add white spaces inside file name support
match_white_list+="$fso "
2019-12-23 00:36:41 -05:00
continue
fi
2019-12-23 00:36:41 -05:00
2019-12-23 00:59:43 -05:00
if [ ! -e "$fso" ]; then
2019-12-23 00:36:41 -05:00
echo "INFO: fso: '$fso' - does not exist. This is likely normal."
continue
fi
2019-12-23 00:36:41 -05:00
## Use dpkg-statoverride so permissions are not reset during upgrades.
if [ "$mode_from_config" = "nosuid" ]; then
## If mode_from_config is "nosuid" the config does not set owner and
## group. Therefore do not enforce owner/group check.
add_nosuid_statoverride_entry
2019-12-20 04:06:28 -05:00
else
2019-12-23 00:36:41 -05:00
local string_length_of_mode_from_config
string_length_of_mode_from_config="${#mode_from_config}"
if [ "$string_length_of_mode_from_config" -gt "4" ]; then
echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
continue
fi
if [ "$string_length_of_mode_from_config" -lt "3" ]; then
echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
continue
fi
if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
2019-12-23 00:36:41 -05:00
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
continue
fi
if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
2019-12-23 00:36:41 -05:00
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
continue
fi
local mode_for_grep
mode_for_grep="$mode_from_config"
first_character_of_mode_from_config="${mode_from_config::1}"
if [ "$first_character_of_mode_from_config" = "0" ]; then
## Remove leading '0'.
mode_for_grep="${mode_from_config:1}"
fi
local stat_output
stat_output=""
if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then
echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2
continue
fi
local arr file_name existing_mode existing_owner existing_group
arr=($stat_output)
file_name="${arr[0]}"
existing_mode="${arr[1]}"
existing_owner="${arr[2]}"
existing_group="${arr[3]}"
if [ "$arr" = "" ]; then
echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2
continue
fi
if [ "$file_name" = "" ]; then
echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2
continue
fi
if [ "$existing_mode" = "" ]; then
echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2
continue
fi
if [ "$existing_owner" = "" ]; then
echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2
continue
fi
if [ "$existing_group" = "" ]; then
echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2
continue
fi
## Check there is an entry for the fso.
##
## example: dpkg-statoverride --list | grep /home
## output:
## root root 755 /home
##
## dpkg-statoverride does not show leading '0'.
2019-12-23 01:20:56 -05:00
local dpkg_statoverride_list_output=""
local dpkg_statoverride_list_exit_code=0
dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? ; true; };
if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then
2019-12-23 00:36:41 -05:00
true "There is an fso entry. Check if owner/group/mode match."
2019-12-23 01:20:56 -05:00
local grep_line
grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"
if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then
2019-12-23 00:36:41 -05:00
true "OK The owner/group/mode matches. No further action required."
else
true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /"
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then
true "OK Existing mode already saved previously. No need to save again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash"
fi
2019-12-23 01:35:45 -05:00
echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash"
2019-12-23 00:36:41 -05:00
## Remove from and add to real database.
2019-12-23 01:35:45 -05:00
echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash"
2019-12-23 00:36:41 -05:00
echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
## Save in separate database.
## Not using --update as this is only for saving.
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
fi
else
true "There is no fso entry. Therefore add one."
if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then
true "OK Existing mode already saved previously. No need to save again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash"
fi
## Add to real database.
echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
## Save in separate database.
## Not using --update as this is only for saving.
echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash"
fi
2019-12-08 11:49:28 -05:00
fi
2019-12-23 00:36:41 -05:00
if [ "$capability_from_config" = "" ]; then
continue
2019-12-08 11:49:28 -05:00
fi
2019-12-20 03:43:36 -05:00
2019-12-23 00:36:41 -05:00
if [ "$capability_from_config" = "none" ]; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
2021-01-29 23:15:52 -05:00
# sudo setcap -r /bin/ping 2>/dev/null
# Failed to set capabilities on file `/bin/ping' (No data available)
2019-12-23 00:36:41 -05:00
# The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
## Therefore use echo_wrapper_ignore.
echo_wrapper_ignore setcap -r "$fso"
getcap_output="$(getcap "$fso")"
if [ ! "$getcap_output" = "" ]; then
exit_code=205
echo "ERROR: removing capabilities for fso '$fso' failed!" >&2
continue
fi
2019-12-23 00:36:41 -05:00
else
if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
continue
fi
2020-12-06 04:23:09 -05:00
## feature request: dpkg-statoverride: support for capabilities
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
2019-12-23 00:36:41 -05:00
echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso"
fi
done < "$config_file"
echo "INFO: END parsing config_file: '$config_file'"
2019-12-08 11:49:28 -05:00
}
parse_config_folder() {
# Query contents of password and group databases only once and buffer them
#
# If we dont buffer we sometimes get incorrect results when checking for entries using
# `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
# this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
# `set -o pipefail` is set for this script.
passwd_file_contents="$(getent passwd)"
group_file_contents="$(getent group)"
shopt -s nullglob
for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
set_file_perms
done
}
2019-12-23 00:59:24 -05:00
sanity_tests
parse_config_folder
2019-12-20 11:05:05 -05:00
if [ ! "$exit_code" = "0" ]; then
2019-12-21 06:16:38 -05:00
echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
2019-12-20 11:05:05 -05:00
fi
exit "$exit_code"