Patrick Schleizer 2024-07-24 11:19:15 -04:00
parent c9fd2ceb61
commit 151ca659a9
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -64,7 +64,7 @@ add_nosuid_statoverride_entry() {
local dummy_line local dummy_line
while IFS="" read -r -d "" dummy_line; do while IFS="" read -r -d "" dummy_line; do
log info "Test would parse line: ${dummy_line}" log info "Test would parse line: '${dummy_line}'"
should_be_counter=$((should_be_counter + 1)) should_be_counter=$((should_be_counter + 1))
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0)
@ -77,7 +77,7 @@ add_nosuid_statoverride_entry() {
file_name="${line}" file_name="${line}"
if test -z "${file_name}"; then if test -z "${file_name}"; then
log error "File name is empty in line: ${line}" >&2 log error "File name is empty in line: '${line}'" >&2
continue continue
fi fi
@ -107,21 +107,21 @@ file_name_from_stat: '${file_name_from_stat}'" >&2
fi fi
if test -z "${existing_mode}"; then if test -z "${existing_mode}"; then
log error "Existing mode is empty in line: ${line}" >&2 log error "Existing mode is empty in line: '${line}'" >&2
continue continue
fi fi
if test -z "${existing_owner}"; then if test -z "${existing_owner}"; then
log error "Existing owner is empty in line: ${line}" >&2 log error "Existing owner is empty in line: '${line}'" >&2
continue continue
fi fi
if test -z "${existing_group}"; then if test -z "${existing_group}"; then
log error "Existing group is empty in line: ${line}" >&2 log error "Existing group is empty in line: '${line}'" >&2
continue continue
fi fi
## dpkg-statoverride: error: path may not contain newlines ## dpkg-statoverride: error: path may not contain newlines
if [[ "${file_name}" == *$'\n'* ]]; then if [[ "${file_name}" == *$'\n'* ]]; then
log warn "Skipping file name that contains newlines: ${file_name}" >&2 log warn "Skipping file name that contains newlines: '${file_name}'" >&2
continue continue
fi fi
@ -131,12 +131,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2
if test -h "${file_name}"; then if test -h "${file_name}"; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/14 ## https://forums.whonix.org/t/disable-suid-binaries/7706/14
log info "Skip symlink: ${file_name}" log info "Skip symlink: '${file_name}'"
continue continue
fi fi
if test -d "${file_name}"; then if test -d "${file_name}"; then
log info "Skip directory: ${file_name}" log info "Skip directory: '${file_name}'"
continue continue
fi fi
@ -214,7 +214,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2
local clean_output_prefix clean_output local clean_output_prefix clean_output
clean_output_prefix="Managing (S|G)UID of line:" clean_output_prefix="Managing (S|G)UID of line:"
clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" clean_output="setuid='${setuid_output}' setgid='${setsgid_output}' existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'"
if test "${whitelists_disable_all:-}" = "true"; then if test "${whitelists_disable_all:-}" = "true"; then
log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}"
elif test "${is_disable_whitelisted}" = "true"; then elif test "${is_disable_whitelisted}" = "true"; then
@ -225,7 +225,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2
continue continue
fi fi
if test "${is_match_whitelisted}" = "true"; then if test "${is_match_whitelisted}" = "true"; then
log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}" log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}"
continue continue
fi fi
fi fi
@ -273,7 +273,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2
} }
set_file_perms() { set_file_perms() {
log info "START parsing config file: ${config_file}" log info "START parsing config file: '${config_file}'"
local line local line
while read -r line || test -n "${line}"; do while read -r line || test -n "${line}"; do
if test -z "${line}"; then if test -z "${line}"; then
@ -286,7 +286,7 @@ set_file_perms() {
if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
exit_code=200 exit_code=200
log error "Line contains invalid characters: ${line}" >&2 log error "Line contains invalid characters: '${line}'" >&2
## Safer to exit with error in this case. ## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59 ## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "${exit_code}" exit "${exit_code}"
@ -311,7 +311,7 @@ set_file_perms() {
exit "${exit_code}" exit "${exit_code}"
fi fi
log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}" log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'"
## Debugging. ## Debugging.
#echo "line: '${line}'" #echo "line: '${line}'"
@ -516,7 +516,7 @@ set_file_perms() {
fi fi
done <"${config_file}" done <"${config_file}"
log info "END parsing config file: ${config_file}" log info "END parsing config file: '${config_file}'"
} }
parse_config_folder() { parse_config_folder() {
@ -587,10 +587,10 @@ spare() {
local owner group mode file_name local owner group mode file_name
if ! read -r owner group mode file_name <<< "${line}"; then if ! read -r owner group mode file_name <<< "${line}"; then
exit_code=201 exit_code=201
log error "Cannot parse line: ${line}" >&2 log error "Cannot parse line: '${line}'" >&2
continue continue
fi fi
log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'"
if test "${remove_file}" = "all"; then if test "${remove_file}" = "all"; then
verbose="" verbose=""
@ -618,7 +618,7 @@ spare() {
# shellcheck disable=SC2086 # shellcheck disable=SC2086
chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203
else else
log info "File does not exist: ${file_name}" log info "File does not exist: '${file_name}'"
fi fi
dpkg-statoverride --remove "${file_name}" &>/dev/null || true dpkg-statoverride --remove "${file_name}" &>/dev/null || true