Merge branch 'master' into PAM-tmp-files-hardening

2024-10-01 08:25:45 -04:00 · 2023-11-03 12:08:50 -04:00 · 2023-11-03 12:08:50 -04:00 · 2a602e78d6
commit 2a602e78d6
parent 3ee4be652b ceffd2b3ee
6 changed files with 147 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -314,6 +314,8 @@ See:

 ### Strong user account separation

+#### Permission Lockdown
+
 Read, write and execute access for "others" are removed during package
 installation, upgrade or PAM `mkhomedir` for all users who have home
 folders in `/home` by running, for example:
@ -333,6 +335,30 @@ See:
 * `/usr/libexec/security-misc/permission-lockdown`
 * `/usr/share/pam-configs/mkhomedir-security-misc`

+#### umask
+
+Default `umask` is set to `027` for files created by non-root users
+such as for example user `user`.
+
+This is doing using pam module `pam_mkhomedir.so umask=027`.
+
+This means, files created by non-root users cannot be read by other
+non-root users by default. While Permission Lockdown already protects
+the `/home` folder, this protects other folders such as `/tmp`.
+
+`group` read permissions are not removed.
+This is unnecessary due to Debian's use of User Private Groups (UPGs).
+See also: https://wiki.debian.org/UserPrivateGroups
+
+Default `umask` is unchanged for root, because then configuration files
+created in `/etc` by the system administrator would be unreadable by
+"others" and break applications. Examples include `/etc/firefox-esr` and
+`/etc/thunderbird`.
+
+See:
+
+* `/usr/share/pam-configs/umask-security-misc`
+
 ### SUID / SGID removal and permission hardening

 Not enabled by default yet.
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,77 @@
+commit cdd66ee3762c441843d421a9e6b11a20580ed7ac
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 10:48:46 2023 -0400
+
+    wrap-and-sort
+
+commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 10:44:48 2023 -0400
+
+    readme
+
+commit d71ac03d96c9861513ff56c68aec9090ef5c50bb
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 10:36:15 2023 -0400
+
+    comment
+
+commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 10:33:02 2023 -0400
+
+    bumped changelog version
+
+commit b85d48eb83005da8fd9edc658c71493f407e3670
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 10:31:59 2023 -0400
+
+    do not change default umask for root
+    
+    since this causes permission issues in `/etc/`
+    
+    https://github.com/Kicksecure/security-misc/pull/151
+
+commit 07540db90d60b10cbd10881b0024d8e8871330de
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 09:45:12 2023 -0400
+
+    Revert "Revert "set default umask to 027""
+    
+    This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af.
+
+commit f8913ceb2e2fdd274011377c41b5d08e7459e4af
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 09:43:44 2023 -0400
+
+    Revert "set default umask to 027"
+    
+    This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10.
+
+commit 43bd789c30a562aa60349d019107277a428aece8
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 09:28:08 2023 -0400
+
+    bumped changelog version
+
+commit cd216095eb8d9387437e653d7764ec765ce42a10
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 3 09:12:24 2023 -0400
+
+    set default umask to 027
+    
+    using package libpam-umask
+    
+    https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19
+    
+    https://github.com/Kicksecure/security-misc/pull/151
+
+commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 1 12:26:21 2023 -0400
+
+    bumped changelog version
+
 commit bb14a058520b13e242fea9f3022c439c4677bd1d
 Merge: 5ed2a5c 44906e8
 Author: Patrick Schleizer <adrelanos@whonix.org>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,21 @@
+security-misc (3:32.7-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Fri, 03 Nov 2023 16:06:43 +0000
+
+security-misc (3:32.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Fri, 03 Nov 2023 14:33:02 +0000
+
+security-misc (3:32.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Fri, 03 Nov 2023 13:28:08 +0000
+
 security-misc (3:32.4-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/debian/control
+++ b/debian/control
@ -5,7 +5,10 @@ Source: security-misc
 Section: misc
 Priority: optional
 Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
-Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor
+Build-Depends: config-package-dev,
+               debhelper (>= 13),
+               debhelper-compat (= 13),
+               dh-apparmor
 Homepage: https://www.kicksecure.com/wiki/Security-misc
 Vcs-Browser: https://github.com/Kicksecure/security-misc
 Vcs-Git: https://github.com/Kicksecure/security-misc.git
@ -14,10 +17,22 @@ Rules-Requires-Root: no

 Package: security-misc
 Architecture: all
-Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
- apparmor-profile-dist, helper-scripts, libpam-modules-bin, libpam-tmpdir,
- secure-delete, dmsetup, ${misc:Depends}
 Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
+Depends: adduser,
+         apparmor-profile-dist,
+         dmsetup,
+         helper-scripts,
+         libcap2-bin,
+         libglib2.0-bin,
+         libpam-modules-bin,
+         libpam-tmpdir,
+         libpam-runtime,
+         libpam-umask,
+         python3,
+         secure-delete,
+         sudo,
+         ${misc:Depends}
+Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable
 Description: Enhances Miscellaneous Security Settings
 https://github.com/Kicksecure/security-misc/blob/master/README.md
 .
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@ -48,6 +48,8 @@ home_folder_access_rights_lockdown() {
      ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux
      ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command
      ## required to run is sudo addgroup user1 user2.
+      ## See also: user private groups UPGs
+      ## https://wiki.debian.org/UserPrivateGroups
      echo "$0: chmod o-rwx \"$folder_name\""
      chmod o-rwx "$folder_name"
      touch "/var/cache/security-misc/state-files/$user"
--- a/usr/share/pam-configs/umask-security-misc
+++ b/usr/share/pam-configs/umask-security-misc
@ -0,0 +1,8 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	[success=1 default=ignore]	pam_succeed_if.so uid eq 0
+	optional	pam_umask.so umask=027