Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener'

Patrick Schleizer 2025-01-15 09:33:57 -05:00
commit 2dfd30a44a
GPG Key ID: CB8D50BB77BB3C48
4 changed files with 57 additions and 3 deletions


@ -22,6 +22,8 @@ true "
"
check_migrate_permission_hardener_state() {
local modified_pkg_data_str custom_hardening_arr config_file
## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
if [ ! -d '/var/lib/permission-hardener' ]; then
return 0
@ -82,7 +84,10 @@ check_migrate_permission_hardener_state() {
'/etc/permission-hardener.d/30_default.conf'
)
readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
## This will exit non-zero if some of the packages don't exist, but we
## don't care. The packages that *are* installed will still be scanned.
modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true
readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
## If the above `dpkg -V` command doesn't return any permission-hardener
## related lines, the array will contain no meaningful info, just a single
## blank element at the start. Set the array to be explicitly empty in
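Review bot: The comment above the new `dpkg -V` call at the `modified_pkg_data_str=` line attributes the non-zero exit only to packages that are not installed, but `dpkg -V` also exits non-zero whenever any file fails verification — which is the very condition this function is scanning for — so the `|| true` is load-bearing on the success path too and the comment understates why it is there. The same `|| true` also hides genuine failures (dpkg unavailable, locked database), in which case `modified_pkg_data_str` is empty and the configs are presumably treated as unmodified without any message. Suggest the comment `## dpkg -V exits non-zero both when a listed package is not installed and when any file fails verification; both are expected here, so the status is ignored and only the output is used.` and, if distinguishing a dpkg error matters, capturing the status into a local (`rv=0; modified_pkg_data_str="$(...)" || rv=$?`) and logging it rather than discarding it. check_migrate_permission_hardener_state begins in the earlier hunk of this section and continues past this one.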


@ -38,6 +38,7 @@ permission_hardening() {
}
migrate_permission_hardener_state() {
local existing_mode_dir new_mode_dir dpkg_statoverride_list
## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
if [ ! -d '/var/lib/permission-hardener' ]; then
return 0
@ -48,8 +49,27 @@ migrate_permission_hardener_state() {
fi
mkdir --parents '/var/lib/security-misc/do_once'
mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
mkdir --parents "${existing_mode_dir}";
mkdir --parents "${new_mode_dir}";
cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
fi
fi
if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
fi
fi
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}
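Review bot: The `=~ '/usr/bin/sudo'` and `=~ '/usr/bin/pkexec'` tests at the two `if ! [[ … ]]` lines are substring matches over the whole `--list` output (a quoted right-hand side of `=~` is literal in bash), so an existing override for any path that merely contains that string — `/usr/bin/sudoedit`, for example — would satisfy the test and suppress the `--add`. `dpkg-statoverride --list` accepts a glob pattern and exits 1 when nothing matches, so the check can be made exact and the intermediate variable dropped: `if ! dpkg-statoverride --admindir "${new_mode_dir}" --list '/usr/bin/sudo' >/dev/null; then`, and likewise for pkexec. Note also that the `dpkg_statoverride_list="$(dpkg-statoverride … --list)"` capture itself exits 1 when the new_mode database holds no entries, which would abort the migration if this script runs under `set -e` and the copied legacy file were ever empty. migrate_permission_hardener_state begins in the earlier hunk of this section.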


@ -612,6 +612,11 @@ commit_policy() {
-- "${policy_file_item}"
fi
done
log notice "\
To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
}
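Review bot: The `meld` command line in the new `log notice` message interpolates `${store_dir}` without quotes, so the command a user is invited to paste breaks if the store path ever contains whitespace or shell metacharacters. Since this is text inside a double-quoted string, single quotes can be used as-is: `meld '${store_dir}/existing_mode/statoverride' '${store_dir}/new_mode/statoverride'"`. commit_policy begins outside this hunk.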
undo_policy_for_file() {


@ -0,0 +1,24 @@
root root 700 /etc/cron.monthly
root root 700 /etc/sudoers.d
root shadow 744 /usr/bin/expiry
root root 755 /usr/bin/umount
root root 744 /usr/bin/gpasswd
root root 700 /usr/lib/modules
root root 744 /usr/bin/newgrp
root root 700 /etc/cron.weekly
root root 744 /usr/bin/su
root root 700 /etc/cron.daily
root root 755 /bin/ping
root root 644 /etc/motd
root _ssh 744 /usr/bin/ssh-agent
root root 700 /boot
root shadow 744 /usr/bin/chage
root root 744 /usr/lib/openssh/ssh-keysign
root root 744 /usr/bin/chsh
root root 755 /usr/bin/passwd
root root 744 /usr/bin/chfn
root root 600 /etc/permission-hardener.d
root root 700 /usr/src
root root 755 /usr/bin/mount
root root 644 /etc/issue
root root 700 /etc/cron.d
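Review bot: The entries in this new statoverride seed are in no discernible order, which makes it harder to review against the existing-mode counterpart and to read future diffs; dpkg-statoverride does not depend on entry order, so sorting by path (the fourth column) would cost nothing. If this is the new-mode legacy file the migration copies into the v2 new_mode database, one spelling is worth confirming: `/bin/ping` sits alongside `/usr/bin/…` paths, and while both names reach the same file on merged-/usr systems, dpkg-statoverride matches on the literal path string, so it must be the spelling v1 actually recorded. Neither `/usr/bin/sudo` nor `/usr/bin/pkexec` appears here, which is presumably why the migration adds those two conditionally.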