Merge remote-tracking branch 'github-whonix/master'

etc/permission-hardening.d/25_default_sudo.conf

@@ -0,0 +1,19 @@
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## This restricts the file permissions of the sudo executable so that a vulnerability
+## in the program will not be exploitable by any users not in the "sudo" group. sudo
+## is a very complex program and is setuid so vulnerabilities in it can allow privilege
+## escalation, regardless of other root access restrictions. For example, the following
+## buffer overflow vulnerability could have been exploited by any user on the system:
+## https://www.openwall.com/lists/oss-security/2021/01/26/3
+## With this restriction, only users explicitly permitted to use sudo by being added to
+## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
+## compromised network-facing daemon (such as web servers, time synchronization daemons,
+## etc.)  running as its own user from exploiting sudo to escalate privileges.
+/usr/bin/sudo 4750 root sudo
+/bin/sudo 4750 root sudo