mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Merge remote-tracking branch 'github-whonix/master'
This commit is contained in:
commit
30d1ce36af
19
etc/permission-hardening.d/25_default_sudo.conf
Normal file
19
etc/permission-hardening.d/25_default_sudo.conf
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||||
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
## Please use "/etc/permission-hardening.d/20_user.conf" or
|
||||||
|
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
|
||||||
|
## configuration. When security-misc is updated, this file may be overwritten.
|
||||||
|
|
||||||
|
## This restricts the file permissions of the sudo executable so that a vulnerability
|
||||||
|
## in the program will not be exploitable by any users not in the "sudo" group. sudo
|
||||||
|
## is a very complex program and is setuid so vulnerabilities in it can allow privilege
|
||||||
|
## escalation, regardless of other root access restrictions. For example, the following
|
||||||
|
## buffer overflow vulnerability could have been exploited by any user on the system:
|
||||||
|
## https://www.openwall.com/lists/oss-security/2021/01/26/3
|
||||||
|
## With this restriction, only users explicitly permitted to use sudo by being added to
|
||||||
|
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
|
||||||
|
## compromised network-facing daemon (such as web servers, time synchronization daemons,
|
||||||
|
## etc.) running as its own user from exploiting sudo to escalate privileges.
|
||||||
|
/usr/bin/sudo 4750 root sudo
|
||||||
|
/bin/sudo 4750 root sudo
|
Loading…
Reference in New Issue
Block a user