Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-02 15:54:45 -05:00
Code Issues Packages Projects Releases Wiki Activity

SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists

Browse Source 
`whitelists_disable_all=true`
This commit is contained in:
Patrick Schleizer 2020-12-01 05:02:34 -05:00
parent 318ab570aa
commit 36a471ebce
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/permission-hardening.d/30_default.conf
View File

@ -15,6 +15,12 @@
## TODO: white spaces inside file name untested and probably will not work. ## TODO: white spaces inside file name untested and probably will not work.
######################################################################
# Global Settings
######################################################################
#whitelists_disable_all=true
###################################################################### ######################################################################
# SUID disablewhitelist # SUID disablewhitelist
###################################################################### ######################################################################

22
usr/lib/security-misc/permission-hardening
View File

@ -252,6 +252,12 @@ set_file_perms() {
exit "$exit_code" exit "$exit_code"
fi fi
if [ "$line" = 'whitelists_disable_all=true' ]; then
whitelists_disable_all=true
echo "INFO: whitelists_disable_all=true - all whitelists disabled."
continue
fi
#global fso #global fso
local mode_from_config owner_from_config group_from_config capability_from_config local mode_from_config owner_from_config group_from_config capability_from_config
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
@ -275,14 +281,22 @@ set_file_perms() {
fi fi
if [ "$mode_from_config" = "exactwhitelist" ]; then if [ "$mode_from_config" = "exactwhitelist" ]; then
## TODO: test/add white spaces inside file name support if [ "$whitelists_disable_all" = "true" ]; then
exact_white_list+="$fso " true "INFO: Not adding fso '$fso' to exact_white_list because whitelists_disable_all=true"
else
## TODO: test/add white spaces inside file name support
exact_white_list+="$fso "
fi
continue continue
fi fi
if [ "$mode_from_config" = "matchwhitelist" ]; then if [ "$mode_from_config" = "matchwhitelist" ]; then
## TODO: test/add white spaces inside file name support if [ "$whitelists_disable_all" = "true" ]; then
match_white_list+="$fso " true "INFO: Not adding fso '$fso' to matchwhitelist because whitelists_disable_all=true"
else
## TODO: test/add white spaces inside file name support
match_white_list+="$fso "
fi
continue continue
fi fi