From 5941195e96880b8beb2a791d3c21f3a4c6d429eb Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Tue, 7 Jan 2025 14:10:46 -0600
Subject: [PATCH] Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory
---
 usr/lib/permission-hardener.d/25_default_passwd.conf | 1 -
 usr/lib/permission-hardener.d/25_default_sudo.conf | 1 -
 .../25_default_whitelist_bubblewrap.conf | 1 -
 usr/lib/permission-hardener.d/25_default_whitelist_mount.conf | 4 ----
 .../permission-hardener.d/25_default_whitelist_policykit.conf | 2 --
 usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf | 1 -
 6 files changed, 10 deletions(-)
diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf
index ef4a1d9..fb34f38 100644
--- a/usr/lib/permission-hardener.d/25_default_passwd.conf
+++ b/usr/lib/permission-hardener.d/25_default_passwd.conf
@@ -11,4 +11,3 @@
 #
 # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
 /usr/bin/passwd 0755 root root
-/bin/passwd 0755 root root
diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf
index 74aedca..e575449 100644
--- a/usr/lib/permission-hardener.d/25_default_sudo.conf
+++ b/usr/lib/permission-hardener.d/25_default_sudo.conf
@@ -17,4 +17,3 @@
 ## compromised network-facing daemon (such as web servers, time synchronization daemons,
 ## etc.) running as its own user from exploiting sudo to escalate privileges.
 #/usr/bin/sudo 4750 root sudo
-#/bin/sudo 4750 root sudo
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf
index 7c44b1a..f1e873f 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf
@@ -6,4 +6,3 @@
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/bwrap exactwhitelist
-/bin/bwrap exactwhitelist
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf
index bf86ba9..ac5e9d1 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf
@@ -8,14 +8,10 @@
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 ## Protect from 'chmod -x' (and SUID removal).
 ## SUID will be removed below in separate step.
-/bin/mount exactwhitelist
 /usr/bin/mount exactwhitelist
-/bin/umount exactwhitelist
 /usr/bin/umount exactwhitelist
 
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 755 root root
 /usr/bin/mount 755 root root
-/bin/umount 755 root root
 /usr/bin/umount 755 root root
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
index beb7531..8133fab 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
@@ -6,9 +6,7 @@
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/pkexec exactwhitelist
-/bin/pkexec exactwhitelist
 /usr/bin/pkexec.security-misc-orig exactwhitelist
-/bin/pkexec.security-misc-orig exactwhitelist
 
 ## TODO: research
 ## match both:
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
index a68564d..ee68aba 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
@@ -6,4 +6,3 @@
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/sudo exactwhitelist
-/bin/sudo exactwhitelist