From 1708a03e1edda821ef091f10c46d32f740511d38 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Thu, 28 Nov 2024 15:20:57 -0600
Subject: [PATCH 1/3] Enable umask hardening

---
 README.md | 14 +++++++++-----
 etc/sudoers.d/security-misc | 5 +++++
 usr/share/pam-configs/umask-security-misc | 8 ++++++++
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 usr/share/pam-configs/umask-security-misc

diff --git a/README.md b/README.md
index c23d261..6117830 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - + - Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
@@ -573,9 +573,7 @@ See: #### umask Default `umask` is set to `027` for files created by non-root users such as -user `user`. Broken. Disabled. See: - -* https://github.com/Kicksecure/security-misc/issues/184 +user `user`. This is done using the PAM module `pam_mkhomedir.so umask=027`.
@@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups Default `umask` is unchanged for root because then configuration files created in `/etc` by the system administrator would be unreadable by "others" and break -applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. +applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The +`umask` is also set to 022 via `sudoers` configuration, so that files created +as root are world-readable even when using commands such as `sudo vi +/etc/file` or `sudo -i; touch /etc/file`. + +`umask` is set to 022 rather than 027 when using `sudo`, so that commands such +as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` See:
diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index 7084b1f..591eede 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -3,3 +3,8 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+Defaults umask_override
+Defaults umask=0022
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 0000000..6436a56
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,8 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ [success=1 default=ignore] pam_succeed_if.so uid eq 0
+ optional pam_umask.so umask=027
From 93b51819d4693955936456916188b4118fe68a66 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 6 Dec 2024 09:47:08 -0500
Subject: [PATCH 2/3] permission hardener mount chmod change from `745` to `755`

https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 54b22a6..08965b8 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -13,5 +13,5 @@
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 745 root root
-/usr/bin/mount 745 root root
+/bin/mount 755 root root
+/usr/bin/mount 755 root root
From 5b88e92e5c4b951e659e1574fc248bd11158dfb2 Mon Sep 17 00:00:00 2001
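Review bot: `Defaults umask=0022` on the two added lines applies to every sudo target user, not only root, so a command run via `sudo -u <other user>` also gets the looser 022 mask that the accompanying PAM config withholds from non-root sessions. If the intent is only that files created as root stay world-readable, the runas-scoped form limits it to that case: `Defaults>root umask_override` and `Defaults>root umask=0022`. The comment's note that the value can be overridden via `.[z]profile` holds only for login shells such as `sudo -i`; a plain `sudo cmd` never reads those files, so the comment could say "for sudo -i login shells". The README paragraph added for this change in the same patch ends mid-sentence after the `sudo -i; touch /etc/file` example and largely repeats the paragraph before it.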
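Review bot: `Session-Interactive-Only: yes` keeps the `pam_umask.so umask=027` line out of the non-interactive session stack, so sessions opened there (cron jobs, for example) keep the stock umask rather than 027; if that is intended, the README's umask section should say so, and if not, dropping that field applies the entry to both stacks. The README text added in the same patch attributes the 027 umask to `pam_mkhomedir.so umask=027`, but the module configured here is `pam_umask.so`, and pam_mkhomedir's umask option only governs the mode of a newly created home directory, so the README should name `pam_umask.so`. As far as I recall pam_succeed_if logs the result of its check unless told not to, so `[success=1 default=ignore] pam_succeed_if.so quiet uid eq 0` would avoid a syslog line on every root session.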
From: Patrick Schleizer
Date: Fri, 6 Dec 2024 09:48:58 -0500
Subject: [PATCH 3/3] permission hardner: treat `mount` the same way we treat `umount`

Thanks to @the-moog for the bug report!
fixes https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 08965b8..c0a4f96 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -10,8 +10,12 @@
 ## SUID will be removed below in separate step.
 /bin/mount exactwhitelist
 /usr/bin/mount exactwhitelist
+/bin/umount exactwhitelist
+/usr/bin/umount exactwhitelist
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 /bin/mount 755 root root
 /usr/bin/mount 755 root root
+/bin/umount 755 root root
+/usr/bin/umount 755 root root
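Review bot: The comment `## Remove SUID from 'mount' but keep executable.` above the 755 entries now also covers the two added umount lines but still names only mount; updating it to `## Remove SUID from 'mount' and 'umount' but keep executable.` keeps the file self-describing. The same applies to the `## SUID will be removed below in separate step.` comment at the top of the hunk, which introduces the exactwhitelist block that now includes umount. Since umount loses SUID just as mount does, unprivileged users can no longer unmount entries that fstab marks `user`; if the README's permission hardener section mentions mount for this, umount should be listed alongside it.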