Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-11 16:25:00 -04:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse source
This commit is contained in:
Patrick Schleizer 2024-12-19 00:17:44 -05:00
commit 4f681be774
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
4 changed files with 28 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

14
README.md
View file

@ -46,7 +46,7 @@ Kernel space:
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - Force the kernel to panic on both "oopses", which can potentially indicate and thwart
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - Optional - Force immediate reboot on the occurrence of a single kernel panic and also
(when using Linux kernel >= 6.2) limit the number of allowed panics to one. (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
@ -573,9 +573,7 @@ See:
#### umask #### umask
Default `umask` is set to `027` for files created by non-root users such as Default `umask` is set to `027` for files created by non-root users such as
user `user`. Broken. Disabled. See: user `user`.
* https://github.com/Kicksecure/security-misc/issues/184
This is done using the PAM module `pam_mkhomedir.so umask=027`. This is done using the PAM module `pam_mkhomedir.so umask=027`.
@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups
Default `umask` is unchanged for root because then configuration files created Default `umask` is unchanged for root because then configuration files created
in `/etc` by the system administrator would be unreadable by "others" and break in `/etc` by the system administrator would be unreadable by "others" and break
applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The
`umask` is also set to 022 via `sudoers` configuration, so that files created
as root are world-readable even when using commands such as `sudo vi
/etc/file` or `sudo -i; touch /etc/file`.
`umask` is set to 022 rather than 027 when using `sudo`, so that commands such
as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file`
See: See:

8
etc/permission-hardener.d/25_default_whitelist_mount.conf
View file

@ -10,8 +10,12 @@
## SUID will be removed below in separate step. ## SUID will be removed below in separate step.
/bin/mount exactwhitelist /bin/mount exactwhitelist
/usr/bin/mount exactwhitelist /usr/bin/mount exactwhitelist
/bin/umount exactwhitelist
/usr/bin/umount exactwhitelist
## Remove SUID from 'mount' but keep executable. ## Remove SUID from 'mount' but keep executable.
## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
/bin/mount 745 root root /bin/mount 755 root root
/usr/bin/mount 745 root root /usr/bin/mount 755 root root
/bin/umount 755 root root
/usr/bin/umount 755 root root

5
etc/sudoers.d/security-misc
View file

@ -4,3 +4,8 @@
## Neither of these are needed. ## Neither of these are needed.
#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops #user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops #%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
## Use a more open umask when executing commands with sudo
## Can be overridden on a per-user basis using .[z]profile if desirable
Defaults umask_override
Defaults umask=0022

8
usr/share/pam-configs/umask-security-misc Normal file
View file

@ -0,0 +1,8 @@
Name: Restrict umask to 027 (by package security-misc)
Default: yes
Priority: 100
Session-Type: Additional
Session-Interactive-Only: yes
Session:
[success=1 default=ignore] pam_succeed_if.so uid eq 0
optional pam_umask.so umask=027