Merge branch 'master' into sysctl-initramfs

2025-02-02 12:44:40 -05:00 · 2020-01-15 11:02:03 +00:00 · 2020-01-15 11:02:03 +00:00 · 528c5fc4c4
commit 528c5fc4c4
parent 9dc43eae38 80159545a5
9 changed files with 167 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -99,6 +99,9 @@ a target for ROP.
 * The vivid kernel module is blacklisted as it's only required for testing
 and has been the cause of multiple vulnerabilities.

+* The kernel panics on oopses to prevent it from continuing to run a flawed
+process and to deter brute forcing.
+
 Improve Entropy Collection

 * Load jitterentropy_rng kernel module.
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,61 @@
+commit 660837dc380440f6b00d3baf9395222376163b3b
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:25:32 2020 -0500
+
+    fix case when user "user" does not exists
+
+commit 18c726c3eebc93f69062f1e4c1d3c7ab394985c3
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:23:02 2020 -0500
+
+    comment
+
+commit b8652681e741236af2e20876d7103b2dfb0ae9bf
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:21:47 2020 -0500
+
+    fix legacy
+
+commit cc21f912a372faef8322801e9a48882f29159c2d
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:20:36 2020 -0500
+
+    bumped changelog version
+
+commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:18:30 2020 -0500
+
+    readme
+
+commit c377c5ff83437a5447ecc9c873150421f4f1e691
+Merge: 8341242 539f24b
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 09:01:38 2020 -0500
+
+    Merge remote-tracking branch 'origin/master'
+
+commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22
+Merge: 8341242 0953bbe
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 14 14:01:17 2020 +0000
+
+    Merge pull request #54 from madaidan/panic_on_oops
+    
+    Document panic_on_oops
+
+commit 0953bbe1d7f3e789aef2218a65c14c586dab4bcb
+Author: madaidan <50278627+madaidan@users.noreply.github.com>
+Date:   Mon Jan 13 21:05:35 2020 +0000
+
+    Update control
+
+commit 8341242abc342d9cbd82afe12f512daf73a9e59a
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sat Jan 11 15:19:29 2020 -0500
+
+    bumped changelog version
+
 commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2
 Author: Patrick Schleizer <adrelanos@riseup.net>
 Date:   Sat Jan 11 15:17:06 2020 -0500
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,15 @@
+security-misc (3:14.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Tue, 14 Jan 2020 14:28:28 +0000
+
+security-misc (3:14.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Tue, 14 Jan 2020 14:20:36 +0000
+
 security-misc (3:14.3-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/debian/control
+++ b/debian/control
@ -119,6 +119,9 @@ Description: enhances misc security settings
 .
  * An initramfs hook sets the sysctl values in /etc/sysctl.d before init
 is executed so our hardening is enabled as early as possible.
+ .
+  * The kernel panics on oopses to prevent it from continuing to run a flawed
+ process and to deter brute forcing.
 .
 Improve Entropy Collection
 .
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@ -102,7 +102,7 @@ console_users_check() {
   fi

   console_users="$(getent group console | cut -d: -f4)"
-   ## example ssh_users:
+   ## example console_users:
   ## user
   console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"

@ -150,7 +150,7 @@ legacy() {
      continue_yes=true
   fi

-   if [ "$continue_yes" = "yes" ]; then
+   if [ ! "$continue_yes" = "yes" ]; then
      return 0
   fi

@ -165,6 +165,11 @@ legacy() {

   user_to_be_created=user

+   if ! id "$user_to_be_created" &>/dev/null ; then
+      true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update."
+      return 0
+   fi
+
   addgroup "$user_to_be_created" console

   pam-auth-update --enable console-lockdown-security-misc
--- a/etc/sudoers.d/pkexec-security-misc
+++ b/etc/sudoers.d/pkexec-security-misc
@ -0,0 +1,11 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## REVIEW: is it ok that users can find out the PATH setting of root?
+%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+
+## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
+## set. Would otherwise error out with the following error message:
+## "This program must only be run through pkexec"
+## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
+Defaults:ALL env_keep += "PKEXEC_UID"
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@ -3,5 +3,3 @@

 user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
--- a/etc/sudoers.d/xfce-security-misc
+++ b/etc/sudoers.d/xfce-security-misc
@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
+## /usr/share/polkit-1/actions/org.xfce.power.policy
+
+## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+## XXX: Should we allow this?
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@ -10,14 +10,26 @@

 set -e

+my_real_path="$(realpath "$0")" || true
+identifier="$my_real_path wrapper"
+exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
+
+log_to_journal() {
+   echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
+}
+
+log_to_journal "$0 $@"
+log_to_journal "DISPLAY: '$DISPLAY'"
+my_pstree="$(pstree -p $$)" || true
+log_to_journal "my_pstree: '$my_pstree'"
+
 ## If hidepid is not in use, just use pkexec normally.
 if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
   pkexec.security-misc-orig "$@"
   exit $?
 fi

-## Prefer lxqt-sudo.
-use_sudo=false
+switch_user=false

 original_args="$@"

@ -55,7 +67,8 @@ do
            else
               shift 2
            fi
-            use_sudo=true
+            switch_user=true
+            maybe_switch_to_user="--user $user_pkexec_wrapper"
            ;;
         --)
            shift
@ -70,20 +83,49 @@ done
 ## If there are input files (for example) that follow the options, they
 ## will remain in the "$@" positional parameters.

+if [ "$PKEXEC_UID" = "" ]; then
+   if [ ! "$user_pkexec_wrapper" = "" ]; then
+      PKEXEC_UID="$user_pkexec_wrapper"
+   elif [ ! "$SUDO_USER" = "" ]; then
+      PKEXEC_UID="$SUDO_USER"
+   else
+      PKEXEC_UID="$(whoami)"
+   fi
+fi
+export PKEXEC_UID
+
 if [[ "$@" = "" ]]; then
   ## Call original pkexec in case there are no arguments.
   pkexec.security-misc-orig $original_args
   exit $?
 fi

+exit_code=0
+
+## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
+## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
+if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
+   log_to_journal "sudoers exception: yes"
+   sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+   log_to_journal "sudo --user | exit_code: '$exit_code'"
+   exit "$exit_code"
+fi
+
+log_to_journal "sudoers exception: no"
+
+if [ "$switch_user" = "true" ]; then
+   ## 'sudo --user user' clears environment variables such as PATH.
+   lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+else
   ## set PATH same as root
   ## This is required for gdebi.
   ## REVIEW: is it ok that users can find out the PATH setting of root?
+   ## lxqt-sudo does not clear environment variable PATH.
   PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
   export PATH
-
-if [ "$use_sudo" = "true" ]; then
-   lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@"
-else
-   lxqt-sudo "$@"
+   lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
+
+log_to_journal "exit_code: '$exit_code'"
+
+exit "$exit_code"