Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-13 06:41:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Make permission-hardener always apply changes to real files, not symlinks

Browse Source
This commit is contained in:
Aaron Rainbolt 2025-01-21 21:05:03 -06:00
parent ed767e00b0
commit 5e60416c86
No known key found for this signature in database
GPG Key ID: A709160D73C79109
3 changed files with 25 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
usr/bin/permission-hardener
View File

@ -168,6 +168,12 @@ line: '${processed_config_line}'
log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2
return 1 return 1
fi fi
## If a symlink was passed as input, return the original file's path rather
## than the symlink to avoid problems stemming from using the wrong path
if [ -h "${file_name_from_stat}" ]; then
file_name_from_stat="$(realpath "${file_name_from_stat}")"
fi
} }
print_usage(){ print_usage(){
@ -194,6 +200,10 @@ add_to_policy() {
file_capabilities="${5:-}" file_capabilities="${5:-}"
updated_entry=false updated_entry=false
if [ -h "${file_name}" ]; then
file_name="$(realpath "${file_name}")" || return 1
fi
for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do
if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then
policy_mode_list[policy_idx]="${file_mode}" policy_mode_list[policy_idx]="${file_mode}"
@ -279,7 +289,7 @@ load_early_nosuid_policy() {
local new_mode local new_mode
new_mode='744' new_mode='744'
add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \
"${existing_group}" "${existing_group}"
done < <(safe_echo_nonewline "${target_file}" \ done < <(safe_echo_nonewline "${target_file}" \
| find -files0-from - -perm /u=s,g=s -print0) | find -files0-from - -perm /u=s,g=s -print0)
@ -468,7 +478,7 @@ load_state() {
if [ -z "${file_name_from_stat}" ]; then if [ -z "${file_name_from_stat}" ]; then
continue continue
fi fi
state_file_list+=( "${policy_file_item}" ) state_file_list+=( "${file_name_from_stat}" )
state_user_owner_list+=( "${existing_owner}" ) state_user_owner_list+=( "${existing_owner}" )
state_group_owner_list+=( "${existing_group}" ) state_group_owner_list+=( "${existing_group}" )
state_mode_list+=( "${existing_mode}" ) state_mode_list+=( "${existing_mode}" )
@ -476,7 +486,7 @@ load_state() {
echo_wrapper_audit silent dpkg-statoverride \ echo_wrapper_audit silent dpkg-statoverride \
${dpkg_admindir_parameter_existing_mode} \ ${dpkg_admindir_parameter_existing_mode} \
--add "${existing_owner}" "${existing_group}" "${existing_mode}" \ --add "${existing_owner}" "${existing_group}" "${existing_mode}" \
"${policy_file_item}" "${file_name_from_stat}"
done done
## Fix up nosuid policies using state information ## Fix up nosuid policies using state information
@ -557,26 +567,26 @@ commit_policy() {
continue continue
fi fi
## Remove and reapply in main list ## Remove and reapply in main list
if [[ "${orig_main_statoverride_db}" =~ "${state_file_item}" ]]; then if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then
echo_wrapper_ignore silent dpkg-statoverride --remove \ echo_wrapper_ignore silent dpkg-statoverride --remove \
"${state_file_item}" "${file_name_from_stat}"
fi fi
echo_wrapper_audit verbose dpkg-statoverride --add --update \ echo_wrapper_audit verbose dpkg-statoverride --add --update \
"${state_user_owner_item}" "${state_group_owner_item}" \ "${state_user_owner_item}" "${state_group_owner_item}" \
"${state_mode_item}" "${state_file_item}" "${state_mode_item}" "${file_name_from_stat}"
## Update item in secondary list ## Update item in secondary list
if [[ "${orig_new_statoverride_db}" =~ "${state_file_item}" ]]; then if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_ignore silent dpkg-statoverride \ echo_wrapper_ignore silent dpkg-statoverride \
${dpkg_admindir_parameter_new_mode} --remove \ ${dpkg_admindir_parameter_new_mode} --remove \
"${state_file_item}" "${file_name_from_stat}"
fi fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_audit verbose dpkg-statoverride \ echo_wrapper_audit verbose dpkg-statoverride \
${dpkg_admindir_parameter_new_mode} --add \ ${dpkg_admindir_parameter_new_mode} --add \
"${state_user_owner_item}" "${state_group_owner_item}" \ "${state_user_owner_item}" "${state_group_owner_item}" \
"${state_mode_item}" "${state_file_item}" "${state_mode_item}" "${file_name_from_stat}"
fi fi
done done
@ -805,7 +815,7 @@ print_fs_audit() {
output_stat "${state_file_item}" output_stat "${state_file_item}"
if [ -z "${file_name_from_stat}" ]; then if [ -z "${file_name_from_stat}" ]; then
echo "... '${state_file_item}' does not exist" echo "... '${file_name_from_stat}' does not exist"
continue continue
fi fi
@ -823,7 +833,7 @@ print_fs_audit() {
fi fi
echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}"
echo "vvv ${state_file_item} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}"
else else
echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}"
fi fi

4
usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
View File

@ -15,7 +15,7 @@ root root 644 /etc/hosts.allow
root root 700 /root root root 700 /root
root root 755 /etc/cron.daily root root 755 /etc/cron.daily
root root 755 /bin/ping root root 755 /bin/ping
root root 777 /etc/motd root root 777 /etc/motd.kicksecure
root root 755 /boot root root 755 /boot
root root 755 /home root root 755 /home
root shadow 2755 /usr/bin/chage root shadow 2755 /usr/bin/chage
@ -27,7 +27,7 @@ root root 755 /etc/permission-hardener.d
root root 644 /etc/passwd root root 644 /etc/passwd
root root 755 /usr/src root root 755 /usr/src
root root 4755 /usr/bin/mount root root 4755 /usr/bin/mount
root root 777 /etc/issue root root 777 /etc/issue.kicksecure
root root 755 /etc/cron.d root root 755 /etc/cron.d
root root 4755 /usr/bin/sudo root root 4755 /usr/bin/sudo
root root 4755 /usr/bin/pkexec root root 4755 /usr/bin/pkexec

4
usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
View File

@ -9,7 +9,7 @@ root root 700 /etc/cron.weekly
root root 744 /usr/bin/su root root 744 /usr/bin/su
root root 700 /etc/cron.daily root root 700 /etc/cron.daily
root root 755 /bin/ping root root 755 /bin/ping
root root 644 /etc/motd root root 644 /etc/motd.kicksecure
root _ssh 744 /usr/bin/ssh-agent root _ssh 744 /usr/bin/ssh-agent
root root 700 /boot root root 700 /boot
root shadow 744 /usr/bin/chage root shadow 744 /usr/bin/chage
@ -20,5 +20,5 @@ root root 744 /usr/bin/chfn
root root 600 /etc/permission-hardener.d root root 600 /etc/permission-hardener.d
root root 700 /usr/src root root 700 /usr/src
root root 755 /usr/bin/mount root root 755 /usr/bin/mount
root root 644 /etc/issue root root 644 /etc/issue.kicksecure
root root 700 /etc/cron.d root root 700 /etc/cron.d