From 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 Mon Sep 17 00:00:00 2001
From: Kuri Schlarb <246386+ntninja@users.noreply.github.com>
Date: Tue, 7 Jun 2022 08:03:56 +0000
Subject: [PATCH 1/4] permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results
---
 usr/libexec/security-misc/permission-hardening | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening
index c0572c2..71c4f72 100755
--- a/usr/libexec/security-misc/permission-hardening
+++ b/usr/libexec/security-misc/permission-hardening
@@ -318,12 +318,12 @@ set_file_perms() {
 continue
 fi
 
- if ! getent passwd | grep -q "^${owner_from_config}:" ; then
+ if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
 echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
 continue
 fi
 
- if ! getent group | grep -q "^${group_from_config}:" ; then
+ if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
 echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
 continue
 fi
@@ -462,6 +462,15 @@ set_file_perms() {
 }
 
 parse_config_folder() {
+ # Query contents of password and group databases only once and buffer them
+ #
+ # If we don’t buffer we sometimes get incorrect results when checking for entries using
+ # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
+ # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
+ # `set -o pipefail` is set for this script.
+ passwd_file_contents="$(getent passwd)"
+ group_file_contents="$(getent group)"
+
 shopt -s nullglob
 for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
 set_file_perms
From 3910e4ee159d8b5f80c5086915583e4e20ecd6fe Mon Sep 17 00:00:00 2001
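Review bot: The two added `if ! echo "${…_file_contents}" | grep -q "^${owner_from_config}:"` lines keep interpolating the config value into the grep pattern unescaped, so a value containing regex metacharacters can still match an entry other than the exact name, and swapping `getent` for `echo` narrows rather than removes the pipefail problem: if the buffered text is larger than the pipe buffer, the subshell running `echo` may still be killed by SIGPIPE once `grep -q` exits on an early match. A keyed lookup avoids the pipeline, the regex and the enumeration at once: `if ! getent passwd "${owner_from_config}" >/dev/null ; then` and `if ! getent group "${group_from_config}" >/dev/null ; then` (getent returns non-zero when the key is absent). Keyed lookups also work against NSS sources that refuse enumeration, whereas the buffered `getent passwd` output depends on the whole database being listable. set_file_perms continues outside the hunk.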
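Review bot: `passwd_file_contents` and `group_file_contents` in the @@ -462 hunk are assigned without `local` so that set_file_perms can read them, but nothing in the hunk says the two functions share this state; if set_file_perms is ever reached without parse_config_folder having run first, both variables are empty and every owner/group check fails with "does not exist". A one-line comment above the assignments would make the coupling explicit: `# intentionally global: read by set_file_perms() for the owner/group existence checks`. parse_config_folder continues outside the hunk.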
From: Kuri Schlarb <246386+ntninja@users.noreply.github.com>
Date: Tue, 7 Jun 2022 08:11:51 +0000
Subject: [PATCH 2/4] permission-hardening: Keep `passwd` executable but non-SetUID
---
 etc/permission-hardening.d/25_default_passwd.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 etc/permission-hardening.d/25_default_passwd.conf

diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardening.d/25_default_passwd.conf
new file mode 100644
index 0000000..19c2a4d
--- /dev/null
+++ b/etc/permission-hardening.d/25_default_passwd.conf
@@ -0,0 +1,14 @@
+## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+# Keep the `passwd` utility executable to prevent issues with the
+# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
+# user logins with `su` and KScreenLocker
+#
+# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
+/usr/bin/passwd 0755 root root
+/bin/passwd 0755 root root
From 2bdda9d0a0a289dafb260c926d29df274c9a67da Mon Sep 17 00:00:00 2001
From: Kuri Schlarb <246386+ntninja@users.noreply.github.com>
Date: Tue, 7 Jun 2022 08:18:05 +0000
Subject: [PATCH 3/4] permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug)
---
 usr/libexec/security-misc/permission-hardening | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening
index 71c4f72..9d78068 100755
--- a/usr/libexec/security-misc/permission-hardening
+++ b/usr/libexec/security-misc/permission-hardening
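Review bot: The comment block above the two `0755 root root` entries explains why `passwd` stays executable but not the consequence of dropping the SetUID bit: a `passwd` run by a non-root user can no longer write /etc/shadow, so ordinary users lose the ability to change their own password while this default is in effect, unless some other mechanism provides it. Because this is a shipped default that the header says may be overwritten on update, that trade-off belongs in the file itself, e.g. `# Note: without the SetUID bit, unprivileged users cannot change their own password with this tool.` On merged-/usr systems the /bin and /usr/bin entries resolve to the same file, which appears intentional but could be stated in the same comment.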
@@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() {
 set_file_perms() {
 echo "INFO: START parsing config_file: '$config_file'"
 local line
- while read -r line; do
+ while read -r line || [[ -n "${line}" ]]; do
 if [ "$line" = "" ]; then
 continue
 fi
From 6e8f584d88333d3a6fec1318ba92f76e328bf7ce Mon Sep 17 00:00:00 2001
From: Kuri Schlarb <246386+ntninja@users.noreply.github.com>
Date: Wed, 8 Jun 2022 05:29:42 +0000
Subject: [PATCH 4/4] permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow
---
 .../25_default_whitelist_unix_chkpwd.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf

diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
new file mode 100644
index 0000000..15ff326
--- /dev/null
+++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for performing password validation from unprivileged user
+## processes such as KScreenLocker’s unlock prompt
+/usr/sbin/unix_chkpwd exactwhitelist
+/sbin/unix_chkpwd exactwhitelist
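Review bot: The new condition `while read -r line || [[ -n "${line}" ]]; do` is a standard but non-obvious idiom and the hunk adds no comment for it; the subject's "ancient bash bug" is also misleading, since `read` returning non-zero when it meets EOF on an unterminated line is specified behaviour and the variable still holds the partial line. Suggest a comment directly above the loop: `# also process a final line lacking a trailing newline: read returns non-zero at EOF but still fills $line`. The loop body and whatever feeds the loop lie outside the hunk, so whether `$line` can carry leading/trailing whitespace that `read` without `IFS=` strips cannot be judged from here.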
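Review bot: In the 25_default_whitelist_unix_chkpwd.conf hunk the two `##` rationale lines say what needs `unix_chkpwd` but not why an `exactwhitelist` exception for a SetGID-shadow helper is acceptable in a policy that otherwise strips such bits; stating the helper's own safeguard would let a reader of the shipped defaults judge the exception without external research. Suggest adding `## unix_chkpwd is documented to verify only the password of the account matching the caller's real UID (unless run as root), so the SetGID bit does not let a caller test other users' hashes`. As with the passwd entries in patch 2, /sbin and /usr/sbin are the same directory on merged-/usr systems, so the two lines are expected to describe one binary.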