From abf72c2ee4286ec069f75e66acf05a42f3645c89 Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Tue, 2 Jan 2024 13:34:29 +0100 Subject: [PATCH] Rename file permission hardening script Hardener as the script is the agent that is hardening the file permissions. --- README.md | 10 +++++----- debian/security-misc.postinst | 6 +++--- .../25_default_passwd.conf | 4 ++-- .../25_default_sudo.conf | 4 ++-- .../25_default_whitelist_bubblewrap.conf | 4 ++-- .../25_default_whitelist_chromium.conf | 4 ++-- .../25_default_whitelist_dbus.conf | 4 ++-- .../25_default_whitelist_firejail.conf | 4 ++-- .../25_default_whitelist_fuse.conf | 4 ++-- .../25_default_whitelist_hardened_malloc.conf | 4 ++-- .../25_default_whitelist_mount.conf | 4 ++-- .../25_default_whitelist_pam.conf | 4 ++-- .../25_default_whitelist_policykit.conf | 4 ++-- .../25_default_whitelist_qubes.conf | 4 ++-- .../25_default_whitelist_selinux.conf | 4 ++-- .../25_default_whitelist_spice.conf | 4 ++-- .../25_default_whitelist_ssh.conf | 4 ++-- .../25_default_whitelist_sudo.conf | 4 ++-- .../25_default_whitelist_unix_chkpwd.conf | 4 ++-- .../25_default_whitelist_virtualbox.conf | 4 ++-- .../30_default.conf | 8 ++++---- lib/systemd/system-preset/50-security-misc.preset | 2 +- ...n-hardening.service => permission-hardener.service} | 2 +- usr/bin/{permission-hardening => permission-hardener} | 9 ++++----- 24 files changed, 54 insertions(+), 55 deletions(-) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_passwd.conf (80%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_sudo.conf (89%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_bubblewrap.conf (66%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_chromium.conf (63%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_dbus.conf (64%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_firejail.conf (74%) rename etc/{permission-hardening.d => 
permission-hardener.d}/25_default_whitelist_fuse.conf (72%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_hardened_malloc.conf (68%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_mount.conf (81%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_pam.conf (69%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_policykit.conf (79%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_qubes.conf (81%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_selinux.conf (64%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_spice.conf (65%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_ssh.conf (69%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_sudo.conf (65%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_unix_chkpwd.conf (74%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_virtualbox.conf (77%) rename etc/{permission-hardening.d => permission-hardener.d}/30_default.conf (94%) rename lib/systemd/system/{permission-hardening.service => permission-hardener.service} (93%) rename usr/bin/{permission-hardening => permission-hardener} (99%) diff --git a/README.md b/README.md index 4ac4fb6..a46b30a 100644 --- a/README.md +++ b/README.md 
@@ -430,23 +430,23 @@ include but are not limited to: - Protecting the information of sudoers from others. - Protecting various system relevant files and modules. -##### permission-hardening ##### +##### permission-hardener ##### `permission-hardener` removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It runs at package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardening.service` as +can be enabled by running `systemctl enable permission-hardener.service` as root. The hardening at boot time is not the default because this slows down the boot too much. See: -* `/usr/bin/permission-hardening` +* `/usr/bin/permission-hardener` * `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardening.service` -* `/etc/permission-hardening.d` +* `/lib/systemd/system/permission-hardener.service` +* `/etc/permission-hardener.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 7cd54c2..da358e3 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -20,8 +20,8 @@ permission_hardening() { echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" echo "" - echo "$0: INFO: running: permission-hardening" - if ! permission-hardening ; then + echo "$0: INFO: running: permission-hardener" + if ! permission-hardener ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi @@ -59,7 +59,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening +permission_hardener ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: 
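Review bot: The call site at the end of the second postinst hunk now reads `permission_hardener`, but the function it invoked is still defined as `permission_hardening() {` (visible as the first hunk's header context and untouched by this patch), so on the new side the maintainer script calls an undefined function and, under the `set -e` usual in Debian maintainer scripts, would abort the install/upgrade before reaching the update-grub block. Either rename the definition to `permission_hardener() {` or keep the call as `permission_hardening`; the rename of the binary inside the function (`if ! permission-hardener ; then`) is correct on its own. Separately, the conffiles moved from `etc/permission-hardening.d/` to `etc/permission-hardener.d/` without a `dpkg-maintscript-helper mv_conffile` entry (the diffstat lists no maintscript file), so on upgraded systems the old copies stay behind as obsolete conffiles, and since `parse_config_folder` in this same patch still globs the legacy directory they would be parsed a second time. The function body shown here starts before the hunk.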
diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardener.d/25_default_passwd.conf similarity index 80% rename from etc/permission-hardening.d/25_default_passwd.conf rename to etc/permission-hardener.d/25_default_passwd.conf index 32fd72e..dcd403f 100644 --- a/etc/permission-hardening.d/25_default_passwd.conf +++ b/etc/permission-hardener.d/25_default_passwd.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. # Keep the `passwd` utility executable to prevent issues with the diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardener.d/25_default_sudo.conf similarity index 89% rename from etc/permission-hardening.d/25_default_sudo.conf rename to etc/permission-hardener.d/25_default_sudo.conf index 67be9ac..6a1cf21 100644 --- a/etc/permission-hardening.d/25_default_sudo.conf +++ b/etc/permission-hardener.d/25_default_sudo.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## https://forums.whonix.org/t/restrict-root-access/7658/116 
diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf similarity index 66% rename from etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf rename to etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 2ffc8c2..071e724 100644 --- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +++ b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/bwrap exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardener.d/25_default_whitelist_chromium.conf similarity index 63% rename from etc/permission-hardening.d/25_default_whitelist_chromium.conf rename to etc/permission-hardener.d/25_default_whitelist_chromium.conf index 5244b2c..db6f8ea 100644 --- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf +++ b/etc/permission-hardener.d/25_default_whitelist_chromium.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. chrome-sandbox matchwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardener.d/25_default_whitelist_dbus.conf similarity index 64% rename from etc/permission-hardening.d/25_default_whitelist_dbus.conf rename to etc/permission-hardener.d/25_default_whitelist_dbus.conf index e1325ff..2997915 100644 --- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf +++ b/etc/permission-hardener.d/25_default_whitelist_dbus.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. dbus-daemon-launch-helper matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardener.d/25_default_whitelist_firejail.conf similarity index 74% rename from etc/permission-hardening.d/25_default_whitelist_firejail.conf rename to etc/permission-hardener.d/25_default_whitelist_firejail.conf index 99608df..a56cb23 100644 --- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardener.d/25_default_whitelist_firejail.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## There is a controversy about firejail but those who choose to install it 
diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardener.d/25_default_whitelist_fuse.conf similarity index 72% rename from etc/permission-hardening.d/25_default_whitelist_fuse.conf rename to etc/permission-hardener.d/25_default_whitelist_fuse.conf index 1293214..4affc6a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardener.d/25_default_whitelist_fuse.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## required for AppImages such as electrum Bitcoin wallet diff --git a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf similarity index 68% rename from etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf rename to etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf index 4934ff0..6cc01fe 100644 --- a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf +++ b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. libhardened_malloc.so matchwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf similarity index 81% rename from etc/permission-hardening.d/25_default_whitelist_mount.conf rename to etc/permission-hardener.d/25_default_whitelist_mount.conf index 1557318..ce7d014 100644 --- a/etc/permission-hardening.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 diff --git a/etc/permission-hardening.d/25_default_whitelist_pam.conf b/etc/permission-hardener.d/25_default_whitelist_pam.conf similarity index 69% rename from etc/permission-hardening.d/25_default_whitelist_pam.conf rename to etc/permission-hardener.d/25_default_whitelist_pam.conf index bf518ff..7348e0c 100644 --- a/etc/permission-hardening.d/25_default_whitelist_pam.conf +++ b/etc/permission-hardener.d/25_default_whitelist_pam.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## Without this, Xfce fails to start with a dbus-launch error. 
diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardener.d/25_default_whitelist_policykit.conf similarity index 79% rename from etc/permission-hardening.d/25_default_whitelist_policykit.conf rename to etc/permission-hardener.d/25_default_whitelist_policykit.conf index fb4fa86..032c6b2 100644 --- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardener.d/25_default_whitelist_policykit.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/pkexec exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardener.d/25_default_whitelist_qubes.conf similarity index 81% rename from etc/permission-hardening.d/25_default_whitelist_qubes.conf rename to etc/permission-hardener.d/25_default_whitelist_qubes.conf index 7a5c968..ad8592a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardener.d/25_default_whitelist_qubes.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## TODO: research 
diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardener.d/25_default_whitelist_selinux.conf similarity index 64% rename from etc/permission-hardening.d/25_default_whitelist_selinux.conf rename to etc/permission-hardener.d/25_default_whitelist_selinux.conf index f0464b9..2a5686a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardener.d/25_default_whitelist_selinux.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. /utempter/utempter matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardener.d/25_default_whitelist_spice.conf similarity index 65% rename from etc/permission-hardening.d/25_default_whitelist_spice.conf rename to etc/permission-hardener.d/25_default_whitelist_spice.conf index 394b173..a8b7f7a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardener.d/25_default_whitelist_spice.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. spice-client-glib-usb-acl-helper matchwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_ssh.conf b/etc/permission-hardener.d/25_default_whitelist_ssh.conf similarity index 69% rename from etc/permission-hardening.d/25_default_whitelist_ssh.conf rename to etc/permission-hardener.d/25_default_whitelist_ssh.conf index 678b2f6..f7ef445 100644 --- a/etc/permission-hardening.d/25_default_whitelist_ssh.conf +++ b/etc/permission-hardener.d/25_default_whitelist_ssh.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## TODO: research diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardener.d/25_default_whitelist_sudo.conf similarity index 65% rename from etc/permission-hardening.d/25_default_whitelist_sudo.conf rename to etc/permission-hardener.d/25_default_whitelist_sudo.conf index 07051dd..a7b0fd2 100644 --- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardener.d/25_default_whitelist_sudo.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/sudo exactwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf similarity index 74% rename from etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rename to etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index c086dab..dc1fb5a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## required for performing password validation from unprivileged user diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf similarity index 77% rename from etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rename to etc/permission-hardener.d/25_default_whitelist_virtualbox.conf index dbd5737..17701d9 100644 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## TODO: research 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardener.d/30_default.conf similarity index 94% rename from etc/permission-hardening.d/30_default.conf rename to etc/permission-hardener.d/30_default.conf index b6e4aeb..2ba3dee 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. @@ -60,8 +60,8 @@ /home/ 0755 root root /root/ 0700 root root /boot/ 0700 root root -/etc/permission-hardening.d 0600 root root -/usr/local/etc/permission-hardening.d 0600 root root +/etc/permission-hardener.d 0600 root root +/usr/local/etc/permission-hardener.d 0600 root root /lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 201369d..a852419 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -5,7 +5,7 @@ disable hide-hardware-info.service ## Disable for now until development finished / tested. -disable permission-hardening.service +disable permission-hardener.service ## Disable for now until development finished / tested. ## https://github.com/Kicksecure/security-misc/pull/152 
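Review bot: The two legacy rules `/etc/permission-hardening.d 0600 root root` and `/usr/local/etc/permission-hardening.d 0600 root root` are removed here, yet the `parse_config_folder` hunk of this same patch keeps globbing both legacy directories for `*.conf`, so on an upgraded system the hardener still reads configuration from directories that are no longer covered by the 0600 rule. Keep the old lines alongside the new ones for as long as the legacy globs remain, assuming the hardener tolerates a rule for a path that does not exist on a fresh install — worth confirming against the script. The rule list continues outside this hunk.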
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardener.service similarity index 93% rename from lib/systemd/system/permission-hardening.service rename to lib/systemd/system/permission-hardener.service index 9891b72..912e6c7 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardener.service @@ -13,7 +13,7 @@ After=local-fs.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=permission-hardening +ExecStart=permission-hardener [Install] WantedBy=sysinit.target diff --git a/usr/bin/permission-hardening b/usr/bin/permission-hardener similarity index 99% rename from usr/bin/permission-hardening rename to usr/bin/permission-hardener index 7673dd7..d2a7ccc 100755 --- a/usr/bin/permission-hardening +++ b/usr/bin/permission-hardener @@ -6,13 +6,10 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -## To undo: -## sudo permission-hardening disable - set -o errexit -o nounset -o pipefail exit_code=0 -store_dir="/var/lib/permission-hardening" +store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" @@ -507,6 +504,8 @@ parse_config_folder() { shopt -s nullglob for config_file in \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ /etc/permission-hardening.d/*.conf \ /usr/local/etc/permission-hardening.d/*.conf do 
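Review bot: `store_dir="/var/lib/permission-hardener"` relocates the dpkg admindir state (`existing_mode`/`new_mode`, per the two lines below it) without migrating what the previous version recorded under `/var/lib/permission-hardening`, so on upgraded systems the modes captured under the old name are orphaned and the `disable` mode documented in the usage text presumably can no longer restore them for files hardened before the upgrade. A one-time move of the old directory before the admindir parameters are built keeps that undo path working; see below. On a related note, the new `permission-hardener.d` globs in `parse_config_folder` are listed before the legacy ones, so a leftover `/etc/permission-hardening.d/20_user.conf` is parsed after the new `30_default.conf`; if later entries take precedence that inverts the ordering the numeric prefixes imply — worth confirming. Both enclosing blocks extend beyond their hunks.
```shell
exit_code=0
## One-time migration from the pre-rename state directory so that
## "disable" can still restore modes recorded by the old version.
old_store_dir="/var/lib/permission-hardening"
store_dir="/var/lib/permission-hardener"
if [ -d "${old_store_dir}" ] && [ ! -e "${store_dir}" ]; then
  mv "${old_store_dir}" "${store_dir}"
fi
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
## … unchanged: new_mode admindir parameter …
```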
@@ -620,7 +619,7 @@ spare() { To remove all: $0 disable all - This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: + This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener To view list of changed by SUID Disabler and Permission Hardener: