Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"

This reverts commit 36a471ebce.
2024-10-01 08:25:45 -04:00 · 2020-12-01 05:10:26 -05:00 · 2020-12-01 05:10:26 -05:00 · b09cc0de6a
commit b09cc0de6a
parent 704f0500ba
2 changed files with 4 additions and 24 deletions
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@ -15,12 +15,6 @@

 ## TODO: white spaces inside file name untested and probably will not work.

-######################################################################
-# Global Settings
-######################################################################
-
-#whitelists_disable_all=true
-
 ######################################################################
 # SUID disablewhitelist
 ######################################################################
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@ -252,12 +252,6 @@ set_file_perms() {
         exit "$exit_code"
      fi

-      if [ "$line" = 'whitelists_disable_all=true' ]; then
-         whitelists_disable_all=true
-         echo "INFO: whitelists_disable_all=true - all whitelists disabled."
-         continue
-      fi
-
      #global fso
      local mode_from_config owner_from_config group_from_config capability_from_config
      if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
@ -281,22 +275,14 @@ set_file_perms() {
      fi

      if [ "$mode_from_config" = "exactwhitelist" ]; then
-         if [ "$whitelists_disable_all" = "true" ]; then
-            true "INFO: Not adding fso '$fso' to exact_white_list because whitelists_disable_all=true"
-         else
-            ## TODO: test/add white spaces inside file name support
-            exact_white_list+="$fso "
-         fi
+         ## TODO: test/add white spaces inside file name support
+         exact_white_list+="$fso "
         continue
      fi

      if [ "$mode_from_config" = "matchwhitelist" ]; then
-         if [ "$whitelists_disable_all" = "true" ]; then
-            true "INFO: Not adding fso '$fso' to matchwhitelist because whitelists_disable_all=true"
-         else
-            ## TODO: test/add white spaces inside file name support
-            match_white_list+="$fso "
-         fi
+         ## TODO: test/add white spaces inside file name support
+         match_white_list+="$fso "
         continue
      fi