From 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb Mon Sep 17 00:00:00 2001
From: Ashlen
Date: Tue, 20 May 2025 17:07:51 -0600
Subject: [PATCH 01/12] fix(permission-hardener): ssh-agent gets 755 perms

Replace the commented-out matchwhitelist entry for ssh-agent with an explicit permission entry (755) for /usr/bin/ssh-agent. When ssh-agent's matchwhitelist entry was commented out in commit 7a5f8b87af, permission-hardener began resetting it to restrictive defaults (744), preventing non-root users from executing ssh-agent. This broke split SSH functionality in Qubes OS for me because I was using Kicksecure in the vault qube, and ssh-agent runs under a non-root user in that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). As noted in the comment, Debian installs with 2755 permissions as a way to mitigate ptrace attacks, but this rationale doesn't apply due to kernel.yama.ptrace_scope=2 being set in Kicksecure.
---
 .../25_default_whitelist_ssh.conf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 8688dfe..5415197 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -5,11 +5,21 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
+## Used for SSH client key management
+## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## Debian installs ssh-agent with setgid permissions (2755) and with
+## _ssh as the group to prevent ptrace attacks that could extract
+## private keys from the agent's memory. However, as Kicksecure makes use
+## of kernel.yama.ptrace_scope=2 by default, this is not a concern.
+##
+## ssh-agent is often run under non-root users, so 755 permissions make
+## sense here to avoid breakage.
+/usr/bin/ssh-agent 755 root root
+
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
-#ssh-agent matchwhitelist
 #ssh-keysign matchwhitelist
 #/usr/lib/openssh matchwhitelist

From 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 Mon Sep 17 00:00:00 2001
From: Ashlen
Date: Tue, 20 May 2025 18:41:48 -0600
Subject: [PATCH 02/12] fix(permission-hardener): add exactwhitelist here

Without this, the permissions for ssh-agent won't be changed properly.
---
 usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 5415197..767cd08 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
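Review bot: The justification in the new comment block, `## of kernel.yama.ptrace_scope=2 by default, this is not a concern.`, rests on a runtime sysctl default, while the `/usr/bin/ssh-agent 755 root root` entry beneath it is re-applied on every hardener run; anyone who lowers ptrace_scope (e.g. to debug a program) is then left without Debian's setgid mitigation, and the comment does not say so. Also unstated is that `root root` replaces the packaged root:_ssh ownership rather than merely clearing the setgid bit. I would soften the claim to `## of kernel.yama.ptrace_scope=2 by default, the setgid bit is dropped here; note that lowering ptrace_scope removes that protection as well.` and mention the ownership change next to it.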
@@ -14,6 +14,7 @@
 ##
 ## ssh-agent is often run under non-root users, so 755 permissions make
 ## sense here to avoid breakage.
+/usr/bin/ssh-agent exactwhitelist
 /usr/bin/ssh-agent 755 root root
 
 ## Used only for SSH host-based authentication

From e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 Mon Sep 17 00:00:00 2001
From: Ashlen
Date: Tue, 20 May 2025 21:34:03 -0600
Subject: [PATCH 03/12] perf(permission-hardener): optimize string match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace subprocess grep calls with bash substring matching in check_nosuid_whitelist function. This eliminates ~10k unneeded subprocess spawns that were causing significant performance degradation. In testing, it improves overall script execution speed by an order of magnitude: Before patch: $ sudo hyperfine -- './permission-hardener enable' Benchmark 1: ./permission-hardener enable Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] Range (min … max): 10.430 s … 14.090 s 10 runs After patch: $ sudo hyperfine -- './permission-hardener enable' Benchmark 1: ./permission-hardener enable Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] Range (min … max): 639.4 ms … 1092.3 ms 10 runs
---
 usr/bin/permission-hardener | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index 9f70834..b871fdc 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -256,8 +256,7 @@ check_nosuid_whitelist() {
 [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
 
 for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
- if safe_echo "${target_file}" \
- | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
+ if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
 return 1
 fi
 done

From abb2207313810966dad381c3a9f637c445a5834d Mon Sep 17 00:00:00 2001
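Review bot: The added `/usr/bin/ssh-agent exactwhitelist` line is required for the explicit `755 root root` entry beneath it to take effect, according to the commit message, but nothing in the file records that dependency, so a later edit that drops or reorders one of the two lines will silently reintroduce the 744 reset. Add a comment above the pair, e.g. `## exactwhitelist is needed alongside the mode line; without it the nosuid pass reverts the mode.` If that coupling is an artifact of permission-hardener's processing order rather than intended configuration semantics, the cleaner fix is in the script, so that an explicit mode entry wins on its own.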
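Review bot: The new `[[ "${target_file}" == *"${match_white_list_entry}"* ]]` keeps the fixed-string semantics of the grep it replaces (the quoted expansion stops glob characters in the entry from being interpreted), but it also keeps an inherited fail-open: the loop header `"${policy_match_white_list[@]:-}"` expands to a single empty string when the array is empty, and an empty pattern matches every path, exactly as `grep -F ''` did, so every file would be reported as whitelisted and skip nosuid hardening. Whether the array can be empty with the shipped defaults I can't tell from here, but a blank matchwhitelist entry in a user config has the same effect. Guard it as the first statement of the loop body: `[[ -n "${match_white_list_entry}" ]] || continue`. check_nosuid_whitelist's opening line and the rest of its body are outside the hunk.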
From: Patrick Schleizer Date: Tue, 27 May 2025 15:51:50 +0000 Subject: [PATCH 04/12] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fa55e48..bc31fbb 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 +Merge: ace45d7 395169f +Author: Patrick Schleizer +Date: Tue May 27 11:03:23 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff +Merge: ace45d7 e14b81b +Author: Patrick Schleizer +Date: Tue May 27 10:58:50 2025 -0400 + + Merge pull request #308 from maybebyte/permission-hardener-speedboost + + perf(permission-hardener): optimize string match + +commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 +Author: Patrick Schleizer +Date: Wed May 21 22:06:02 2025 +0000 + + bumped changelog version + commit 142ea2118989faddafa17db48efed379c4ac3f45 Author: Patrick Schleizer Date: Wed May 21 12:42:16 2025 -0400 
@@ -116,6 +138,32 @@ Date: Wed May 21 06:55:09 2025 -0400 pam-info: fix, consistently write errors and warnings to stderr +commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 +Author: Ashlen +Date: Tue May 20 21:34:03 2025 -0600 + + perf(permission-hardener): optimize string match + + Replace subprocess grep calls with bash substring matching in + check_nosuid_whitelist function. This eliminates ~10k unneeded + subprocess spawns that were causing significant performance + degradation. + + In testing, it improves overall script execution speed by an + order of magnitude: + + Before patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] + Range (min … max): 10.430 s … 14.090 s 10 runs + + After patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] + Range (min … max): 639.4 ms … 1092.3 ms 10 runs + commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 Author: Patrick Schleizer Date: Tue May 20 11:40:27 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 4507e57..d86926c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 15:51:50 +0000 + security-misc (3:45.7-1) unstable; urgency=medium * New upstream version (local package). From 5195977be474e29a29b6392306e909e9f2d05ada Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 27 May 2025 11:57:21 -0400 Subject: [PATCH 05/12] protect against grep pipefail --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b871fdc..2d9a729 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -626,7 +626,7 @@ commit_policy() {
 else
 if ! capsh --print \
 | grep --fixed-strings -- "Bounding set" \
- | grep --quiet -- "${policy_capability_item}"; then
+ | grep -- "${policy_capability_item}" >/dev/null; then
 log error \
 "Capability from config does not exist: '${policy_capability_item}'" \
 >&2

From e96677486201ebddc145af7962ad5e89f6fa253b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 27 May 2025 19:41:25 +0000
Subject: [PATCH 06/12] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index bc31fbb..51fb35c 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 5195977be474e29a29b6392306e909e9f2d05ada
+Author: Patrick Schleizer
+Date: Tue May 27 11:57:21 2025 -0400
+
+ protect against grep pipefail
+
+commit abb2207313810966dad381c3a9f637c445a5834d
+Author: Patrick Schleizer
+Date: Tue May 27 15:51:50 2025 +0000
+
+ bumped changelog version
+
 commit 45016146f7c77d383f2254d19dc66ba9b883b8f2
 Merge: ace45d7 395169f
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index d86926c..5a1e957 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:45.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Tue, 27 May 2025 19:41:25 +0000
+
 security-misc (3:45.8-1) unstable; urgency=medium
 
 * New upstream version (local package).

From 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 Mon Sep 17 00:00:00 2001
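Review bot: The existence check `| grep -- "${policy_capability_item}" >/dev/null; then` still treats the config value as an unanchored regex and matches it as a substring of the `Bounding set` line, so a value containing regex metacharacters (`cap_.*`) or one that is a substring of another capability name passes the check and the 'Capability from config does not exist' error never fires. The preceding grep already uses `--fixed-strings`; this one should too, with word matching so capsh's comma-separated list is compared name by name: `| grep --fixed-strings --word-regexp -- "${policy_capability_item}" >/dev/null; then`. A short comment above the pipeline explaining why `>/dev/null` replaced `--quiet` (grep drains its input, so the upstream grep cannot take SIGPIPE under pipefail, which is what the subject line says) would keep the next reader from reverting it. commit_policy begins and ends outside the hunk.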
From: Ashlen
Date: Tue, 27 May 2025 15:32:41 -0600
Subject: [PATCH 07/12] fix(permission-hardener): ssh-agent gets 2755 perms

Change from exactwhitelist to matchwhitelist. Discussion revealed that there's a good reason to leave setgid in here, which is essentially defense-in-depth (sometimes users may want to revert Kicksecure's default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and Kicksecure should not be less secure than vanilla Debian in that situation).
---
 .../25_default_whitelist_ssh.conf | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 767cd08..2b55bd2 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -8,14 +8,9 @@
 ## Used for SSH client key management
 ## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
 ## Debian installs ssh-agent with setgid permissions (2755) and with
-## _ssh as the group to prevent ptrace attacks that could extract
-## private keys from the agent's memory. However, as Kicksecure makes use
-## of kernel.yama.ptrace_scope=2 by default, this is not a concern.
-##
-## ssh-agent is often run under non-root users, so 755 permissions make
-## sense here to avoid breakage.
-/usr/bin/ssh-agent exactwhitelist
-/usr/bin/ssh-agent 755 root root
+## _ssh as the group to help mitigate ptrace attacks that could extract
+## private keys from the agent's memory.
+ssh-agent matchwhitelist
 
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign

From d5edc243ac2db861f1600d3906a02494eaf9a824 Mon Sep 17 00:00:00 2001
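Review bot: `ssh-agent matchwhitelist` is a substring pattern — permission-hardener's matchwhitelist test, visible earlier in this series, is `*"${entry}"*` against the full path — so it exempts every path containing `ssh-agent`, not only `/usr/bin/ssh-agent`, which the replaced `/usr/bin/ssh-agent exactwhitelist` line had pinned to the packaged file. If exactwhitelist alone preserves Debian's 2755 root:_ssh mode (the earlier revision only needed it next to an explicit mode line), that narrower form seems preferable; if matchwhitelist is required here, the comment should say why. The comment also lost the reason recorded in the commit message for keeping setgid, so I would append `## Kept even though Kicksecure defaults to kernel.yama.ptrace_scope=2: if a user lowers it (e.g. to debug), ssh-agent should be no weaker than on vanilla Debian.`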
From: Patrick Schleizer Date: Wed, 28 May 2025 12:12:00 +0000 Subject: [PATCH 08/12] bumped changelog version --- changelog.upstream | 77 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 83 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 51fb35c..253259a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,52 @@ +commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 +Merge: e966774 5a10ad0 +Author: Patrick Schleizer +Date: Wed May 28 07:22:16 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa +Merge: e966774 3559bc8 +Author: Patrick Schleizer +Date: Wed May 28 07:21:31 2025 -0400 + + Merge pull request #307 from maybebyte/ssh-agent-to-allowlist + + fix(permission-hardener): ssh-agent gets 2755 perms + +commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 +Author: Ashlen +Date: Tue May 27 15:32:41 2025 -0600 + + fix(permission-hardener): ssh-agent gets 2755 perms + + Change from exactwhitelist to matchwhitelist. Discussion revealed that + there's a good reason to leave setgid in here, which is essentially + defense-in-depth (sometimes users may want to revert Kicksecure's + default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and + Kicksecure should not be less secure than vanilla Debian in that + situation). + +commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90 +Merge: 017ee29 e966774 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 20:33:07 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit e96677486201ebddc145af7962ad5e89f6fa253b +Author: Patrick Schleizer +Date: Tue May 27 19:41:25 2025 +0000 + + bumped changelog version + +commit 017ee29eb39d84edc89f128a633a619cad852241 +Merge: 7a079c3 abb2207 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 18:25:47 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + commit 5195977be474e29a29b6392306e909e9f2d05ada Author: Patrick Schleizer Date: Tue May 27 11:57:21 2025 -0400 
@@ -176,6 +225,34 @@ Date: Tue May 20 21:34:03 2025 -0600 Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] Range (min … max): 639.4 ms … 1092.3 ms 10 runs +commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 +Author: Ashlen +Date: Tue May 20 18:41:48 2025 -0600 + + fix(permission-hardener): add exactwhitelist here + + Without this, the permissions for ssh-agent won't be changed properly. + +commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb +Author: Ashlen +Date: Tue May 20 17:07:51 2025 -0600 + + fix(permission-hardener): ssh-agent gets 755 perms + + Replace the commented-out matchwhitelist entry for ssh-agent with an + explicit permission entry (755) for /usr/bin/ssh-agent. + + When ssh-agent's matchwhitelist entry was commented out in commit + 7a5f8b87af, permission-hardener began resetting it to restrictive + defaults (744), preventing non-root users from executing ssh-agent. This + broke split SSH functionality in Qubes OS for me because I was using + Kicksecure in the vault qube, and ssh-agent runs under a non-root user in + that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). + + As noted in the comment, Debian installs with 2755 permissions as a way + to mitigate ptrace attacks, but this rationale doesn't apply due to + kernel.yama.ptrace_scope=2 being set in Kicksecure. + commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 Author: Patrick Schleizer Date: Tue May 20 11:40:27 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 5a1e957..2f1be9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 12:12:00 +0000 + security-misc (3:45.9-1) unstable; urgency=medium * New upstream version (local package). From 3e102df76583a14b5efc18238aefbf539ab0d8a1 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Wed, 28 May 2025 08:37:03 -0400
Subject: [PATCH 09/12] fix
---
 usr/libexec/security-misc/pam-info | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index a42effa..6d772ca 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -111,6 +111,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
 fi
 fi
 
+kernel_cmdline=""
 if test -f /proc/cmdline; then
 kernel_cmdline="$(cat -- /proc/cmdline)"
 fi

From 5159de63438e8c1274658e7175a80fb693d6554a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 28 May 2025 13:48:11 +0000
Subject: [PATCH 10/12] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 253259a..01216c3 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 3e102df76583a14b5efc18238aefbf539ab0d8a1
+Author: Patrick Schleizer
+Date: Wed May 28 08:37:03 2025 -0400
+
+ fix
+commit d5edc243ac2db861f1600d3906a02494eaf9a824
+Author: Patrick Schleizer
+Date: Wed May 28 12:12:00 2025 +0000
+
+ bumped changelog version
+
 commit eda1d0aef640af1ea73c72d6caa876733de4e5a0
 Merge: e966774 5a10ad0
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index 2f1be9f..152c289 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:46.1-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 28 May 2025 13:48:11 +0000
+
 security-misc (3:46.0-1) unstable; urgency=medium
 
 * New upstream version (local package).

From 109c0134677d991c449aa009773cb22babeee8db Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Thu, 12 Jun 2025 01:08:34 -0500
Subject: [PATCH 11/12] Add comment related to approx package caching proxy
---
 usr/libexec/security-misc/permission-lockdown | 1 +
 1 file changed, 1 insertion(+)
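Review bot: The added `kernel_cmdline=""` has no comment and the commit subject is just "fix", so a reader cannot tell whether it guards a nounset abort when /proc/cmdline is absent or deliberately makes the later checks treat a missing file as an empty command line; whether pam-info runs with `set -u` is not visible in the hunk. Say which, e.g. `## Default to empty so the checks below do not fail under nounset when /proc is unavailable (e.g. in a chroot).` Since this is a PAM helper that runs on every authentication, the failure mode being fixed deserves a proper description in the commit message as well.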
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index 31aaee4..19fbe89 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -25,6 +25,7 @@
 # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
 # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
 # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx"
 # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
 # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
 # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"

From 115b6f6aa2a4d00ad5690c2c0889e142540c01ca Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 14 Jun 2025 11:51:44 +0000
Subject: [PATCH 12/12] bumped changelog version
---
 changelog.upstream | 19 +++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 25 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 01216c3..b1f95a9 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,22 @@ +commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 +Merge: 5159de6 109c013 +Author: Patrick Schleizer +Date: Fri Jun 13 15:09:52 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx' + +commit 109c0134677d991c449aa009773cb22babeee8db +Author: Aaron Rainbolt +Date: Thu Jun 12 01:08:34 2025 -0500 + + Add comment related to approx package caching proxy + +commit 5159de63438e8c1274658e7175a80fb693d6554a +Author: Patrick Schleizer +Date: Wed May 28 13:48:11 2025 +0000 + + bumped changelog version + commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 Author: Patrick Schleizer Date: Wed May 28 08:37:03 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 152c289..6f6d1ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Jun 2025 11:51:44 +0000 + security-misc (3:46.1-1) unstable; urgency=medium * New upstream version (local package).