Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2019-12-20 01:30:31 -05:00
commit c5d1e9dda7
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 75 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
etc/permission-hardening.conf
View File

@ -1,10 +1,41 @@
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## File permission hardening. ## File permission hardening.
## ##
## Syntax: ## Syntax:
## [filename] [mode] [owner] [group] [capability] ## [filename] [mode] [owner] [group] [capability]
## ##
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
## argument.
##
/home/ 0755 root root /home/ 0755 root root
/home/user/ 0700 user user /home/user/ 0700 user user
/root/ 0700 root root /root/ 0700 root root
/boot/ 0700 root root /boot/ 0700 root root
/etc/permission-hardening.conf 0600 root root /etc/permission-hardening.conf 0600 root root
## Remove all SUID/SGID binaries/libraries.
/bin/ nosuid
/usr/bin/ nosuid
/usr/local/bin/ nosuid
/sbin/ nosuid
/usr/sbin/ nosuid
/usr/local/sbin/ nosuid
/lib/ nosuid
/lib32/ nosuid
/lib64/ nosuid
/usr/lib/ nosuid
/usr/lib32/ nosuid
/usr/lib64/ nosuid
/usr/local/lib/ nosuid
/usr/local/lib32/ nosuid
/usr/local/lib64/ nosuid
## SUID whitelist.
/usr/bin/sudo 4755 root root
/usr/bin/bwrap 4755 root root
/usr/lib/policykit-1/polkit-agent-helper-1 4755 root root
/usr/lib/dbus-1.0/dbus-daemon-launch-helper 4754 root messagebus
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper 4755 root root
/usr/lib/x86_64-linux-gnu/utempter/utempter 2755 root utmp

52
usr/lib/security-misc/permission-hardening
View File

@ -1,11 +1,47 @@
#!/bin/bash #!/bin/bash
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -x
config_file="/etc/permission-hardening.conf" config_file="/etc/permission-hardening.conf"
shopt -s globstar
add_statoverride_entry() {
if [ "${nosuid}" = "true" ]; then
while read -r line; do
if ! read -r file_name existing_mode owner group; then
continue
fi
if test -u "${file_name}" || test -g "${file_name}"; then
echo "suid - file_name: '${file_name}' | existing_mode: '${existing_mode}'"
if dpkg-statoverride --list | grep -q "${file_name}"; then
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${existing_mode:1} ${file_name}"; then
dpkg-statoverride --remove "${file_name}"
dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "${file_name}"
fi
else
dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "${file_name}"
fi
fi
done < <( stat -c "%n %a %U %G" ${file%/}/** )
else
dpkg-statoverride --add --update "${owner}" "${group}" "${mode}" "${file%/}"
fi
}
set_file_perms() { set_file_perms() {
while read -r line; do while read -r line; do
[[ "$line" =~ ^#.*$ ]] && continue [[ "$line" =~ ^#.*$ ]] && continue
if [ "${line}" = "" ]; then
continue
fi
if ! read -r file mode owner group capability <<< "${line}" ; then if ! read -r file mode owner group capability <<< "${line}" ; then
echo "ERROR: cannot parse line: ${line}" echo "ERROR: cannot parse line: ${line}"
continue continue
@ -16,34 +52,34 @@ set_file_perms() {
continue continue
fi fi
if ! seq -w 000 4777 | grep -qw "${mode}"; then nosuid=""
if [ "${mode}" = "nosuid" ]; then
nosuid="true"
elif ! seq -w 000 4777 | grep -qw "${mode}"; then
echo "ERROR: Mode '${mode}' is invalid!" echo "ERROR: Mode '${mode}' is invalid!"
continue continue
fi fi
if ! getent passwd | grep -q "^${owner}:"; then if ! getent passwd | grep -q "^${owner}:" && ! [ "${mode}" = "nosuid" ]; then
echo "ERROR: User '${owner}' does not exist!" echo "ERROR: User '${owner}' does not exist!"
continue continue
fi fi
if ! getent group | grep -q "^${group}:"; then if ! getent group | grep -q "^${group}:" && ! [ "${mode}" = "nosuid" ]; then
echo "ERROR: Group '${group}' does not exist!" echo "ERROR: Group '${group}' does not exist!"
continue continue
fi fi
chmod "${mode}" "${file}"
chown "${owner}:${group}" "${file}"
## The permissions should not be reset during upgrades. ## The permissions should not be reset during upgrades.
if dpkg-statoverride --list | grep -q "${file%/}"; then if dpkg-statoverride --list | grep -q "${file%/}"; then
## If there is an entry for the file, but the owner/group/mode do not ## If there is an entry for the file, but the owner/group/mode do not
## match, we remove and re-add the entry to update it. ## match, we remove and re-add the entry to update it.
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${file%/}"; then if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${file%/}"; then
dpkg-statoverride --remove "${file}" dpkg-statoverride --remove "${file}"
dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}" add_statoverride_entry
fi fi
else else
dpkg-statoverride --add "${owner}" "${group}" "${mode}" "${file}" add_statoverride_entry
fi fi
if ! [ "${capability}" = "" ]; then if ! [ "${capability}" = "" ]; then