From eff5af03184f52181894884b90a8d867a1f10956 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 20 Jun 2021 10:16:33 -0400
Subject: [PATCH] https://forums.whonix.org/t/restrict-root-access/7658/116
---
 etc/permission-hardening.d/25_default_sudo.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf
index fe92af1..3087ad4 100644
--- a/etc/permission-hardening.d/25_default_sudo.conf
+++ b/etc/permission-hardening.d/25_default_sudo.conf
@@ -5,6 +5,7 @@
 ## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
+## https://forums.whonix.org/t/restrict-root-access/7658/116
 ## This restricts the file permissions of the sudo executable so that a vulnerability
 ## in the program will not be exploitable by any users not in the "sudo" group. sudo
 ## is a very complex program and is setuid so vulnerabilities in it can allow privilege
@@ -15,5 +16,5 @@
 ## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
 ## compromised network-facing daemon (such as web servers, time synchronization daemons,
 ## etc.) running as its own user from exploiting sudo to escalate privileges.
-/usr/bin/sudo 4750 root sudo
-/bin/sudo 4750 root sudo
+#/usr/bin/sudo 4750 root sudo
+#/bin/sudo 4750 root sudo
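Review bot: In the second hunk both `sudo` entries are commented out, but the comment block above them still reads as if the restriction were active ("This restricts the file permissions of the sudo executable ..."), so an administrator reading the file will assume service accounts outside the "sudo" group cannot execute the setuid binary. The only hint that the hardening is now off is the bare forum URL added in the first hunk. I would add a line directly above the disabled entries such as `## Disabled by default (see forum link above). Uncomment, or copy into 20_user.conf, to limit sudo to members of the "sudo" group.` and reword the opening to "This would restrict ...". Whether systems that already had mode 4750 applied are reverted on upgrade is not visible from this patch and is worth confirming, since otherwise upgraded and fresh installs end up with different sudo permissions. The comment block begins and continues outside the lines shown in these hunks.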