Refactor permission-hardener

- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;

etc/permission-hardening.d/30_default.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
@@ -9,10 +9,8 @@
 ##
 ## Syntax:
 ## [filename] [mode] [owner] [group] [capability]
+## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]
 ##
-## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
-## argument.
-
 ## TODO: white spaces inside file name untested and probably will not work.
 
 ######################################################################
@@ -22,13 +20,9 @@
 #whitelists_disable_all=true
 
 ######################################################################
-# SUID disablewhitelist
+# SUID disables below (or in lexically higher) files: disablewhitelist
 ######################################################################
 
-## disablewhitelist disables below (or in lexically higher) files
-## exactwhitelist and matchwhitelist. Add these here (discouraged) or better
-## in file "/etc/permission-hardening.d/20_user.conf".
-
 ## For example, if you are not using SELinux the following might make sense to
 ## enable. TODO: research
 #/utempter/utempter disablewhitelist
@@ -37,7 +31,7 @@
 #/fusermount disablewhitelist
 
 ######################################################################
-# SUID exact match whitelist
+# SUID whitelist matches full path: exactwhitelist
 ######################################################################
 
 ## In case you need to use 'su'. See also:
@@ -45,10 +39,6 @@
 #/bin/su exactwhitelist
 #/usr/bin/su exactwhitelist
 
-######################################################################
-# SUID exact match whitelist
-######################################################################
-
 ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
 ## http://forums.whonix.org/t/permission-hardening/8655/25
@@ -56,12 +46,12 @@
 #/lib/xorg/Xorg.wrap whitelist
 
 ######################################################################
-# SUID regex match whitelist
+# SUID whitelist matches in any section of the path: matchwhitelist
 ######################################################################
 
-######################################################################
-# SUID regex match whitelist
-######################################################################
+## Examples below are already configured:
+#ssh-agent matchwhitelist
+#/lib/openssh matchwhitelist
 
 ######################################################################
 # Permission Hardening
@@ -95,9 +85,12 @@
 /etc/passwd- 0644 root root
 
 ######################################################################
-# SUID/SGID Removal
+# SUID/SGID Removal: nosuid
 ######################################################################
 
+## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
+## argument.
+##
 ## Remove all SUID/SGID binaries/libraries.
 
 /bin/ nosuid

usr/bin/permission-hardening-undo

@@ -1,136 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-#set -x
-set -e
-set -o pipefail
-
-if [ "$1" = "all" ]; then
-   remove_file="all"
-elif [ ! "$1" = "" ]; then
-   remove_file="$1"
-else
-   echo "ERROR: need to give parameter 'all' or a filename.
-
-examples:
-
-$0 all
-
-$0 /usr/bin/newgrp
-   " >&2
-fi
-
-exit_code=0
-
-dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
-dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
-
-undo_permission_hardening() {
-   if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
-      return 0
-   fi
-
-   local line
-
-   while read -r line; do
-      ## example line:
-      ## root root 4755 /usr/lib/eject/dmcrypt-get-device
-
-      local owner group mode file_name
-      if ! read -r owner group mode file_name <<< "$line" ; then
-         exit_code=201
-         echo "ERROR: cannot parse line: $line" >&2
-         continue
-      fi
-      true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'"
-
-      if [ "$remove_file" = "all" ]; then
-         do_proceed=true
-         verbose_maybe=""
-      else
-         if [ "$remove_file" = "$file_name" ]; then
-            do_proceed=true
-            verbose_maybe="--verbose"
-            remove_one=true
-         else
-            do_proceed=false
-            verbose_maybe=""
-         fi
-      fi
-
-      if [ "$do_proceed" = "false" ]; then
-         continue
-      fi
-
-      if [ "$remove_one" = "true" ]; then
-         set -x
-      fi
-
-      if test -e "$file_name" ; then
-         chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202
-         ## chmod need to be run after chown since chown removes suid.
-         ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
-         chmod $verbose_maybe "$mode" "$file_name" || exit_code=203
-      else
-         echo "INFO: file_name: '$file_name' - does not exist. This is likely normal."
-      fi
-
-      dpkg-statoverride --remove "$file_name" &>/dev/null || true
-      dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true
-      dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true
-
-      if [ "$remove_one" = "true" ]; then
-         set +x
-         break
-      fi
-
-   done < "/var/lib/permission-hardening/existing_mode/statoverride"
-}
-
-undo_permission_hardening
-
-if [ ! "$remove_file" = "all" ]; then
-   if [ ! "$remove_one" = "true" ]; then
-      echo "INFO: none removed.
-
-File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program.
-
-Note: This is expected if already done earlier.
-
-Note: This program expects the full path to the file. Example:
-
-$0 /usr/bin/newgrp
-
-The following syntax will not work:
-
-$0 program-name
-
-The following example will not work:
-
-$0 newgrp
-
-To remove all:
-
-$0 all
-
-This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
-https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
-
-To view list of changed by SUID Disabler and Permission Hardener:
-https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
-
-For re-enabling any specific SUID binary:
-https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
-
-For completely disabling SUID Disabler and Permission Hardener:
-https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
-   fi
-fi
-
-if [ ! "$exit_code" = "0" ]; then
-   echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
-fi
-
-exit "$exit_code"