Refactor permission-hardener

- Organize comments from default configuration; - Apply and undo changes from a single file controlled by parameters; - Arrays should be evaluated as arrays and not normal variables; - Quote variables; - Brackets around variables; - Standardize test cases to "test" command; - Test against empty or non-empty variables with "-z" and "-n"; - Show a usage message when necessary; - Require root to run the script with informative message; - Permit the user to see the help message without running as root; - Do not create root directories without passing root check; - Use long options for "set" command;
2025-06-08 14:12:38 -04:00 · 2024-01-02 12:17:16 +01:00 · 2024-01-02 12:17:16 +01:00 · f138cf0f78
commit f138cf0f78
parent e15596e7af
3 changed files with 615 additions and 595 deletions
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
@ -9,10 +9,8 @@
 ##
 ## Syntax:
 ## [filename] [mode] [owner] [group] [capability]
 ## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]
 ##
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.
 ## TODO: white spaces inside file name untested and probably will not work.
 ######################################################################
@ -22,13 +20,9 @@
 #whitelists_disable_all=true
 ######################################################################
-# SUID disablewhitelist
+# SUID disables below (or in lexically higher) files: disablewhitelist
 ######################################################################
 ## disablewhitelist disables below (or in lexically higher) files
 ## exactwhitelist and matchwhitelist. Add these here (discouraged) or better
 ## in file "/etc/permission-hardening.d/20_user.conf".
 ## For example, if you are not using SELinux the following might make sense to
 ## enable. TODO: research
 #/utempter/utempter disablewhitelist
@ -37,7 +31,7 @@
 #/fusermount disablewhitelist
 ######################################################################
-# SUID exact match whitelist
+# SUID whitelist matches full path: exactwhitelist
 ######################################################################
 ## In case you need to use 'su'. See also:
@ -45,10 +39,6 @@
 #/bin/su exactwhitelist
 #/usr/bin/su exactwhitelist
 ######################################################################
 # SUID exact match whitelist
 ######################################################################
 ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
 ## http://forums.whonix.org/t/permission-hardening/8655/25
@ -56,12 +46,12 @@
 #/lib/xorg/Xorg.wrap whitelist
 ######################################################################
-# SUID regex match whitelist
+# SUID whitelist matches in any section of the path: matchwhitelist
 ######################################################################
-######################################################################
+## Examples below are already configured:
-# SUID regex match whitelist
+#ssh-agent matchwhitelist
-######################################################################
+#/lib/openssh matchwhitelist
 ######################################################################
 # Permission Hardening
@ -95,9 +85,12 @@
 /etc/passwd- 0644 root root
 ######################################################################
-# SUID/SGID Removal
+# SUID/SGID Removal: nosuid
 ######################################################################
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.
 ##
 ## Remove all SUID/SGID binaries/libraries.
 /bin/ nosuid
--- a/usr/bin/permission-hardening
+++ b/usr/bin/permission-hardening
--- a/usr/bin/permission-hardening-undo
+++ b/usr/bin/permission-hardening-undo
@ -1,136 +0,0 @@
 #!/bin/bash
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 #set -x
 set -e
 set -o pipefail
 if [ "$1" = "all" ]; then
   remove_file="all"
 elif [ ! "$1" = "" ]; then
   remove_file="$1"
 else
   echo "ERROR: need to give parameter 'all' or a filename.
 examples:
 $0 all
 $0 /usr/bin/newgrp
   " >&2
 fi
 exit_code=0
 dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
 undo_permission_hardening() {
   if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
      return 0
   fi
   local line
   while read -r line; do
      ## example line:
      ## root root 4755 /usr/lib/eject/dmcrypt-get-device
      local owner group mode file_name
      if ! read -r owner group mode file_name <<< "$line" ; then
         exit_code=201
         echo "ERROR: cannot parse line: $line" >&2
         continue
      fi
      true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'"
      if [ "$remove_file" = "all" ]; then
         do_proceed=true
         verbose_maybe=""
      else
         if [ "$remove_file" = "$file_name" ]; then
            do_proceed=true
            verbose_maybe="--verbose"
            remove_one=true
         else
            do_proceed=false
            verbose_maybe=""
         fi
      fi
      if [ "$do_proceed" = "false" ]; then
         continue
      fi
      if [ "$remove_one" = "true" ]; then
         set -x
      fi
      if test -e "$file_name" ; then
         chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202
         ## chmod need to be run after chown since chown removes suid.
         ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
         chmod $verbose_maybe "$mode" "$file_name" || exit_code=203
      else
         echo "INFO: file_name: '$file_name' - does not exist. This is likely normal."
      fi
      dpkg-statoverride --remove "$file_name" &>/dev/null || true
      dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true
      dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true
      if [ "$remove_one" = "true" ]; then
         set +x
         break
      fi
   done < "/var/lib/permission-hardening/existing_mode/statoverride"
 }
 undo_permission_hardening
 if [ ! "$remove_file" = "all" ]; then
   if [ ! "$remove_one" = "true" ]; then
      echo "INFO: none removed.
 File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program.
 Note: This is expected if already done earlier.
 Note: This program expects the full path to the file. Example:
 $0 /usr/bin/newgrp
 The following syntax will not work:
 $0 program-name
 The following example will not work:
 $0 newgrp
 To remove all:
 $0 all
 This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
 To view list of changed by SUID Disabler and Permission Hardener:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
 For re-enabling any specific SUID binary:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
 For completely disabling SUID Disabler and Permission Hardener:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
   fi
 fi
 if [ ! "$exit_code" = "0" ]; then
   echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
 fi
 exit "$exit_code"