Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-25 21:29:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix terminology, sguid -> sgid

Browse Source 
Thanks to @madaidan for the bug report!

https://forums.whonix.org/t/permission-hardening/8655/21
This commit is contained in:
Patrick Schleizer 2019-12-20 11:58:07 -05:00
parent 1cd5fb6a00
commit f88ca25889
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
usr/lib/security-misc/permission-hardening
View File

@ -82,14 +82,14 @@ add_nosuid_statoverride_entry() {
setuid=true
setuid_output="set-user-id"
fi
setguid=""
setguid_output=""
setsgid=""
setsgid_output=""
if test -g "$file_name"; then
setguid=true
setguid_output="set-group-id"
setsgid=true
setsgid_output="set-group-id"
fi
if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then
if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
string_length_of_existing_mode="${#existing_mode}"
if [ "$string_length_of_existing_mode" = "4" ]; then
new_mode="${existing_mode:1}"
@ -99,7 +99,7 @@ add_nosuid_statoverride_entry() {
## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?
## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?
## Are there suid or guid binaries which are still useful if suid / guid has been removed from these?
## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
## https://forums.whonix.org/t/permission-hardening/8655/10
# if [ "$new_mode" = "755" ]; then
# new_mode=744
@ -121,11 +121,11 @@ add_nosuid_statoverride_entry() {
done
if [ "$is_whitelisted" = "true" ]; then
echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue
fi
echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
## No need to check "dpkg-statoverride --list" for existing entries.
## If existing_mode was correct already, we would not have reached this point.