Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-26 23:39:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix terminology, sguid -> sgid

Browse Source 
Thanks to @madaidan for the bug report!

https://forums.whonix.org/t/permission-hardening/8655/21
This commit is contained in:
Patrick Schleizer 2019-12-20 11:58:07 -05:00
parent 1cd5fb6a00
commit f88ca25889
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
usr/lib/security-misc/permission-hardening
View File

@ -82,14 +82,14 @@ add_nosuid_statoverride_entry() {
setuid=true setuid=true
setuid_output="set-user-id" setuid_output="set-user-id"
fi fi
setguid="" setsgid=""
setguid_output="" setsgid_output=""
if test -g "$file_name"; then if test -g "$file_name"; then
setguid=true setsgid=true
setguid_output="set-group-id" setsgid_output="set-group-id"
fi fi
if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then
string_length_of_existing_mode="${#existing_mode}" string_length_of_existing_mode="${#existing_mode}"
if [ "$string_length_of_existing_mode" = "4" ]; then if [ "$string_length_of_existing_mode" = "4" ]; then
new_mode="${existing_mode:1}" new_mode="${existing_mode:1}"
@ -99,7 +99,7 @@ add_nosuid_statoverride_entry() {
## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability? ## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability?
## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these? ## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these?
## Are there suid or guid binaries which are still useful if suid / guid has been removed from these? ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
## https://forums.whonix.org/t/permission-hardening/8655/10 ## https://forums.whonix.org/t/permission-hardening/8655/10
# if [ "$new_mode" = "755" ]; then # if [ "$new_mode" = "755" ]; then
# new_mode=744 # new_mode=744
@ -121,11 +121,11 @@ add_nosuid_statoverride_entry() {
done done
if [ "$is_whitelisted" = "true" ]; then if [ "$is_whitelisted" = "true" ]; then
echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue continue
fi fi
echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
## No need to check "dpkg-statoverride --list" for existing entries. ## No need to check "dpkg-statoverride --list" for existing entries.
## If existing_mode was correct already, we would not have reached this point. ## If existing_mode was correct already, we would not have reached this point.