From f8f2e6c7041d98572452be2e53094d0c539b1616 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon, 23 Dec 2019 02:35:13 -0500
Subject: [PATCH] fix disablewhitelist feature

---
 etc/permission-hardening.d/30_default.conf | 2 ++
 usr/lib/security-misc/permission-hardening | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index b030e55..9527253 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -17,6 +17,8 @@
 # SUID disablewhitelist
 ######################################################################
 
+#/utempter/utempter disablewhitelist
+
 ######################################################################
 # SUID exact match whitelist
 ######################################################################
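Review bot: The added example `#/utempter/utempter disablewhitelist` is a path fragment rather than a full path, but nothing in this section says how an entry is compared with a file name. With the grep-based check this same commit introduces in usr/lib/security-misc/permission-hardening, an entry appears to match anywhere in the path, so a short entry could disable the whitelist for more files than intended. A comment above the example would make that explicit, e.g. `## Entries are matched as a substring of the full path; use the longest unambiguous fragment.`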
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index d6335bc..d175acb 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -170,7 +170,7 @@ add_nosuid_statoverride_entry() {
       local is_disable_whitelisted
       is_disable_whitelisted=""
       for disablematch_list_entry in $disable_white_list ; do
-         if [ "$file_name" = "$disablematch_list_entry" ]; then
+         if echo "$file_name" | grep -q "$disablematch_list_entry" ; then
             is_disable_whitelisted="true"
             ## Stop looping through the disablewhitelist.
             break
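Review bot: On the new `if echo "$file_name" | grep -q "$disablematch_list_entry"` line, each disablewhitelist entry is interpreted as an unanchored basic regular expression. A `.` or `*` in an entry therefore matches more than the literal text, and an entry beginning with `-` would be parsed as a grep option. This test decides whether the whitelist is bypassed for a SUID/SGID file, so the comparison should be literal and option-safe: `if printf '%s\n' "$file_name" | grep -q -F -- "$disablematch_list_entry" ; then`. The loop and the rest of add_nosuid_statoverride_entry continue outside the hunk, so how `$disable_white_list` is populated could not be checked here.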
@@ -179,7 +179,6 @@ add_nosuid_statoverride_entry() {
 
       if [ "$is_disable_whitelisted" = "true" ]; then
          echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
-         continue
       else
          if [ "$is_exact_whitelisted" = "true" ]; then
             echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"