Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2022-06-08 08:20:24 -04:00
commit fcaec49675
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 37 additions and 3 deletions

View File

@ -0,0 +1,14 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
# Keep the `passwd` utility executable to prevent issues with the
# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
# user logins with `su` and KScreenLocker
#
# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
/usr/bin/passwd 0755 root root
/bin/passwd 0755 root root

View File

@ -0,0 +1,11 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## required for performing password validation from unprivileged user
## processes such as KScreenLockers unlock prompt
/usr/sbin/unix_chkpwd exactwhitelist
/sbin/unix_chkpwd exactwhitelist

View File

@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() {
set_file_perms() {
echo "INFO: START parsing config_file: '$config_file'"
local line
while read -r line; do
while read -r line || [[ -n "${line}" ]]; do
if [ "$line" = "" ]; then
continue
fi
@ -318,12 +318,12 @@ set_file_perms() {
continue
fi
if ! getent passwd | grep -q "^${owner_from_config}:" ; then
if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
continue
fi
if ! getent group | grep -q "^${group_from_config}:" ; then
if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
continue
fi
@ -462,6 +462,15 @@ set_file_perms() {
}
parse_config_folder() {
# Query contents of password and group databases only once and buffer them
#
# If we dont buffer we sometimes get incorrect results when checking for entries using
# `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
# this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
# `set -o pipefail` is set for this script.
passwd_file_contents="$(getent passwd)"
group_file_contents="$(getent group)"
shopt -s nullglob
for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
set_file_perms