diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardening.d/25_default_passwd.conf new file mode 100644 index 0000000..19c2a4d --- /dev/null +++ b/etc/permission-hardening.d/25_default_passwd.conf @@ -0,0 +1,14 @@ +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +# Keep the `passwd` utility executable to prevent issues with the +# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking +# user logins with `su` and KScreenLocker +# +# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd 0755 root root +/bin/passwd 0755 root root diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf new file mode 100644 index 0000000..15ff326 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf @@ -0,0 +1,11 @@ +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## required for performing password validation from unprivileged user +## processes such as KScreenLocker’s unlock prompt +/usr/sbin/unix_chkpwd exactwhitelist +/sbin/unix_chkpwd exactwhitelist diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index c0572c2..9d78068 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() { set_file_perms() { echo "INFO: START parsing config_file: '$config_file'" local line - while read -r line; do + while read -r line || [[ -n "${line}" ]]; do if [ "$line" = "" ]; then continue fi @@ -318,12 +318,12 @@ set_file_perms() { continue fi - if ! getent passwd | grep -q "^${owner_from_config}:" ; then + if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 continue fi - if ! getent group | grep -q "^${group_from_config}:" ; then + if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 continue fi @@ -462,6 +462,15 @@ set_file_perms() { } parse_config_folder() { + # Query contents of password and group databases only once and buffer them + # + # If we don’t buffer we sometimes get incorrect results when checking for entries using + # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in + # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since + # `set -o pipefail` is set for this script. + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + shopt -s nullglob for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do set_file_perms