Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2022-06-08 08:20:24 -04:00
commit fcaec49675
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 37 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
etc/permission-hardening.d/25_default_passwd.conf Normal file
View File

@ -0,0 +1,14 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
# Keep the `passwd` utility executable to prevent issues with the
# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
# user logins with `su` and KScreenLocker
#
# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
/usr/bin/passwd 0755 root root
/bin/passwd 0755 root root

11
etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf Normal file
View File

@ -0,0 +1,11 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## required for performing password validation from unprivileged user
## processes such as KScreenLockers unlock prompt
/usr/sbin/unix_chkpwd exactwhitelist
/sbin/unix_chkpwd exactwhitelist

15
usr/libexec/security-misc/permission-hardening
View File

@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() {
set_file_perms() { set_file_perms() {
echo "INFO: START parsing config_file: '$config_file'" echo "INFO: START parsing config_file: '$config_file'"
local line local line
while read -r line; do while read -r line || [[ -n "${line}" ]]; do
if [ "$line" = "" ]; then if [ "$line" = "" ]; then
continue continue
fi fi
@ -318,12 +318,12 @@ set_file_perms() {
continue continue
fi fi
if ! getent passwd | grep -q "^${owner_from_config}:" ; then if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then
echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2
continue continue
fi fi
if ! getent group | grep -q "^${group_from_config}:" ; then if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then
echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2
continue continue
fi fi
@ -462,6 +462,15 @@ set_file_perms() {
} }
parse_config_folder() { parse_config_folder() {
# Query contents of password and group databases only once and buffer them
#
# If we dont buffer we sometimes get incorrect results when checking for entries using
# `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
# this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
# `set -o pipefail` is set for this script.
passwd_file_contents="$(getent passwd)"
group_file_contents="$(getent group)"
shopt -s nullglob shopt -s nullglob
for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do
set_file_perms set_file_perms