## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## https://forums.whonix.org/t/restrict-root-access/7658/116 ## This restricts the file permissions of the sudo executable so that a vulnerability ## in the program will not be exploitable by any users not in the "sudo" group. sudo ## is a very complex program and is setuid so vulnerabilities in it can allow privilege ## escalation, regardless of other root access restrictions. For example, the following ## buffer overflow vulnerability could have been exploited by any user on the system: ## https://www.openwall.com/lists/oss-security/2021/01/26/3 ## With this restriction, only users explicitly permitted to use sudo by being added to ## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a ## compromised network-facing daemon (such as web servers, time synchronization daemons, ## etc.) running as its own user from exploiting sudo to escalate privileges. #/usr/bin/sudo 4750 root sudo #/bin/sudo 4750 root sudo