## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/50_user.conf" or ## "/usr/local/etc/permission-hardening.d/50_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] ## ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## argument. ## SUID whitelist. ## TODO: white spaces inside file name untested /usr/bin/sudo whitelist /bin/sudo whitelist /usr/bin/bwrap whitelist /bin/bwrap whitelist /usr/lib/policykit-1/polkit-agent-helper-1 whitelist /usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/x86_64-linux-gnu/utempter/utempter whitelist ## TODO: research ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c /usr/lib/qubes/qfile-unpacker whitelist ## Permission hardening. /home/ 0755 root root /home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root /etc/permission-hardening.d 0600 root root /usr/local/etc/permission-hardening.d 0600 root root ## Remove all SUID/SGID binaries/libraries. /bin/ nosuid /usr/bin/ nosuid /usr/local/bin/ nosuid /sbin/ nosuid /usr/sbin/ nosuid /usr/local/sbin/ nosuid ## No SUID binaries there by default. ## remount-secure mounts it with nosuid anyhow. ## Therefore no processing it here. #/lib/ nosuid /lib32/ nosuid /lib64/ nosuid /usr/lib/ nosuid /usr/lib32/ nosuid /usr/lib64/ nosuid /usr/local/lib/ nosuid /usr/local/lib32/ nosuid /usr/local/lib64/ nosuid