security-misc/usr/lib/permission-hardener.d
Ashlen 94dc9da4ab
fix(permission-hardener): ssh-agent gets 755 perms
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.

When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87af, permission-hardener began resetting it to restrictive
defaults (744), preventing non-root users from executing ssh-agent. This
broke split SSH functionality in Qubes OS for me because I was using
Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).

As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
2025-05-20 18:04:46 -06:00
25_default_whitelist_bubblewrap.conf Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory 2025-01-07 14:10:46 -06:00
25_default_whitelist_chromium.conf permission hardener: disable SUID for chrome-sandbox 2025-01-14 04:09:57 -05:00
25_default_whitelist_dbus.conf comment 2025-01-14 04:12:12 -05:00
25_default_whitelist_firejail.conf comments 2025-04-08 06:53:08 -04:00
25_default_whitelist_fuse.conf comment 2025-01-14 03:54:35 -05:00
25_default_whitelist_hardened_malloc.conf copyright 2024-12-31 13:26:21 -05:00
25_default_whitelist_mount.conf Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory 2025-01-07 14:10:46 -06:00
25_default_whitelist_pam.conf comment 2025-01-14 03:56:55 -05:00
25_default_whitelist_passwd.conf usrmerge 2025-01-20 06:28:16 -05:00
25_default_whitelist_policykit.conf comments 2025-01-20 04:29:42 -05:00
25_default_whitelist_postfix.conf comments 2025-01-20 04:29:42 -05:00
25_default_whitelist_qubes.conf comment 2025-01-14 04:13:39 -05:00
25_default_whitelist_selinux.conf comments 2025-01-20 04:29:42 -05:00
25_default_whitelist_spice.conf comments 2025-01-20 04:29:42 -05:00
25_default_whitelist_ssh.conf fix(permission-hardener): ssh-agent gets 755 perms 2025-05-20 18:04:46 -06:00
25_default_whitelist_sudo.conf comments 2025-01-20 04:29:42 -05:00
25_default_whitelist_unix_chkpwd.conf usrmerge 2025-01-20 06:28:16 -05:00
25_default_whitelist_virtualbox.conf usrmerge 2025-01-20 06:28:16 -05:00
30_default.conf copyright 2024-12-31 13:26:21 -05:00