Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-21 05:01:03 -05:00
Code Issues Packages Projects Releases Wiki Activity
d5ff1d6f28
security-misc/usr/lib/security-misc/permission-hardening
Patrick Schleizer d5ff1d6f28
refactoring
2019-12-20 03:00:39 -05:00

141 lines
3.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#set -x
exit_code=0
config_file="/etc/permission-hardening.conf"
shopt -s globstar
echo_wrapper() {
echo "run: $@"
#"$@"
}
add_statoverride_entry() {
if [ "${nosuid}" = "true" ]; then
echo "fso: $fso"
while read -r line; do
if ! read -r file_name existing_mode owner group; then
continue
fi
## -h file True if file is a symbolic Link.
## -u file True if file has its set-user-id bit set.
## -g file True if file has its set-group-id bit set.
if test -h "$file_name" ; then
## https://forums.whonix.org/t/kernel-hardening/7296/323
true "skip symlink: $file_name"
continue
fi
if test -u "$file_name" || test -g "$file_name"; then
string_length_of_existing_mode="${#existing_mode}"
if [ "$string_length_of_existing_mode" = "4" ]; then
new_mode="${existing_mode:1}"
else
new_mode="${existing_mode}"
fi
echo "suid - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
if dpkg-statoverride --list | grep -q "$file_name"; then
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${existing_mode:1} $file_name"; then
echo_wrapper dpkg-statoverride --remove "$file_name"
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "$file_name"
fi
else
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "${existing_mode:1}" "$file_name"
fi
fi
done < <( stat -c "%n %a %U %G" "${fso%/}/"** )
else
echo_wrapper dpkg-statoverride --add --update "${owner}" "${group}" "$mode" "${fso%/}"
fi
}
set_file_perms() {
while read -r line; do
if [ "$line" = "" ]; then
continue
fi
if [[ "$line" =~ ^# ]]; then
continue
fi
if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
true OK
else
exit_code=200
echo "ERROR: cannot parse line with invalid character: ${line}" >&2
continue
fi
if ! read -r fso mode owner group capability <<< "${line}" ; then
exit_code=201
echo "ERROR: cannot parse line: ${line}" >&2
continue
fi
if ! [ -e "${fso}" ]; then
echo "INFO: fso '${fso}' does not exist!"
continue
fi
nosuid=""
if [ "$mode" = "nosuid" ]; then
nosuid="true"
elif ! seq -w 000 4777 | grep -qw "$mode"; then
echo "ERROR: Mode '$mode' is invalid!" >&2
continue
fi
if [ ! "$mode" = "nosuid" ]; then
if ! getent passwd | grep -q "^${owner}:"; then
echo "ERROR: User '${owner}' does not exist!" >&2
continue
fi
if ! getent group | grep -q "^${group}:"; then
echo "ERROR: Group '${group}' does not exist!" >&2
continue
fi
fi
## The permissions should not be reset during upgrades.
if dpkg-statoverride --list | grep -q "${fso%/}"; then
## If there is an entry for the fso, but the owner/group/mode do not
## match, we remove and re-add the entry to update it.
if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${fso%/}"; then
echo_wrapper dpkg-statoverride --remove "${fso}"
add_statoverride_entry
fi
else
add_statoverride_entry
fi
if ! [ "$capability" = "" ]; then
if [ "$capability" = "none" ]; then
echo_wrapper setcap -r "${fso}"
else
if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then
echo "ERROR: Capability '$capability' does not exist!" >&2
continue
fi
echo_wrapper setcap "${capability}+ep" "${fso}"
fi
fi
done < "${config_file}"
}
set_file_perms
exit "$exit_code"
Reference in New Issue View Git Blame Copy Permalink