Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-03 22:44:49 -04:00
Code Issues Projects Releases Packages Wiki Activity
security-misc/usr/lib/security-misc/permission-hardening
Patrick Schleizer e74d2e4f94
output
2019-12-20 04:23:14 -05:00

154 lines
4.5 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#set -x
exit_code=0
config_file="/etc/permission-hardening.conf"
shopt -s globstar
echo_wrapper() {
echo "run: $@"
## TODO
#"$@"
}
add_nosuid_statoverride_entry() {
while read -r line; do
if ! read -r file_name existing_mode owner group; then
continue
fi
## -h file True if file is a symbolic Link.
## -u file True if file has its set-user-id bit set.
## -g file True if file has its set-group-id bit set.
if test -h "$file_name" ; then
## https://forums.whonix.org/t/kernel-hardening/7296/323
true "skip symlink: $file_name"
continue
fi
if test -u "$file_name" || test -g "$file_name"; then
string_length_of_existing_mode="${#existing_mode}"
if [ "$string_length_of_existing_mode" = "4" ]; then
new_mode="${existing_mode:1}"
else
new_mode="$existing_mode"
fi
echo "suid - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
if dpkg-statoverride --list | grep -q "$file_name"; then
if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then
echo_wrapper dpkg-statoverride --remove "$file_name"
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
fi
else
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
fi
fi
done < <( stat -c "%n %a %U %G" "${fso_without_trailing_slash}/"** )
}
set_file_perms() {
while read -r line; do
if [ "$line" = "" ]; then
continue
fi
if [[ "$line" =~ ^# ]]; then
continue
fi
if [[ "$line" =~ [0-9a-zA-Z/] ]]; then
true OK
else
exit_code=200
echo "ERROR: cannot parse line with invalid character: $line" >&2
continue
fi
if ! read -r fso mode_from_config owner group capability <<< "$line" ; then
exit_code=201
echo "ERROR: cannot parse line: $line" >&2
continue
fi
if ! [ -e "$fso" ]; then
echo "INFO: fso '$fso' does not exist!"
continue
fi
echo "fso: $fso"
fso_without_trailing_slash="${fso%/}"
## Use dpkg-statoverride so permissions are not reset during upgrades.
nosuid=""
if [ "$mode_from_config" = "nosuid" ]; then
nosuid="true"
## If mode_from_config is "nosuid" the config does not set owner and
## group. Therefore do not enforce owner/group check.
add_nosuid_statoverride_entry
else
if ! seq -w 000 4777 | grep -qw "$mode_from_config"; then
echo "ERROR: Mode '$mode_from_config' is invalid!" >&2
continue
fi
if ! getent passwd | grep -q "^${owner}:"; then
echo "ERROR: User '$owner' does not exist!" >&2
continue
fi
if ! getent group | grep -q "^${group}:"; then
echo "ERROR: Group '$group' does not exist!" >&2
continue
fi
## Check there is an entry for the fso.
if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then
## There is an fso entry. Check if owner/group/mode match.
if dpkg-statoverride --list | grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then
## The owner/group/mode matches. No further action required.
true OK
else
## The owner/group/mode do not match, therefore remove and re-add the entry to update it.
## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /"
echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash"
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
fi
else
## There is no fso entry. Therefore add one.
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
fi
fi
if [ "$capability" = "" ]; then
continue
fi
if [ "$capability" = "none" ]; then
echo_wrapper setcap -r "$fso"
else
if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then
echo "ERROR: Capability '$capability' does not exist!" >&2
continue
fi
echo_wrapper setcap "${capability}+ep" "$fso"
fi
done < "$config_file"
}
set_file_perms
exit "$exit_code"
Reference in a new issue View git blame Copy permalink