Patrick
December 20, 2019, 5:39pm
35
set-user-id set-group-id found - file_name: ‘/usr/lib/xorg/Xorg.wrap’
Needed?
At first sight looks important. But Debian / systemd might not use / need it.
Are any of these actually used? Is there any breakage from removing their SUID bits? If not, then we can just ignore them.
Not yet tested. Can’t find anything online what these are used for. Testing this can be future work.
I doubt VboxNetDHCP would be used seeing as Whonix doesn’t even use DHCP at all.
security-misc isn’t just used by Whonix. I don’t want to break VirtualBox (hosts) for those who install security-misc or Kicksecure.
Would be better to match for /usr/lib/virtualbox/
in case some random directory that just happens to have the name “virtualbox” gets whitelisted.
Will add.
1 Like
No, Debian and many other linux distros use Xorg rootless by default so there’s no need for the suid wrapper unless the user themselves has configured X to run as root for whatever reason (which is a security risk due to X’s large attack surface).
1 Like
We can use this to remove capabilities of some unneeded binaries too by using the none
capability rule.
getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/ping = cap_net_raw+ep
I think we should remove the capabilities of /bin/ping
since it doesn’t work with Tor anyway.
1 Like
We can add Whonix specific things such as ping capability removal to anon-apps-config package as a drop- snippet.
Pull requests welcome.
1 Like
Patrick
December 21, 2019, 7:34am
40
This is now in the developers repository. Enabling it will be easy.
sudo systemctl enable permission-hardening.service
It might be enabled by default one day (similar to Restrict Hardware Information to Root - Testers Wanted! ) but it needs a fair amount of testing as I am running into many issues here.
We’ll also need some way to record changes and to undo these.
Breaks whonix-firewall.
Dec 21 06:43:54 host enable-firewall[351]: iptables/1.8.2 Failed to initialize nft: Protocol not supported
1 Like
Patrick
December 21, 2019, 12:59pm
41
dpkg-statoverride --list
has only limited usefulness for this since Debian itself uses these. There is no way to distinguish which were added by Debian and which by permission hardening.
This is done. security-misc: Enhance Miscellaneous Security Settings documents how to enable this feature, how to view what was changed and how to undo and disable this feature.
1 Like
Patrick:
Breaks whonix-firewall.
Patrick:
Breaks AppArmor.
It didn’t break those when I tested it and I have no idea why it would break those. Are you sure this isn’t something else?
AppArmor and whonix-firewall run as root anyway.
1 Like
Patrick
December 21, 2019, 7:41pm
43
sudo setcap -r /bin/ping ; echo $?
Failed to set capabilities on file `/bin/ping’ (No data available)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
1
1 Like
Weird. It works fine for me.
The only way I can reproduce this is by making /bin/ping suid first. Is your /bin/ping suid?
1 Like
Patrick
December 21, 2019, 7:51pm
45
No.
sudo stat -c "%n %a %U %G" /bin/ping
/bin/ping 755 root root
sudo setcap -r /bin/ping ; echo $?
Failed to set capabilities on file `/bin/ping’ (No data available)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
1
But capabilities (was there before) are removed.
sudo getcap /bin/ping ; echo $?
0
The problem is the error message and non-zero exit code. Output could be redirected to /dev/null and non-zero exit could code be ignored but that would break error checking.
1 Like
Patrick
December 22, 2019, 7:08pm
46
Any reason to whitelist /lib/dbus-1.0/dbus-daemon-launch-helper
?
existing mode:
root messagebus 4754 /lib/dbus-1.0/dbus-daemon-launch-helper
committed 07:06PM - 21 Dec 19 UTC
committed 11:56PM - 22 Dec 19 UTC
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gn… u/utempter/utempter
committed 11:57PM - 22 Dec 19 UTC
We don’t want to break dbus.
1 Like
Patrick
December 22, 2019, 7:16pm
48
I’ve documented SUID / SGID that we will be breaking by default when permission hardening gets enabled:
security-misc: Enhance Miscellaneous Security Settings
1 Like
Patrick
December 23, 2019, 1:54pm
51
madaidan via Whonix Forum:
Would it be a good idea to hardcode / change newmode
of these to 744
? I.e. to remove exeution permission for others
and `group?
What’s the point of reading binaries if it can’t even be executed? Maybe just give a mode of 700
.
Making the minimal change required for security. Keeping things simple.
Making it easier for users to restore to defaults.
1 Like
Patrick
December 23, 2019, 2:06pm
52
madaidan via Whonix Forum:
We can use this to remove capabilities of some unneeded binaries too by using the none
capability rule.
getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/ping = cap_net_raw+ep
I think we should remove the capabilities of /bin/ping
since it doesn’t work with Tor anyway.
Good idea. We already support:
/usr/bin/ nosuid
Should we add another feature
/ nocap
?
Or should we just
/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper
set to nocap
and consider that good enough?
Capability removal only works until package upgrade since
dpkg-statoverwrite does not support capabilities. Feature request:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
1 Like
Only 2 things have capabilities by default anyway so that’s not really needed.
1 Like