I only added that so the script would ignore comments in permission-hardening.conf. Whitelisting only good characters doesn’t seem that useful.
--update sounds like a better replacement for the part where it removes and adds entries again.
To save calls to chmod/chown we can check if the file is already set at that mode:
if [ "$(stat -c %a "${file}")" != "${mode}" ]
No. chmod 755 -R /bin sets everything in /bin to 755, which will probably mess up permissions for tons of things.
But chmod u-s -R /bin will only remove the setuid bit from everything in /bin and leave other permissions the exact same.
u-s is far less likely to break things and a better approach.
I actually prefer octal over human readable. It’s simpler IMO.
Yes, but recursion isn’t needed just for keeping things out.
If, for example, we want non-owner users to read everything in /usr/example/ but not execute anything, we can add:
/usr/example/ 744 root root -R
Or if we want to remove the SUID bit from everything in /bin/ but still allow anyone to execute it, we can add:
/bin u-s root root -R
Yes but the setuid bit can be reset during updates if we don’t also use dpkg-statoverride recursively.
The way the syntax is now seems fine. It’s just dpkg-statoverride which is the main problem.
Yes, that’s why it’s bad.
Sounds better. Maybe something like:
stat -c "%n %a" /bin/* | awk '$2 == "4755"'
Although this will miss files like 4711.
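The two ideas in this thread, skipping chmod/chown calls that would not change anything (the stat check above) and finding setuid files without the "exactly 4755" blind spot of the awk filter, put together as an added example. This is not the permission-hardening script itself or anyone's posted code; it assumes the entry format used in the examples above (PATH MODE OWNER GROUP [-R]), treats lines beginning with # as comments, needs GNU stat/find, and runs against a constructed throwaway directory tree rather than the real /bin:

```shell
#!/bin/sh
# Added example for this thread, not the permission-hardening script itself.
# Assumed entry format (from the examples above): PATH MODE OWNER GROUP [-R]
# Lines beginning with '#' and blank lines are skipped; that is all the comment
# handling the conf file needs. Requires GNU stat/find (Linux).

# Succeed when a chmod call on file $1 would actually change its mode to $2.
needs_chmod() {
    case $2 in
        u-s) [ -u "$1" ] ;;                    # setuid still set?
        g-s) [ -g "$1" ] ;;                    # setgid still set?
        *[!0-7]*) return 0 ;;                  # other symbolic modes: no cheap test, always apply
        *) [ "$((0$(stat -c %a "$1")))" -ne "$((0$2))" ] ;;   # numeric compare, so 755 == 0755
    esac
}

# Apply one entry ($1 path, $2 mode, $3 owner, $4 group, $5 optional -R);
# prints the number of chmod/chown calls actually made.
apply_entry() {
    ae_list=$(mktemp)
    if [ "${5:-}" = "-R" ]; then
        find "$1" > "$ae_list"                 # the path itself and everything below it, one per line
    else
        printf '%s\n' "$1" > "$ae_list"
    fi
    ae_n=0
    while IFS= read -r f; do
        if needs_chmod "$f" "$2"; then
            chmod "$2" "$f"
            ae_n=$((ae_n + 1))
        fi
        if [ "$(stat -c '%U:%G' "$f")" != "$3:$4" ]; then
            chown "$3:$4" "$f"
            ae_n=$((ae_n + 1))
        fi
    done < "$ae_list"
    rm -f "$ae_list"
    printf '%s\n' "$ae_n"
}

# Apply every entry in conf file $1; prints the total number of changes made.
apply_conf() {
    total=0
    while read -r path mode owner group rec; do
        case $path in ''|'#'*) continue ;; esac   # comments and blank lines
        n=$(apply_entry "$path" "$mode" "$owner" "$group" "$rec")
        total=$((total + n))
    done < "$1"
    printf '%s\n' "$total"
}

# List files under $1 with the setuid or setgid bit set, whatever the other bits
# are: this catches 4711 as well as 4755, unlike matching the full octal mode.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} \; | sort
}

# Constructed fixture: a throwaway tree standing in for /bin and /usr/example.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/example"
    : > "$d/bin/one";   chmod 4755 "$d/bin/one"           # setuid, the case the awk filter finds
    : > "$d/bin/two";   chmod 4711 "$d/bin/two"           # setuid with other bits, the case it misses
    : > "$d/bin/three"; chmod 755  "$d/bin/three"         # no setuid: must be left alone
    : > "$d/example/a.txt"; chmod 600 "$d/example/a.txt" # needs changing
    : > "$d/example/b.txt"; chmod 644 "$d/example/b.txt" # already right: no chmod call
    o=$(stat -c %U "$d"); g=$(stat -c %G "$d")            # current owner, so no chown is needed
    cat > "$d/permission-hardening.conf" <<EOF
# comment lines are ignored
$d/example/a.txt 644 $o $g
$d/example/b.txt 644 $o $g
$d/bin u-s $o $g -R
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, apply the conf twice, show the result.
demo() {
    d=$(make_fixture)
    echo "setuid/setgid files before:"; list_suid_sgid "$d/bin"
    echo "changes on first run:  $(apply_conf "$d/permission-hardening.conf")"   # 3
    echo "changes on second run: $(apply_conf "$d/permission-hardening.conf")"   # 0
    echo "setuid/setgid files after:"; list_suid_sgid "$d/bin"
    rm -rf "$d"
}
demo
```

The second run makes no calls at all, which is the point of the stat check: the script becomes safe to re-run from a timer or a post-upgrade hook. None of this addresses the dpkg-statoverride problem raised above; a package upgrade can still put the setuid bit back, which is why the override has to be recorded as well.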