I meant allowing people to choose to disable/enable /home, /boot etc. restrictions (once they’re added) as they wish.
I would prefer to have something periodically check and restrict /boot in case the permissions get changed for whatever reason. If a user wants to have the permissions changed, they can disable permission-lockdown (or change specific settings like I said above).
1 Like
Patrick
November 22, 2019, 5:56pm
241
Since it’s only done once (and by the time they want to change the setting that setting is already turned on), it’s even easier for them to just change the permissions back to what they want. Thanks to the _done file, the sysadmin won’t be bothered with this ever again.
Why would any package work on permissions of the folder /boot directly? Or what else could change it?
Even if permissions for things inside the folder /boot/something change (Debian deciding to change permissions for the kernel image or something), that file would stay inaccessible since the root of the folder (i.e. /boot) already has the correct permissions.
If it should be something more periodic… More enforcing…
(Yet configurable. (?))
(And “non-opaque”.)
What about systemd’s /usr/lib/tmpfiles.d mechanism? Also looks quite appropriate?
(No, not just temp files. Yes, some files there configure permissions for persistent folders such as /var/log or /var/cache.)
Would that work?
1 Like
What if they don’t remember what the permissions were or aren’t technical enough to change them back to what they want?
I think it would be good to save the default permission and reset it if the user chooses to.
Just in case. E.g. a user’s mistake or misconfigured script can do that.
You wouldn’t want accidental read-write access to kernel images.
Permissions may be more likely to change for other folders we might restrict in the future.
That looks great actually. Seems like a far better approach.
1 Like
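The two ideas above (the tmpfiles.d suggestion and saving the default permission so it can be reset) as an added example; this is not security-misc's or Whonix's code, and the function names, the state directory and the `_done` marker layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not security-misc's code): restrict a directory the way the
# thread describes, saving its original mode first so the lockdown can be
# switched off again, and marking finished work with a _done file.
# Target and state directory are parameters so the functions can be exercised
# on a scratch tree; on a real system they run as root against /boot with a
# state directory under /var/lib (assumed layout).

# state_name <dir>: file-safe name for a path, e.g. /boot -> _boot
state_name() {
    printf '%s' "$1" | tr '/' '_'
}

# lockdown_dir <dir> <state_dir> <mode>: apply <mode> to <dir>, recording the
# pre-lockdown mode on the first run only (a re-run must not overwrite it).
lockdown_dir() {
    saved="$2/$(state_name "$1").mode"
    if [ ! -e "$saved" ]; then
        stat -c '%a' "$1" > "$saved"
    fi
    chmod "$3" "$1"
    touch "$2/$(state_name "$1")_done"
}

# restore_dir <dir> <state_dir>: put the saved mode back and drop the marker
# so a later re-enable starts from a clean state.
restore_dir() {
    saved="$2/$(state_name "$1").mode"
    [ -e "$saved" ] || { echo "no saved mode for $1" >&2; return 1; }
    chmod "$(cat "$saved")" "$1"
    rm -f "$saved" "$2/$(state_name "$1")_done"
}

# tmpfiles_line <dir> <mode>: a systemd-tmpfiles 'z' entry, which adjusts the
# mode of an existing path (never creating it) each time
# systemd-tmpfiles --create runs at boot. Write it to /etc/tmpfiles.d/*.conf.
tmpfiles_line() {
    printf 'z %s %s root root - -\n' "$1" "$2"
}
```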
OpenSUSE actually has a package that changes the file permissions.
https://en.opensuse.org/openSUSE:Security_Documentation
the easy profile has a focus on ease of use where more program features work out of the box without the user having to intervene. It also means that there is a larger security attack surface. It can be used for typical single user desktop systems when usability is favored over stricter security.
the secure profile is more security oriented and disables certain program privileges. This can result in some program features not being available or behaving less conveniently. It can be used for typical server or multi-user host machines.
the paranoid profile is a tightly locked down set of settings that isn’t fully usable in production, because a lot of program features will stop working. This should only be used when security is the major requirement and when you are willing to tune the profile into a state where you can perform the task you want to fulfill with the system.
I can’t find the permissions file anywhere online to see what they do. I’ll setup a VM to check.
1 Like
Here is opensuse’s configuration.
permissions.secure: Debian paste error
permissions.paranoid: Debian paste error
2 Likes
Patrick
November 22, 2019, 6:54pm
245
Awesome find! Can you find the source code? Maybe it can be ported to Debian.
Looks like “/etc/permissions.paranoid” was forgotten. Most search results from year 2002 - 2004. Looks like we’re rediscovering old security knowledge.
1 Like
The source only seems to be distributed in .rpm files which I have no idea how to use.
download.opensuse.org/source/distribution/leap/15.0-Current/repo/oss/src/permissions-20180125-lp150.1.2.src.rpm
No, it’s still supported by opensuse. Just doesn’t seem very popular.
1 Like
Patrick
November 23, 2019, 6:20am
247
An rpm is similar to a deb. Just an archive with a different file extension. Please open it and look around.
ark permissions-20180125-lp150.1.2.src.rpm
permission.spec
License: GPL-2.0+
Url: GitHub - openSUSE/permissions
source code repository is here:
1 Like
Patrick
November 23, 2019, 11:24am
248
committed 11:20AM - 23 Nov 19 UTC
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
Are there any other kernel modules that we could load for better security?
1 Like
Last commit on permissions.paranoid was yesterday. Definitely isn’t forgotten.
Dunno why I couldn’t find that repo when searching.
1 Like
https://wiki.gentoo.org/index.php?title=Hardened_Kernel&oldid=638760
CONFIG_PAGE_POISONING forces debug infrastructure bloat, slab poisoning via slub_debug=P disables the slub fast path which is unnecessarily, ridiculously slow + always enables verification which can be a nice security feature but hurts performance more. It also forces the freelist pointer after the allocation, which is a security improvement in terms of mitigating use-after-free but wastes memory (PaX leaves it inline now unlike in the past and just sanitizes the rest). It also uses a poison value resulting in pointers pointing to userspace - quite dangerous without UDEREF, and still a bad idea with it present.
Seems like init_on_free is more secure and has better performance.
init_on_{free,alloc} don’t seem to have sanity checks though (page poisoning does). linux-hardened solves this with CONFIG_PAGE_SANITIZE_VERIFY and CONFIG_SLAB_SANITIZE_VERIFY.
Btw the init_on options are basically PAX_MEMORY_SANITIZE AFAIK (what the link is comparing page poisoning to).
1 Like
Lockdown is about to be incorporated in the kernel itself if not already AFAICT.
2 Likes
Patrick
November 28, 2019, 3:24pm
253
1 Like
Patrick_mobile:
What about lockdown lsm?
Lockdown is nice but it doesn’t do much. It’s only focused on making it harder for root to escalate to kernel code but most of the things it does can already be done without lockdown.
It’s mostly just marketing. Most Linux users won’t benefit from it anyway as an untrusted root user isn’t part of their threat model (although it is part of ours).
Also see https://twitter.com/DanielMicay/status/1180072339112898562
Patrick:
How to use it?
It’s only available in linux 5.4 which is far away from the debian stable kernel.
2 Likes
Patrick
December 4, 2019, 4:49pm
256
Qubes Debian VM with Qubes dom0 kernel.
```
sudo checksec --kernel
Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config:
/proc/config.gz
Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Disabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
GCC structleak plugin: Enabled
GCC structleak by ref plugin: Enabled
SLAB freelist randomization: Enabled
Virtually-mapped kernel stack: Enabled
Enforce read-only kernel data: Enabled
Enforce read-only module data: Enabled
Exec Shield: Disabled
Hardened Usercopy: Enabled
Hardened Usercopy Pagespan: Disabled
Harden str/mem functions: Enabled
Restrict /dev/mem access: Enabled
Restrict I/O access to /dev/mem: Enabled
Restrict /dev/kmem access: Enabled
X86 only:
Address space layout randomization: Enabled
SELinux: Disabled
SELinux infomation available here:
http://selinuxproject.org/
grsecurity / PaX: No GRKERNSEC
The grsecurity / PaX patchset is available here:
http://grsecurity.net/
```
1 Like
Patrick
December 4, 2019, 4:55pm
257
Same in Qubes Debian VM with Qubes VM kernel.
1 Like
Patrick
December 4, 2019, 4:59pm
258
Patrick:
Exec Shield: Disabled
False-positives.
opened 03:50PM - 19 Sep 19 UTC
closed 02:10PM - 27 May 20 UTC
# Issue
The kernel checks for 'Ipv6 reverse path filtering' and 'Exec Shield' are unaccomplishable, as the corresponding kernel settings do not exist any more.
# OS version and Kernel version
Debian unstable
Linux desktopdebian 5.2.0-2-amd64 #1 SMP Debian 5.2.9-2 (2019-08-21) x86_64 GNU/Linux
# Extra info
```
ls -l /proc/sys/kernel/
total 0
-rw-r--r-- 1 root root 0 Sep 19 16:27 acct
-rw-r--r-- 1 root root 0 Sep 19 16:27 acpi_video_flags
-rw-r--r-- 1 root root 0 Sep 19 16:27 auto_msgmni
-r--r--r-- 1 root root 0 Sep 19 16:27 bootloader_type
-r--r--r-- 1 root root 0 Sep 19 16:27 bootloader_version
-rw-r--r-- 1 root root 0 Sep 19 16:27 bpf_stats_enabled
-rw------- 1 root root 0 Sep 19 16:27 cad_pid
-r--r--r-- 1 root root 0 Sep 19 15:24 cap_last_cap
-rw-r--r-- 1 root root 0 Sep 19 15:24 core_pattern
-rw-r--r-- 1 root root 0 Sep 19 16:27 core_pipe_limit
-rw-r--r-- 1 root root 0 Sep 19 16:27 core_uses_pid
-rw-r--r-- 1 root root 0 Sep 19 16:27 ctrl-alt-del
-rw-r--r-- 1 root root 0 Sep 19 16:27 dmesg_restrict
-rw-r--r-- 1 root root 0 Sep 19 15:24 domainname
dr-xr-xr-x 1 root root 0 Sep 19 16:27 firmware_config
-rw-r--r-- 1 root root 0 Sep 19 16:27 ftrace_dump_on_oops
-rw-r--r-- 1 root root 0 Sep 19 16:27 ftrace_enabled
-rw-r--r-- 1 root root 0 Sep 19 16:27 hardlockup_all_cpu_backtrace
-rw-r--r-- 1 root root 0 Sep 19 16:27 hardlockup_panic
-rw-r--r-- 1 root root 0 Sep 19 15:24 hostname
-rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_check_count
-rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_check_interval_secs
-rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_panic
-rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_timeout_secs
-rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_warnings
-rw-r--r-- 1 root root 0 Sep 19 16:27 io_delay_type
-rw-r--r-- 1 root root 0 Sep 19 16:27 kexec_load_disabled
dr-xr-xr-x 1 root root 0 Sep 19 16:27 keys
-rw-r--r-- 1 root root 0 Sep 19 16:27 kptr_restrict
-rw-r--r-- 1 root root 0 Sep 19 16:27 max_lock_depth
-rw-r--r-- 1 root root 0 Sep 19 16:27 modprobe
-rw-r--r-- 1 root root 0 Sep 19 16:27 modules_disabled
-rw-r--r-- 1 root root 0 Sep 19 16:27 msgmax
-rw-r--r-- 1 root root 0 Sep 19 16:27 msgmnb
-rw-r--r-- 1 root root 0 Sep 19 16:27 msgmni
-rw-r--r-- 1 root root 0 Sep 19 16:27 msg_next_id
-r--r--r-- 1 root root 0 Sep 19 15:24 ngroups_max
-rw-r--r-- 1 root root 0 Sep 19 16:27 nmi_watchdog
-rw-rw-rw- 1 root root 0 Sep 19 16:27 ns_last_pid
-rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing
-rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_delay_ms
-rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_period_max_ms
-rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_period_min_ms
-rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_size_mb
-r--r--r-- 1 root root 0 Sep 19 17:24 osrelease
-r--r--r-- 1 root root 0 Sep 19 16:27 ostype
-rw-r--r-- 1 root root 0 Sep 19 15:24 overflowgid
-rw-r--r-- 1 root root 0 Sep 19 15:24 overflowuid
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_io_nmi
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_oops
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_rcu_stall
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_unrecovered_nmi
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_warn
-rw-r--r-- 1 root root 0 Sep 19 16:27 panic_print
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_cpu_time_max_percent
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_contexts_per_stack
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_sample_rate
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_stack
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_mlock_kb
-rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_paranoid
-rw-r--r-- 1 root root 0 Sep 19 15:24 pid_max
-rw-r--r-- 1 root root 0 Sep 19 16:27 poweroff_cmd
-rw-r--r-- 1 root root 0 Sep 19 16:27 print-fatal-signals
-rw-r--r-- 1 root root 0 Sep 19 16:27 printk
-rw-r--r-- 1 root root 0 Sep 19 16:27 printk_delay
-rw-r--r-- 1 root root 0 Sep 19 16:27 printk_devkmsg
-rw-r--r-- 1 root root 0 Sep 19 16:27 printk_ratelimit
-rw-r--r-- 1 root root 0 Sep 19 16:27 printk_ratelimit_burst
dr-xr-xr-x 1 root root 0 Sep 19 16:27 pty
dr-xr-xr-x 1 root root 0 Sep 19 17:24 random
-rw-r--r-- 1 root root 0 Sep 19 16:27 randomize_va_space
-rw-r--r-- 1 root root 0 Sep 19 16:27 real-root-dev
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_autogroup_enabled
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_cfs_bandwidth_slice_us
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_child_runs_first
dr-xr-xr-x 1 root root 0 Sep 19 16:27 sched_domain
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_latency_ns
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_migration_cost_ns
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_min_granularity_ns
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_nr_migrate
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rr_timeslice_ms
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rt_period_us
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rt_runtime_us
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_schedstats
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_tunable_scaling
-rw-r--r-- 1 root root 0 Sep 19 16:27 sched_wakeup_granularity_ns
dr-xr-xr-x 1 root root 0 Sep 19 16:27 seccomp
-rw-r--r-- 1 root root 0 Sep 19 16:27 sem
-rw-r--r-- 1 root root 0 Sep 19 16:27 sem_next_id
-rw-r--r-- 1 root root 0 Sep 19 16:27 shmall
-rw-r--r-- 1 root root 0 Sep 19 16:27 shmmax
-rw-r--r-- 1 root root 0 Sep 19 16:27 shmmni
-rw-r--r-- 1 root root 0 Sep 19 16:27 shm_next_id
-rw-r--r-- 1 root root 0 Sep 19 16:27 shm_rmid_forced
-rw-r--r-- 1 root root 0 Sep 19 16:27 softlockup_all_cpu_backtrace
-rw-r--r-- 1 root root 0 Sep 19 16:27 softlockup_panic
-rw-r--r-- 1 root root 0 Sep 19 16:27 soft_watchdog
-rw-r--r-- 1 root root 0 Sep 19 16:27 stack_tracer_enabled
-rw-r--r-- 1 root root 0 Sep 19 16:27 sysctl_writes_strict
-rw-r--r-- 1 root root 0 Sep 19 16:27 sysrq
-rw-r--r-- 1 root root 0 Sep 19 16:27 tainted
-rw-r--r-- 1 root root 0 Sep 19 15:24 threads-max
-rw-r--r-- 1 root root 0 Sep 19 16:27 timer_migration
-rw-r--r-- 1 root root 0 Sep 19 16:27 traceoff_on_warning
-rw-r--r-- 1 root root 0 Sep 19 16:27 tracepoint_printk
-rw-r--r-- 1 root root 0 Sep 19 16:27 unknown_nmi_panic
-rw-r--r-- 1 root root 0 Sep 19 16:27 unprivileged_bpf_disabled
-rw------- 1 root root 0 Sep 19 16:27 unprivileged_userns_apparmor_policy
-rw-r--r-- 1 root root 0 Sep 19 16:27 unprivileged_userns_clone
dr-xr-xr-x 1 root root 0 Sep 19 16:27 usermodehelper
-r--r--r-- 1 root root 0 Sep 19 16:27 version
-rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog
-rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog_cpumask
-rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog_thresh
dr-xr-xr-x 1 root root 0 Sep 19 16:27 yama
```
```
ll /proc/sys/net/ipv6/conf/all
total 0
dr-xr-xr-x 1 root root 0 Sep 19 16:27 .
dr-xr-xr-x 1 root root 0 Sep 19 15:24 ..
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_dad
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_defrtr
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_from_local
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_min_hop_limit
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_mtu
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_pinfo
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rt_info_max_plen
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rt_info_min_plen
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rtr_pref
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_redirects
-rw-r--r-- 1 root root 0 Sep 19 16:27 accept_source_route
-rw-r--r-- 1 root root 0 Sep 19 16:27 addr_gen_mode
-rw-r--r-- 1 root root 0 Sep 19 16:27 autoconf
-rw-r--r-- 1 root root 0 Sep 19 16:27 dad_transmits
-rw-r--r-- 1 root root 0 Sep 19 16:27 disable_ipv6
-rw-r--r-- 1 root root 0 Sep 19 16:27 disable_policy
-rw-r--r-- 1 root root 0 Sep 19 16:27 drop_unicast_in_l2_multicast
-rw-r--r-- 1 root root 0 Sep 19 16:27 drop_unsolicited_na
-rw-r--r-- 1 root root 0 Sep 19 16:27 enhanced_dad
-rw-r--r-- 1 root root 0 Sep 19 16:27 force_mld_version
-rw-r--r-- 1 root root 0 Sep 19 16:27 force_tllao
-rw-r--r-- 1 root root 0 Sep 19 16:27 forwarding
-rw-r--r-- 1 root root 0 Sep 19 16:27 hop_limit
-rw-r--r-- 1 root root 0 Sep 19 16:27 ignore_routes_with_linkdown
-rw-r--r-- 1 root root 0 Sep 19 16:27 keep_addr_on_down
-rw-r--r-- 1 root root 0 Sep 19 16:27 max_addresses
-rw-r--r-- 1 root root 0 Sep 19 16:27 max_desync_factor
-r--r--r-- 1 root root 0 Sep 19 16:27 mc_forwarding
-rw-r--r-- 1 root root 0 Sep 19 16:27 mldv1_unsolicited_report_interval
-rw-r--r-- 1 root root 0 Sep 19 16:27 mldv2_unsolicited_report_interval
-rw-r--r-- 1 root root 0 Sep 19 16:27 mtu
-rw-r--r-- 1 root root 0 Sep 19 16:27 ndisc_notify
-rw-r--r-- 1 root root 0 Sep 19 16:27 ndisc_tclass
-rw-r--r-- 1 root root 0 Sep 19 16:27 optimistic_dad
-rw-r--r-- 1 root root 0 Sep 19 16:27 proxy_ndp
-rw-r--r-- 1 root root 0 Sep 19 16:27 regen_max_retry
-rw-r--r-- 1 root root 0 Sep 19 16:27 router_probe_interval
-rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_delay
-rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_interval
-rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_max_interval
-rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitations
-rw-r--r-- 1 root root 0 Sep 19 16:27 seg6_enabled
-rw-r--r-- 1 root root 0 Sep 19 16:27 seg6_require_hmac
-rw------- 1 root root 0 Sep 19 16:27 stable_secret
-rw-r--r-- 1 root root 0 Sep 19 16:27 suppress_frag_ndisc
-rw-r--r-- 1 root root 0 Sep 19 16:27 temp_prefered_lft
-rw-r--r-- 1 root root 0 Sep 19 16:27 temp_valid_lft
-rw-r--r-- 1 root root 0 Sep 19 16:27 use_oif_addrs_only
-rw-r--r-- 1 root root 0 Sep 19 16:27 use_optimistic
-rw-r--r-- 1 root root 0 Sep 19 16:27 use_tempaddr
```
Probably kernel recompilation required? → kernel recompilation for better hardening
1 Like
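The false positive described in the quoted issue, as an added example that is not checksec's own code: a sysctl-backed check that reports a setting the running kernel no longer has (exec-shield, IPv6 rp_filter) as absent instead of Disabled. `SYSCTL_ROOT` and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not checksec's code. checksec --kernel prints "Disabled" when
# the sysctl behind a check is missing; the issue quoted above calls that a
# false positive. Here a missing sysctl is reported as "absent" instead.
# SYSCTL_ROOT defaults to /proc/sys; overriding it lets the checks run on a
# constructed tree.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# sysctl_state <path under /proc/sys> [<value meaning fully enabled>]
# prints absent / disabled / enabled. With the optional second argument,
# "enabled" requires exactly that value; otherwise any non-zero value counts.
sysctl_state() {
    f="$SYSCTL_ROOT/$1"
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    v=$(cat "$f" 2>/dev/null)
    if [ -n "$2" ]; then
        [ "$v" = "$2" ] && echo enabled || echo disabled
    elif [ "$v" = "0" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# kernel_report: the sysctl-backed rows of the checksec output above, plus two
# kernel/ sysctls the quoted listing shows do exist (dmesg_restrict,
# kptr_restrict). Each spec is label:path:required-value (value may be empty).
kernel_report() {
    for spec in \
        'Vanilla Kernel ASLR:kernel/randomize_va_space:2' \
        'Protected symlinks:fs/protected_symlinks:' \
        'Protected hardlinks:fs/protected_hardlinks:' \
        'Ipv4 reverse path filtering:net/ipv4/conf/all/rp_filter:' \
        'Ipv6 reverse path filtering:net/ipv6/conf/all/rp_filter:' \
        'Exec Shield:kernel/exec-shield:' \
        'dmesg restricted:kernel/dmesg_restrict:' \
        'kptr restricted:kernel/kptr_restrict:'
    do
        label=${spec%%:*}; rest=${spec#*:}
        path=${rest%%:*}; want=${rest#*:}
        printf '%s: %s\n' "$label" "$(sysctl_state "$path" "$want")"
    done
}
```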
Hardened usercopy pagespan is only good for debugging AFAIK.
1 Like