SUID Disabler and Permission Hardener

https://github.com/Whonix/security-misc/pull/44

1 Like

Added some refactoring, debugging, code simplification, and stylistic changes. By the way, I make no claim that my code style is superior in any form, but it is easier to grasp by my particularly biased brain. Hope that is ok.

Found some issues.

run: dpkg-statoverride --add --update root root 0755 /home
run: dpkg-statoverride --add --update user user 0700 /home/user
run: dpkg-statoverride --add --update root root 0700 /root
run: dpkg-statoverride --add --update root root 0700 /boot
run: dpkg-statoverride --add --update root root 0600 /etc/permission-hardening.conf
run: dpkg-statoverride --remove /bin/
fso: /bin/
suid - file_name: ‘/bin/mount’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/mount
suid - file_name: ‘/bin/ntfs-3g’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/ntfs-3g
suid - file_name: ‘/bin/umount’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/umount
run: dpkg-statoverride --remove /usr/bin/
fso: /usr/bin/
suid - file_name: ‘/usr/bin/atrm’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/atrm
suid - file_name: ‘/usr/bin/bwrap’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/bwrap
suid - file_name: ‘/usr/bin/chfn’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chfn
suid - file_name: ‘/usr/bin/chsh’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chsh
suid - file_name: ‘/usr/bin/dotlock’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/dotlock
suid - file_name: ‘/usr/bin/dotlock.mailutils’ | existing_mode: ‘2755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/dotlock.mailutils
suid - file_name: ‘/usr/bin/firejail’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/firejail
suid - file_name: ‘/usr/bin/gpasswd’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/gpasswd
suid - file_name: ‘/usr/bin/newaliases’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/newaliases
suid - file_name: ‘/usr/bin/newgrp’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/newgrp
suid - file_name: ‘/usr/bin/pkexec.security-misc-orig’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/pkexec.security-misc-orig
suid - file_name: ‘/usr/bin/sg’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/sg
suid - file_name: ‘/usr/bin/sudo’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/sudo
suid - file_name: ‘/usr/bin/write’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/write
INFO: fso ‘/usr/local/bin/’ does not exist!
fso: /sbin/
suid - file_name: ‘/sbin/mount.nfs’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /sbin/mount.nfs
suid - file_name: ‘/sbin/mount.ntfs’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /sbin/mount.ntfs
suid - file_name: ‘/sbin/umount.nfs4’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /sbin/umount.nfs4
suid - file_name: ‘/sbin/unix_chkpwd’ | existing_mode: ‘2755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root shadow 755 /sbin/unix_chkpwd
fso: /usr/sbin/
suid - file_name: ‘/usr/sbin/exim4’ | existing_mode: ‘4755’ | existing_mode:1: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/sbin/exim4
suid - file_name: ‘/usr/sbin/runq’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/sbin/runq
INFO: fso ‘/usr/local/sbin/’ does not exist!
run: dpkg-statoverride --remove /lib/
fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long
fso: /lib32/
fso: /lib64/
run: dpkg-statoverride --remove /usr/lib/
fso: /usr/lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long
fso: /usr/lib32/
INFO: fso ‘/usr/lib64/’ does not exist!
INFO: fso ‘/usr/local/lib/’ does not exist!
INFO: fso ‘/usr/local/lib32/’ does not exist!
INFO: fso ‘/usr/local/lib64/’ does not exist!
run: dpkg-statoverride --add --update root root 4755 /usr/bin/sudo
run: dpkg-statoverride --add --update root root 4755 /usr/bin/bwrap
run: dpkg-statoverride --add --update root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
run: dpkg-statoverride --remove /usr/lib/dbus-1.0/dbus-daemon-launch-helper
run: dpkg-statoverride --add --update root messagebus 4754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
INFO: fso ‘/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper’ does not exist!
run: dpkg-statoverride --add --update root utmp 2755 /usr/lib/x86_64-linux-gnu/utempter/utempter


run: dpkg-statoverride --remove /bin/

Do we want to do this?

suid - file_name: ‘/usr/bin/atrm’ | existing_mode: ‘777’ | existing_mode:1: ‘77’
run: dpkg-statoverride --add --update root root 77 /usr/bin/atrm

This is because:

stat -c "%n %a %U %G" /usr/bin/atrm

/usr/bin/atrm 777 root root

Therefore I need to check the string length of the permission variable. I will fix this very soon.

fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long

Can reproduce manually too.

shopt -s globstar
stat -c "%n %a %U %G" /lib/**

bash: /usr/bin/stat: Argument list too long

1 Like

Symlinks are probably a (or the) cause of the permission variable length issue above.

stat -c "%n %a %U %G" /usr/bin/sg

/usr/bin/sg 777 root root

test -u /usr/bin/sg ; echo $?

0

test -g /usr/bin/sg ; echo $?

1

test -h /usr/bin/sg ; echo $?

0

ls -la /usr/bin/sg

lrwxrwxrwx 1 root root 6 Jul 27 2018 /usr/bin/sg -> newgrp

realpath /usr/bin/sg

/usr/bin/newgrp

The question is, how should we handle symlinks?

Should we just skip symlinks in nosuid mode? That is what I have implemented for now. Config entries such as /bin/ nosuid should catch such entries anyhow since these would be in other folders which config will “run nosuid” on anyhow. Except, it would miss custom made symlinks linking to folders which we don’t parse.

Otherwise we could resolve the symlink (maybe using realpath) and then “run nosuid” on wherever it links to even if a weird path such as hypothetically /usr/share/somesuid/somesuidbinary. Such entries however would likely never be updated/removed when the symlink changed.

1 Like

Let’s not use add_statoverride_entry for both cases, nosuid and regular modes. That is because when we’re using nosuid that is totally different. In that case we iterate over folders. For other modes, we don’t iterate but set specific modes. There is not any code that would be repeated. Therefore I made that add_nosuid_statoverride_entry.

This is fixed.

For now, no longer doing this. That was only a bug when using nosuid entries. Not a deliberate choice in config. If this was wanted, another entry should be added to config (similar to /boot/ 0700 root root, but one would have to think about mode/owner/group, there may be no fitting config file, and it does not seem important).

1 Like

I don’t think we should support iterating over folders for nosuid while at the same time setting specific modes/owner/groups. To be specific about what I mean:

This is OK:

/bin/ nosuid

This is also OK:

/etc/permission-hardening.conf 0600 root root

This does not seem useful:

/bin/ nosuid 0600 root root

This does not seem useful:

/bin/ nosuid root root

If both nosuid and a mode/owner/group change is wanted, better add another config line.

1 Like
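As an added example (my own code, not security-misc’s permission-hardening script), here is a parser for config lines in exactly the two shapes the post above allows, rejecting the two mixed forms it calls not useful. The sample config at the bottom is constructed for the example, including the `/bin/su 0700 root root` rule suggested later in the thread; the real config file name and location are not assumed.

```bash
#!/bin/bash
# Added example, not security-misc's own parser. Accepts two line shapes:
#   <path> nosuid                   (iterate a directory, drop set-id bits)
#   <path> <mode> <owner> <group>   (set one specific mode/owner/group)
# and rejects "<path> nosuid <mode> <owner> <group>" and
# "<path> nosuid <owner> <group>".  The sample config below is constructed.
# Output: "nosuid <path>" or "mode <path> <mode> <owner> <group>".

parse_config_line() {
  local line="${1%%#*}" path f2 f3 f4 f5      # drop a trailing comment
  [[ "$line" =~ ^[[:space:]]*$ ]] && return 0  # blank or comment-only line
  read -r path f2 f3 f4 f5 <<< "$line"
  [[ "$path" == /* ]] || { echo "ERROR: path must be absolute: '$1'" >&2; return 1; }
  case "$f2" in
    nosuid)
      [ -z "$f3" ] || { echo "ERROR: nosuid takes no mode/owner/group, use a second line: '$1'" >&2; return 1; }
      echo "nosuid $path" ;;
    [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7])
      { [ -n "$f3" ] && [ -n "$f4" ] && [ -z "$f5" ]; } \
        || { echo "ERROR: expected '<path> <mode> <owner> <group>': '$1'" >&2; return 1; }
      echo "mode $path $f2 $f3 $f4" ;;
    *)
      echo "ERROR: second field must be 'nosuid' or an octal mode: '$1'" >&2; return 1 ;;
  esac
}

# Parse a whole config from stdin: print accepted entries, report rejected
# lines on stderr and return non-zero if there were any.
parse_config() {
  local line rejected=0
  while IFS= read -r line || [ -n "$line" ]; do
    parse_config_line "$line" || rejected=$((rejected + 1))
  done
  [ "$rejected" -eq 0 ] || { echo "$rejected rejected line(s)" >&2; return 1; }
}

# Constructed sample: the line kinds from the post plus the su rule.
sample_config='
# directories to iterate
/bin/ nosuid
/usr/bin/ nosuid
# specific modes
/etc/permission-hardening.conf 0600 root root
/boot/ 0700 root root
/bin/su 0700 root root
# not useful, rejected
/bin/ nosuid 0600 root root
/bin/ nosuid root root
'

# Number of sample lines the parser accepts (five of the seven).
count_accepted() {
  printf '%s\n' "$sample_config" | parse_config 2>/dev/null | wc -l
}

if printf '%s\n' "$sample_config" | parse_config; then
  echo "config OK"
else
  echo "config has errors"
fi
```

Run it as-is to see the five accepted entries and the two rejections; feed a real file with `parse_config < /path/to/config` once the file name is known.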

We are hitting ARG_MAX

getconf ARG_MAX

more info:
https://www.linuxjournal.com/article/6060

The Unix & Linux Stack Exchange question “How can I prevent arguments to `xargs` from being prefixed with spaces?” said xargs can split it up.

Will use

done < <( find "${fso_without_trailing_slash}/" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} )

to fix it.

1 Like

It’s fixed. But by fixing the parsing of /lib, it’s also very slow. It needs 3 minutes to finish.

(And that is only in dry mode, i.e. not actually running the dpkg-statoverride --add / --remove commands yet. I don’t think that would change much for the worse, though.)

time sudo usr/lib/security-misc/permission-hardening

fso: /home/
run: dpkg-statoverride --add --update root root 0755 /home
fso: /home/user/
run: dpkg-statoverride --add --update user user 0700 /home/user
fso: /root/
run: dpkg-statoverride --add --update root root 0700 /root
fso: /boot/
run: dpkg-statoverride --add --update root root 0700 /boot
fso: /etc/permission-hardening.conf
run: dpkg-statoverride --add --update root root 0600 /etc/permission-hardening.conf
fso: /bin/
suid - file_name: ‘/bin/fusermount’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/fusermount
suid - file_name: ‘/bin/su’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/su
suid - file_name: ‘/bin/ntfs-3g’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/ntfs-3g
fso: /usr/bin/
suid - file_name: ‘/usr/bin/sudo’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/sudo
suid - file_name: ‘/usr/bin/chsh’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chsh
suid - file_name: ‘/usr/bin/crontab’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --remove /usr/bin/crontab
run: dpkg-statoverride --add --update root crontab 755 /usr/bin/crontab
suid - file_name: ‘/usr/bin/chfn’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chfn
suid - file_name: ‘/usr/bin/ssh-agent’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root ssh 755 /usr/bin/ssh-agent
suid - file_name: ‘/usr/bin/newuidmap’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/newuidmap
suid - file_name: ‘/usr/bin/pkexec.security-misc-orig’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/pkexec.security-misc-orig
suid - file_name: ‘/usr/bin/bwrap’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/bwrap
suid - file_name: ‘/usr/bin/chage’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root shadow 755 /usr/bin/chage
INFO: fso ‘/usr/local/bin/’ does not exist!
fso: /sbin/
suid - file_name: ‘/sbin/mount.nfs’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /sbin/mount.nfs
fso: /usr/sbin/
INFO: fso ‘/usr/local/sbin/’ does not exist!
fso: /lib/
fso: /lib32/
fso: /lib64/
fso: /usr/lib/
suid - file_name: ‘/usr/lib/policykit-1/polkit-agent-helper-1’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/policykit-1/polkit-agent-helper-1
suid - file_name: ‘/usr/lib/eject/dmcrypt-get-device’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/eject/dmcrypt-get-device
suid - file_name: ‘/usr/lib/virtualbox/VBoxNetDHCP’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetDHCP
suid - file_name: ‘/usr/lib/virtualbox/VBoxNetNAT’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetNAT
suid - file_name: ‘/usr/lib/virtualbox/VBoxHeadless’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxHeadless
suid - file_name: ‘/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
suid - file_name: ‘/usr/lib/dbus-1.0/dbus-daemon-launch-helper’ | existing_mode: ‘4754’ | new_mode: ‘754’
run: dpkg-statoverride --remove /usr/lib/dbus-1.0/dbus-daemon-launch-helper
run: dpkg-statoverride --add --update root messagebus 754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
suid - file_name: ‘/usr/lib/kde4/libexec/fileshareset’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/kde4/libexec/fileshareset
suid - file_name: ‘/usr/lib/kde4/libexec/kdesud’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root nogroup 755 /usr/lib/kde4/libexec/kdesud
suid - file_name: ‘/usr/lib/chromium/chrome-sandbox’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/chromium/chrome-sandbox
suid - file_name: ‘/usr/lib/qubes/qfile-unpacker’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/qubes/qfile-unpacker
suid - file_name: ‘/usr/lib/evolution/camel-lock-helper-1.2’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root mail 755 /usr/lib/evolution/camel-lock-helper-1.2
fso: /usr/lib32/
INFO: fso ‘/usr/lib64/’ does not exist!
INFO: fso ‘/usr/local/lib/’ does not exist!
INFO: fso ‘/usr/local/lib32/’ does not exist!
INFO: fso ‘/usr/local/lib64/’ does not exist!
fso: /usr/bin/sudo
run: dpkg-statoverride --add --update root root 4755 /usr/bin/sudo
fso: /usr/bin/bwrap
run: dpkg-statoverride --add --update root root 4755 /usr/bin/bwrap
fso: /usr/lib/policykit-1/polkit-agent-helper-1
run: dpkg-statoverride --add --update root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
fso: /usr/lib/dbus-1.0/dbus-daemon-launch-helper
INFO: fso ‘/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper’ does not exist!
fso: /usr/lib/x86_64-linux-gnu/utempter/utempter
run: dpkg-statoverride --add --update root utmp 2755 /usr/lib/x86_64-linux-gnu/utempter/utempter

real 3m3.306s
user 1m12.419s
sys 1m57.067s

The xtrace (sudo bash -x usr/lib/security-misc/permission-hardening, or setting set -x at the top of the script) looks efficient. We don’t call stat a million times and we are using bash built-ins.

1 Like

Added some benchmarking code (but not clean, will not publish unless deemed required).

fso: /bin/ | benchmark: 00:00:01
fso: /usr/bin/ | benchmark: 00:00:05
fso: /sbin/ | benchmark: 00:00:00
fso: /usr/sbin/ | benchmark: 00:00:01
fso: /lib/ | benchmark: 00:00:57
fso: /lib32/ | benchmark: 00:00:00
fso: /lib64/ | benchmark: 00:00:00
fso: /usr/lib/ | benchmark: 00:02:01
fso: /usr/lib32/ | benchmark: 00:00:00

Parsing /lib/ and /usr/lib/ takes by far the most time.

Fortunately /lib does not have any suid binaries by default on my system.

Maybe we can mount /lib as nodev,nosuid. As per Kurt Seifried - LASG / Installation we can. Then we could remove /lib from the permission hardening config and save 1 minute.

Related: (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - #21 by madaidan

Parsing /usr/lib though seems important.

1 Like

I want to add a usability feature.

As user user.

stat -c "%n %a %U %G" /bin/su

/bin/su 755 root root

which su

/bin/su

I.e. su is still executable by user user even though it has suid removed. This is bad because su fails open, i.e. in weird ways. It does not report “missing suid”. What I would prefer:

sudo chmod o-x /bin/su
stat -c "%n %a %U %G" /bin/su

/bin/su 754 root root

which su

su

bash: /bin/su: Permission denied

Now user user cannot execute su anymore. It is failing closed.

1 Like

This is the script output as of now.

run: dpkg-statoverride --add --update root root 0755 /home
run: dpkg-statoverride --add --update user user 0700 /home/user
run: dpkg-statoverride --add --update root root 0700 /root
run: dpkg-statoverride --add --update root root 0700 /boot
run: dpkg-statoverride --add --update root root 0600 /etc/permission-hardening.d
INFO: fso: ‘/usr/local/etc/permission-hardening.d’ - does not exist. This is likely normal.
INFO: set-user-id found - file_name: ‘/bin/fusermount’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/fusermount
INFO: set-user-id found - file_name: ‘/bin/su’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/su
INFO: set-user-id found - file_name: ‘/bin/ntfs-3g’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /bin/ntfs-3g
INFO: set-user-id found - file_name: ‘/usr/bin/sudo’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/sudo
INFO: set-user-id found - file_name: ‘/usr/bin/chsh’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chsh
INFO: set-group-id found - file_name: ‘/usr/bin/crontab’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --remove /usr/bin/crontab
run: dpkg-statoverride --add --update root crontab 755 /usr/bin/crontab
INFO: set-user-id found - file_name: ‘/usr/bin/chfn’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/chfn
INFO: set-group-id found - file_name: ‘/usr/bin/ssh-agent’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root ssh 755 /usr/bin/ssh-agent
INFO: set-user-id found - file_name: ‘/usr/bin/newuidmap’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/newuidmap
INFO: set-user-id found - file_name: ‘/usr/bin/pkexec.security-misc-orig’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/pkexec.security-misc-orig
INFO: set-user-id found - file_name: ‘/usr/bin/bwrap’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/bin/bwrap
INFO: set-group-id found - file_name: ‘/usr/bin/chage’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root shadow 755 /usr/bin/chage
INFO: fso: ‘/usr/local/bin/’ - does not exist. This is likely normal.
INFO: set-user-id found - file_name: ‘/sbin/mount.nfs’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /sbin/mount.nfs
INFO: fso: ‘/usr/local/sbin/’ - does not exist. This is likely normal.
INFO: set-user-id found - file_name: ‘/usr/lib/policykit-1/polkit-agent-helper-1’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/policykit-1/polkit-agent-helper-1
INFO: set-user-id found - file_name: ‘/usr/lib/eject/dmcrypt-get-device’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/eject/dmcrypt-get-device
INFO: set-user-id set-group-id found - file_name: ‘/usr/lib/virtualbox/VBoxNetDHCP’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetDHCP
INFO: set-user-id set-group-id found - file_name: ‘/usr/lib/virtualbox/VBoxNetNAT’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetNAT
INFO: set-user-id set-group-id found - file_name: ‘/usr/lib/virtualbox/VBoxHeadless’ | existing_mode: ‘6755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxHeadless
INFO: set-user-id found - file_name: ‘/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
INFO: set-user-id found - file_name: ‘/usr/lib/dbus-1.0/dbus-daemon-launch-helper’ | existing_mode: ‘4754’ | new_mode: ‘754’
run: dpkg-statoverride --remove /usr/lib/dbus-1.0/dbus-daemon-launch-helper
run: dpkg-statoverride --add --update root messagebus 754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
INFO: set-user-id found - file_name: ‘/usr/lib/kde4/libexec/fileshareset’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/kde4/libexec/fileshareset
INFO: set-group-id found - file_name: ‘/usr/lib/kde4/libexec/kdesud’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root nogroup 755 /usr/lib/kde4/libexec/kdesud
INFO: set-user-id found - file_name: ‘/usr/lib/chromium/chrome-sandbox’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/chromium/chrome-sandbox
INFO: set-user-id found - file_name: ‘/usr/lib/qubes/qfile-unpacker’ | existing_mode: ‘4755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root root 755 /usr/lib/qubes/qfile-unpacker
INFO: set-group-id found - file_name: ‘/usr/lib/evolution/camel-lock-helper-1.2’ | existing_mode: ‘2755’ | new_mode: ‘755’
run: dpkg-statoverride --add --update root mail 755 /usr/lib/evolution/camel-lock-helper-1.2
INFO: fso: ‘/usr/lib64/’ - does not exist. This is likely normal.
INFO: fso: ‘/usr/local/lib/’ - does not exist. This is likely normal.
INFO: fso: ‘/usr/local/lib32/’ - does not exist. This is likely normal.
INFO: fso: ‘/usr/local/lib64/’ - does not exist. This is likely normal.
run: dpkg-statoverride --add --update root root 4755 /usr/bin/sudo
run: dpkg-statoverride --add --update root root 4755 /usr/bin/bwrap
run: dpkg-statoverride --add --update root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
INFO: fso: ‘/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper’ - does not exist. This is likely normal.
run: dpkg-statoverride --add --update root utmp 2755 /usr/lib/x86_64-linux-gnu/utempter/utempter

new_mode is either 755 or 754. I.e. has still execution permission for others or group.

For config entries stating nosuid only: Would it be a good idea to hardcode / change new_mode of these to 744? I.e. to remove execution permission for others and group?

  ## Drop the group and other execute bits from the usual nosuid results.
  case "$new_mode" in
    755|754|745) new_mode=744 ;;
  esac

I guess the question is:

Are there suid or guid binaries which are still useful if suid / guid has been removed from these?

1 Like

Could you please review if it is sane to remove suid / guid from the following binaries? @madaidan

run: dpkg-statoverride --add --update root root 755 /bin/fusermount
run: dpkg-statoverride --add --update root root 755 /bin/su
run: dpkg-statoverride --add --update root root 755 /bin/ntfs-3g
run: dpkg-statoverride --add --update root root 755 /usr/bin/sudo
run: dpkg-statoverride --add --update root root 755 /usr/bin/chsh
run: dpkg-statoverride --remove /usr/bin/crontab
run: dpkg-statoverride --add --update root crontab 755 /usr/bin/crontab
run: dpkg-statoverride --add --update root root 755 /usr/bin/chfn
run: dpkg-statoverride --add --update root ssh 755 /usr/bin/ssh-agent
run: dpkg-statoverride --add --update root root 755 /usr/bin/newuidmap
run: dpkg-statoverride --add --update root root 755 /usr/bin/pkexec.security-misc-orig
run: dpkg-statoverride --add --update root shadow 755 /usr/bin/chage
run: dpkg-statoverride --add --update root root 755 /sbin/mount.nfs
run: dpkg-statoverride --add --update root root 755 /usr/lib/policykit-1/polkit-agent-helper-1
run: dpkg-statoverride --add --update root root 755 /usr/lib/eject/dmcrypt-get-device
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetDHCP
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxNetNAT
run: dpkg-statoverride --add --update root root 755 /usr/lib/virtualbox/VBoxHeadless
run: dpkg-statoverride --add --update root root 755 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
run: dpkg-statoverride --add --update root messagebus 754 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
run: dpkg-statoverride --add --update root root 755 /usr/lib/kde4/libexec/fileshareset
run: dpkg-statoverride --add --update root nogroup 755 /usr/lib/kde4/libexec/kdesud
run: dpkg-statoverride --add --update root root 755 /usr/lib/chromium/chrome-sandbox
run: dpkg-statoverride --add --update root root 755 /usr/lib/qubes/qfile-unpacker
run: dpkg-statoverride --add --update root mail 755 /usr/lib/evolution/camel-lock-helper-1.2
run: dpkg-statoverride --add --update root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
run: dpkg-statoverride --add --update root utmp 2755 /usr/lib/x86_64-linux-gnu/utempter/utempter

Does the suid default whitelist need to be expanded?
Specifically, let’s not break chromium and virtualbox.

1 Like

Found an issue.

Dec 20 07:54:47 disp3633 permission-hardening[26043]: + seq -w 000 4777
Dec 20 07:54:47 disp3633 permission-hardening[26043]: + grep -qw 2755
Dec 20 07:54:47 disp3633 permission-hardening[26043]: seq: write error: Broken pipe

Need to use a better regex here.

Another issue.

user@disp3633:~$ sudoedit /usr/lib/security-misc/permission-hardening
sudoedit: /usr/bin/sudoedit must be owned by uid 0 and have the setuid bit set
user@disp3633:~$ sudo test
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

That is because there is a significant time gap between suid removal from /usr/bin and re-adding the whitelist of /usr/bin/sudo. Therefore we need to implement the whitelist another way. Not by first removing suid and then re-adding. Better to not modify file permissions of sudo (and other whitelisted ones) at all. Otherwise this can cause a lot of bugs which are timing dependent (when other scripts use sudo).

1 Like

Not perfect but functional.

1 Like

Now also fixed:

1 Like

That does not work. It will “forget” to process some files.

find /usr/bin | wc -l

1149

Added a counter.

INFO: fso_to_process: ‘/usr/bin/’ | counter: ‘575’

1 Like

Fixed.

1 Like

sudo /usr/lib/security-misc/permission-hardening

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

On Qubes there is also /bin/sudo and /bin/bwrap. Fixed.

1 Like

Found a way to speed things up massively. Using find with -perm /u=s,g=s. Will add.

1 Like
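Putting the decisions from the posts above together, here is an added example (my own code, not security-misc’s permission-hardening script) of a dry-run nosuid pass over one directory. It streams paths from find -print0 instead of expanding a glob (the ARG_MAX fix), pre-filters with -perm so stat only runs on set-id candidates (the speed-up noted just above), skips symlinks via -type f, clears the set-id bits with octal arithmetic so a symlink’s 777 can never turn into 77, validates modes with a pattern match instead of seq | grep -qw, skips whitelisted paths outright so sudo never loses its setuid bit mid-run, and carries the generalised fail-closed 744 mapping from the earlier question. The demo directory tree, its file names and the whitelist are constructed for the example; the dpkg-statoverride commands are only printed, never executed.

```bash
#!/bin/bash
# Added example, not security-misc's own code. A dry-run "nosuid" pass over one
# directory that sidesteps the problems discussed in this thread:
#  - ARG_MAX: paths are streamed from find -print0 into a read loop instead of
#    being expanded by a glob into one huge argument list;
#  - speed: find -perm /6000 (same as -perm /u=s,g=s) pre-filters, so stat only
#    runs on set-id candidates rather than on every file under a tree;
#  - symlinks: find does not follow them without -L, so -type f drops them and
#    a symlink's "777" never reaches the mode arithmetic;
#  - the 777 -> 77 bug: set-id bits are cleared with octal arithmetic, not by
#    chopping the first character off a string;
#  - the seq | grep -qw "regex": a mode is validated with a bash pattern match;
#  - the sudo race: whitelisted paths are skipped, never stripped and re-added.
# The demo tree, file names and whitelist below are constructed for the example.

# True if $1 is a 3- or 4-digit octal mode string.
is_octal_mode() {
  [[ "$1" =~ ^[0-7]{3,4}$ ]]
}

# Clear S_ISUID (4000) and S_ISGID (2000): 4755 -> 755, 6755 -> 755, 777 -> 777.
strip_setid_mode() {
  is_octal_mode "$1" || { echo "invalid mode: $1" >&2; return 1; }
  printf '%o\n' "$(( 8#$1 & ~8#6000 ))"
}

# "Fail closed" variant from the 744 discussion, generalised: also drop the
# group and other execute bits, so 755, 754 and 745 all become 744.
fail_closed_mode() {
  is_octal_mode "$1" || { echo "invalid mode: $1" >&2; return 1; }
  printf '%o\n' "$(( 8#$1 & ~8#6011 ))"
}

# True if $1 equals one of the remaining arguments (the keep-setuid whitelist).
is_whitelisted() {
  local path="$1" w; shift
  for w in "$@"; do [ "$path" = "$w" ] && return 0; done
  return 1
}

# NUL-separated regular files under $1 with the setuid or setgid bit set.
find_setid_files() {
  find "$1" -type f -perm /6000 -print0
}

# Dry run: print the dpkg-statoverride command that would drop the set-id bits
# of each candidate (owner and group unchanged), skipping the whitelist.
# Usage: plan_nosuid DIR [WHITELISTED_PATH...]
plan_nosuid() {
  local dir="$1" path mode owner group new_mode; shift
  while IFS= read -r -d '' path; do
    if is_whitelisted "$path" "$@"; then
      echo "skip (whitelisted): $path"
      continue
    fi
    read -r mode owner group < <(stat -c '%a %U %G' -- "$path")
    new_mode="$(strip_setid_mode "$mode")" || continue
    echo "run: dpkg-statoverride --add --update $owner $group $new_mode $path"
  done < <(find_setid_files "$dir")
}

# Constructed demo tree: a few set-id "binaries", a plain file and a symlink.
# Works as an unprivileged user on any filesystem that keeps set-id bits.
make_demo_tree() {
  local d; d="$(mktemp -d)"
  printf '#!/bin/sh\n' > "$d/sudo";        chmod 4755 "$d/sudo"
  printf '#!/bin/sh\n' > "$d/su";          chmod 4755 "$d/su"
  printf '#!/bin/sh\n' > "$d/chage";       chmod 2755 "$d/chage"
  printf '#!/bin/sh\n' > "$d/dbus-helper"; chmod 4754 "$d/dbus-helper"
  printf '#!/bin/sh\n' > "$d/plain";       chmod 0755 "$d/plain"
  ln -s su "$d/sg"                         # symlink: must be skipped
  echo "$d"
}

main() {
  local d; d="$(make_demo_tree)"
  plan_nosuid "$d" "$d/sudo"               # sudo is the whitelist here
  rm -rf -- "$d"
}

main "$@"
```

Run it as any user; it creates and removes its own temporary tree. To turn the dry run into a real one, replace the echo with the printed command: because the whitelist check happens before any removal, there is no window in which a whitelisted binary such as sudo is non-setuid.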

It’s fine. Do what you want. You’re better than me at writing bash scripts anyway.

You can just add another rule for su:

/bin/su 0700 root root

What’s the point of reading binaries if they can’t even be executed? Maybe just give a mode of 700.

It’s fine to remove it from most of them but whitelist sudo, virtualbox, polkit, dbus and chromium. Chromium only needs suid if unprivileged user namespaces are disabled, which Debian does by default.

1 Like