madaidan via Whonix Forum:
What’s the point of reading binaries if it can’t even be executed? Maybe just give a mode of
Making the minimal change required for security. Keeping things simple.
Making it easier for users to restore to defaults.
madaidan via Whonix Forum:
We can use this to remove capabilities of some unneeded binaries too by using the
getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/ping = cap_net_raw+ep
I think we should remove the capabilities of /bin/ping since it doesn’t work with Tor anyway.
Good idea. We already support:
Should we add another feature
Or should we just
nocap and consider that good enough?
Capability removal only works until package upgrade since dpkg-statoverride does not support capabilities. Feature request:
Only 2 things have capabilities by default anyway so that’s not really needed.
The only missing feature is: if suid / sgid was already removed during a previous run of the service and the user adds it to exactwhitelist or matchwhitelist after that, suid / sgid will not be re-enabled.
An easy fix would be to tell users “boot into admin mode”, run
/usr/lib/security-misc/permission-hardening-undo and reboot. But this is a bit unsafe if other services are already started. “boot into admin mode” should probably mean “don’t start any services such as web services”? Will discuss in multiple boot modes for better security: persistent + root | persistent + noroot | live + root | live + noroot
We could auto-restore permissions for later added whitelist entries (if [ "$mode_from_config" = "exactwhitelist" ]; then) since permissions before the change are recorded in /var/lib/permission-hardening/existing_mode. Same for if [ "$mode_from_config" = "matchwhitelist" ]; then. But not sure if worth the effort.
Should it do that anyway? The point of those options are for whitelisting, not adding back permissions. This doesn’t seem needed.
fuse: failed to exec fusermount: Permission denied
Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage
if you run it with the --appimage-extract option.
for more information
open dir error: No such file or directory
sudo chmod +sx /bin/fusermount
Really bad bug disabling sudo. Unexplained. Non-reproducible. Not a full disk issue, plenty of free space.
Dec 29 04:17:11 debian-buster-test permission-hardening: INFO: START parsing config_file: ‘/etc/permission-hardening.d/30_default.conf’
Dec 29 04:17:12 debian-buster-test permission-hardening: /usr/lib/security-misc/permission-hardening: line 255: cannot create temp file for here-document: No such file or directory
Dec 29 04:17:12 debian-buster-test permission-hardening: ERROR: cannot parse line: /usr/bin/sudo exactwhitelist
Probably better to abort processing the config file and immediately exit with error when that happens. Will implement that.
Did that. And probably found the cause:
/usr/bin/torbrowser: line 252: /bin/mount: Permission denied
/usr/bin/torbrowser: line 270: /bin/mount: Permission denied
/usr/bin/torbrowser (by Whonix developers) uses mount to check if Tor Browser folder is mounted noexec.
/bin/mount is SUID by Debian default.
/bin/mount makes sense as executable but with SUID removed.
Not an ideal solution. First add exactwhitelist and then below set /bin/mount 745 root root. An unintuitive config. But good enough for now?
Anyone got time to read?
Needs a call for testers.
Polishing a few things just now.
I think there are two security issues with SUID.
A) As I’ve added to the wiki just now: some SUID binaries have a history of privilege escalation security vulnerabilities.
B) General attack surface such as kernel attack surface.
What SUID Disabler and Permission Hardener is currently doing is disabling as many SUID binaries as reasonable without breaking a Linux desktop operating system. Improving the situation for
To however have the full benefit, to do B) we would have to eliminate all SUID binaries. This might be reasonable and doable for CLI environments such as servers (also think Kicksecure).
What do you think?
If you agree, I guess the configuration file of SUID Disabler and Permission Hardener should be split. The whitelist should be in a separate file. Then a system administrator could easily nuke the whitelist. Alternatively or additionally perhaps an ignore_whitelist=true configuration option would be useful? Then we could document this and some users could benefit from a completely SUID free system.
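The config handling discussed in this thread, put together as one added, self-contained example: the exactwhitelist / matchwhitelist lines, an explicit “/bin/mount 745 root root” style line, a state file of pre-change modes behind an undo step (the role /var/lib/permission-hardening/existing_mode and permission-hardening-undo play above), and the ignore_whitelist idea from this post. This is not code from security-misc or the Whonix developers. Assumptions made for the example: it only touches the directory tree it is given (so it can be tried unprivileged on a scratch directory), owner and group are parsed but not applied, a whitelist entry only protects and never adds a bit back, parse errors abort the run, the state file format is “<path> <octal mode>”, and GNU stat and find are available.

```shell
# Added example, not security-misc's own code. Function names, the state file
# format and the demo tree below are all assumptions for this example.

mode_of() { stat -c '%a' "$1"; }

# Record the current mode once; a second run must not overwrite the original.
record_existing_mode() {
  local path="$1" state_file="$2"
  if ! awk -v p="$path" '$1 == p { f = 1 } END { exit !f }' "$state_file" 2>/dev/null; then
    printf '%s %s\n' "$path" "$(mode_of "$path")" >> "$state_file"
  fi
}

# is_whitelisted PATH CONFIG IGNORE: succeed if a whitelist line in CONFIG
# protects PATH. IGNORE=true is the "ignore the whitelist entirely" switch.
is_whitelisted() {
  local path="$1" config="$2" ignore="$3" entry kind rest
  [ "$ignore" = true ] && return 1
  while read -r entry kind rest; do
    case "$kind" in
      exactwhitelist) [ "$path" = "$entry" ] && return 0 ;;
      matchwhitelist) case "$path" in "$entry"*) return 0 ;; esac ;;
    esac
  done < "$config"
  return 1
}

# harden CONFIG STATE_FILE ROOT_DIR [IGNORE_WHITELIST]
# Pass 1 applies explicit "<path> <mode> <owner> <group>" lines, recording the
# old mode first, and aborts on a line it cannot parse. Pass 2 scans ROOT_DIR
# for setuid/setgid files and strips those bits from anything not whitelisted.
harden() {
  local config="$1" state_file="$2" root_dir="$3" ignore="${4:-false}"
  local path mode owner group f
  while read -r path mode owner group; do
    case "$path" in ''|'#'*) continue ;; esac
    case "$mode" in
      exactwhitelist|matchwhitelist) ;;
      [0-7]*)
        if [ -e "$path" ]; then
          record_existing_mode "$path" "$state_file"
          chmod "$mode" "$path"
        else
          echo "harden: skipping missing $path" >&2
        fi ;;
      *) echo "harden: cannot parse line: $path $mode $owner $group" >&2; return 1 ;;
    esac
  done < "$config"
  find "$root_dir" -xdev -type f -perm /6000 | while IFS= read -r f; do
    is_whitelisted "$f" "$config" "$ignore" && continue
    record_existing_mode "$f" "$state_file"
    chmod u-s,g-s "$f"
  done
}

# undo STATE_FILE: put every recorded mode back, e.g. after adding a path to
# the whitelist that an earlier run already stripped.
undo() {
  local state_file="$1" path mode
  [ -f "$state_file" ] || return 0
  while read -r path mode; do
    if [ -e "$path" ]; then chmod "$mode" "$path"; fi
  done < "$state_file"
}

# Demo on a constructed scratch tree (no root needed).
scratch=$(mktemp -d)
mkdir -p "$scratch/bin" "$scratch/opt/app"
for f in bin/mount bin/ping bin/sudo opt/app/helper; do : > "$scratch/$f"; done
chmod 4755 "$scratch/bin/mount" "$scratch/bin/ping" "$scratch/bin/sudo"
chmod 2755 "$scratch/opt/app/helper"
cat > "$scratch/30_default.conf" <<EOF
# whitelist first, then the explicit "executable but not SUID" line for mount
$scratch/bin/sudo exactwhitelist
$scratch/bin/mount exactwhitelist
$scratch/opt/ matchwhitelist
$scratch/bin/mount 745 root root
EOF
harden "$scratch/30_default.conf" "$scratch/existing_mode" "$scratch"
for f in bin/mount bin/ping bin/sudo opt/app/helper; do
  printf '%-16s %s\n' "$f" "$(mode_of "$scratch/$f")"
done
```

In the demo, sudo keeps 4755 (exact whitelist), everything under opt/ keeps its sgid bit (prefix whitelist), ping loses its setuid bit, and mount ends up 745 via the explicit line. Running undo on the state file restores the pre-run modes; running harden again with the fourth argument set to true strips every setuid/setgid bit regardless of the whitelist, which is the “completely SUID free” mode proposed above.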
Moved to dedicated wiki page:
More documentation enhancements:
Should we add
/opt is that some manually installed software installs itself to /opt. Some less important functionality might require suid or sgid. The suid/sgid bit might have been accidentally set by a developer. (Or part of legacy install scripts. Useful in the past, then forgotten, now obsolete.) Removal of suid / sgid might in many cases go unnoticed by the user. (In cases where that software is run as root anyhow.)
On the other hand, the /opt folder is empty on a default Debian (based) installation. One could argue if the (super) admin installs files there it should be honored by the system and kept unobstructed.
I guess it depends if (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? would re-mount
Other folders where suid binaries might end up?
But adding that I guess would be excessive because:
- Will be covered by (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? anyhow which will be a better solution.
- Avoid long scan times during boot.
- Requires root anyhow to create root owned suid binaries. System administrator shouldn’t create root owned suid binaries in home folder anyhow.
/root? Depends on outcome of this post Disable SUID Binaries - A) vs B).
- Any others?