The only missing feature is: if suid / sgid was already removed during a previous run of the service and the user adds it to exactwhitelist or matchwhitelist after that, suid / sgid will not be re-enabled.
fuse: failed to exec fusermount: Permission denied
Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage
if you run it with the --appimage-extract option.
for more information
open dir error: No such file or directory
Really bad bug disabling sudo. Unexplained. Non-reproducible. Not a full disk issue, plenty of free space.
Dec 29 04:17:11 debian-buster-test permission-hardening: INFO: START parsing config_file: ‘/etc/permission-hardening.d/30_default.conf’
Dec 29 04:17:12 debian-buster-test permission-hardening: /usr/lib/security-misc/permission-hardening: line 255: cannot create temp file for here-document: No such file or directory
Dec 29 04:17:12 debian-buster-test permission-hardening: ERROR: cannot parse line: /usr/bin/sudo exactwhitelist
Probably better to abort processing the config file and immediately exit with error when that happens. Will implement that.
A) As I’ve added to the wiki just now: Some SUID binaries have a history of privilege escalation security vulnerabilities.
B) General attack surface such as kernel attack surface.
What SUID Disabler and Permission Hardener is currently doing is disabling as many SUID binaries as reasonable without breaking a Linux desktop operating system. This improves the situation for A).
To have the full benefit, however, i.e. to do B), we would have to eliminate all SUID binaries. This might be reasonable and doable for CLI environments such as servers (also think Kicksecure).
What do you think?
If you agree, I guess the configuration file of SUID Disabler and Permission Hardener should be split. The whitelist should be in a separate file. Then a system administrator could easily nuke the whitelist. Alternatively or additionally, perhaps an ignore_whitelist=true configuration option would be useful? Then we could document this and some users could benefit from a completely SUID free system.
Rationale for /opt is that some manually installed software installs itself to /opt. Some lesser important functionality might require suid or sgid. The suid/sgid bit might have been accidentally set by a developer. (Or part of legacy install scripts. Useful in past, then forgotten, now obsolete.) Removal of suid / sgid might in many cases go unnoticed by the user. (In cases where that software is run as root anyhow.)
On the other hand, the /opt folder is empty on a default Debian (based) installation. One could argue if the (super) admin installs files there it should be honored by the system and kept unobstructed.
It can be done for GUI environments also. Nothing really requires setuid. We can replace them with capabilities.
The admin could whitelist their binaries.
Unlikely. We could cover /root since that’s a bit more likely to contain suid binaries and it wouldn’t increase scan time much since most users would be storing their files in an unprivileged user’s home directory.
That would break a lot of things. For example, if I mounted a drive containing another Linux system to /mnt in order to debug an issue, permission hardener would kill all suid binaries in it and become extremely slow. A better solution would be mounting those filesystems with the nosuid option since it’s much easier to revert (mount -o remount,suid /mnt vs. resetting all file permissions).
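An added example (not the security-misc permission-hardening script itself) tying together the points above: a dry-run scanner that honours exactwhitelist / matchwhitelist, stays on one filesystem so a system mounted under /mnt is left alone, and records stripped modes so that a later whitelisting can undo the removal (the gap noted at the top of the thread). The config format, substring semantics of matchwhitelist and the state file are assumptions.

```shell
#!/bin/sh
# Added example, not the security-misc permission-hardening script. Assumed
# config format: one "<path> <action>" per line, action = exactwhitelist
# (path equals the file's path) or matchwhitelist (path is a substring of
# the file's path). Paths must not contain whitespace.

# whitelist_action <config> <file>: print the matching action, or fail.
whitelist_action() {
    config="$1"; target="$2"
    while read -r entry action _; do
        case "$entry" in ''|'#'*) continue ;; esac
        case "$action" in
            exactwhitelist)
                [ "$entry" = "$target" ] && { echo exactwhitelist; return 0; } ;;
            matchwhitelist)
                case "$target" in *"$entry"*) echo matchwhitelist; return 0 ;; esac ;;
        esac
    done < "$config"
    return 1
}

# scan_suid <dir> <config>: one line per setuid/setgid regular file below
# <dir>: "KEEP <path>" if whitelisted, else "STRIP <path>". -xdev keeps the
# walk on one filesystem, so a foreign system mounted under /mnt is not
# touched (mount it nosuid instead, as suggested above).
scan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort |
    while read -r f; do
        if whitelist_action "$2" "$f" >/dev/null; then echo "KEEP $f"; else echo "STRIP $f"; fi
    done
}

# strip_suid <file> <statefile>: clear the bits, but record the original
# mode first so a later run can undo this once the file is whitelisted.
strip_suid() {
    mode=$(stat -c '%a' "$1")
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }' "$2" 2>/dev/null ||
        printf '%s %s\n' "$1" "$mode" >> "$2"
    chmod u-s,g-s "$1"
}

# restore_suid <file> <statefile>: put the recorded mode back and forget it.
restore_suid() {
    mode=$(awk -v p="$1" '$1 == p { print $2 }' "$2" 2>/dev/null)
    [ -n "$mode" ] || return 1
    chmod "$mode" "$1"
    awk -v p="$1" '$1 != p' "$2" > "$2.new" && mv "$2.new" "$2"
}
```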
Meaning there might be no standard way in which packages implement setting capabilities yet. Therefore I wanted to look at a package that sets capabilities. For example package iputils-ping contains capability enabled binary ping. From the package postinst script:
if [ "$1" = configure ]; then
    # If setcap is installed, try setting cap_net_raw+ep,
    # which allows us to install our binaries without the setuid
    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping; then
            chmod u-s /bin/ping
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2
            chmod u+s /bin/ping
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s /bin/ping
    fi
fi

# Local variables:
# mode: shell-script
# tab-width: 4
# indent-tabs-mode: nil
dpkg -S /sbin/setcap
cat debian/control | grep cap
So if libcap2-bin does not get installed early enough (before iputils-ping is installed), the Debian maintainer script will set SUID instead of using capabilities. Assuming that other packages might be implemented in a similar way, we should find a way to make sure package libcap2-bin is installed during the build process as early as possible.
Other random examples having a similar use of setcap:
Take into account systems not supporting fcaps; this includes:
(for now) non-Linux systems,
Linux w/ old kernels or kernels w/o fcap compiled in,
file systems not supporting fcaps, and/or w/o mount time enabled
Or don’t care much about this and just ignore errors using setcap [...] || true?
Added to wiki:
It does not search folders /root because no SUID binaries should be there by default. That folder is by default readable only by root. If root were to create a custom SUID and move it there, then root should be able to execute it.
The lack of dpkg-statoverride support is an issue however. Maybe we can implement something ourselves via an apt / dpkg hook? I.e. on package upgrade, it checks /etc/permission-hardening.d/ for any needed capabilities and if so, sets them.
Capabilities don’t have the same configurability as sudoers exceptions. We cannot restrict which user can execute the program with higher privileges or what arguments they can use.
It may even be better to replace capabilities or setuid with sudoers exceptions as we can restrict execution of those binaries to specific users. For example, if /bin/example is setuid, it can be executed by any user and potentially exploited whereas if a sudoers exception was made, it will only be able to be executed by user user, preventing a compromised sdwdate user from exploiting that program.
Issue indeed… The essential issue is this…
(You probably know but I am writing this down as reminder to self and everyone else reading.)
sudo getcap /bin/ping
(Capabilities of /bin/ping already removed.)
sudo apt install --reinstall iputils-ping
sudo getcap /bin/ping
/bin/ping = cap_net_raw+ep
Even if we could, there would be a race condition. A time window of vulnerability. Malware with the ability to abuse a capability could use inotifywait (or some other mechanism (perhaps brute force trying)) to wait until the binary is updated and the capability reinstated.
Perhaps once https://www.whonix.org/wiki/Dev/boot_modes exists, malware lurking under user user should be deactivated once rebooted into admin mode. Then malware running under user user couldn’t exploit the vulnerable time window of the capability briefly being re-introduced. If we go for that, we should probably remove the upgrade-nonroot command. It would still be an incomplete solution until… Even if rebooted into admin mode, there might be daemons running under for example user www-data. Once  is implemented, probably when booting into admin mode only a limited amount of systemd services should be executed.
Nothing really is as great as a proper implementation of dpkg-statoverride. In case of permissions, dpkg never changes back to the different/original/weaker permissions (won’t re-enable SUID even briefly).
Which kind of configurability do we need? Can we re-implement these?
Can the output of whoami or some alternative command be trusted? Or can that be fooled with some LD_PRELOAD trick or something?
Let’s pick livecheck.sh as an example. The script currently uses sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO. This could probably be translated to some capability.
You’re right. We don’t want all users to have that capability. If output of whoami or similar could be trusted, the script itself could check if it’s running under user user and exit if not so?
The capability might give access to a lot more than sudo --non-interactive /bin/lsblk --noheadings --all --raw --output RO.
Am I re-inventing SUID or sudo here?
My conclusion for now: An SUID free desktop system (including free of sudo) is impractical.
Now on a second thought… Perhaps livecheck.sh could be implemented in a more sophisticated way. A systemd unit running as root could run lsblk --noheadings --all --raw --output RO, then write the output to a world readable file. livecheck.sh could then read from that file instead of running a command with SUID (meaning sudo).
Perhaps similar solutions could be invented for other cases currently dependent on a /etc/sudoers.d exception.
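An added example (not livecheck.sh or other Whonix code) of the root-writes, user-reads split proposed above: the privileged side publishes the lsblk output atomically into a world-readable file, and the unprivileged reader only trusts it after checking owner, mode and age. The /run/livecheck path, the ExecStart line and the "a 1 in the RO column means live mode" interpretation are assumptions; nothing below runs lsblk.

```shell
#!/bin/sh
# Added example, not livecheck.sh or other Whonix code. Assumed: a
# root-owned, 0755 directory /run/livecheck and a root systemd service
# (plus timer) with an ExecStart such as
#   /bin/sh -c 'lsblk --noheadings --all --raw --output RO | publish_state /run/livecheck/lsblk-ro'

# publish_state <dest>: copy stdin into <dest> atomically with mode 0644, so
# an unprivileged reader never sees a half-written or missing file.
publish_state() {
    dest="$1"; tmp="$dest.tmp.$$"
    umask 022
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# read_state <file> <owner> <max_age>: print the file only if it is a regular
# file, owned by <owner>, not writable by group or others, and modified
# within <max_age> seconds. Without these checks the consumer would trust
# whatever any local user (or stale data) left at that path.
read_state() {
    file="$1"; owner="$2"; max_age="$3"
    [ -f "$file" ] || return 1
    set -- $(stat -c '%U %a %Y' "$file")
    [ "$1" = "$owner" ] || return 1
    case "$2" in *[2367]|*[2367]?) return 1 ;; esac   # g+w or o+w set
    [ $(( $(date +%s) - $3 )) -le "$max_age" ] || return 1
    cat "$file"
}

# is_live <file> [owner]: assumed livecheck interpretation: a "1" on any
# line of the RO column means a read-only block device, i.e. live mode.
# Returns 0 for live, 1 otherwise (including untrusted or stale state).
is_live() {
    read_state "$1" "${2:-root}" 120 | grep -qx 1
}
```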
Seems difficult. I would not know how to implement this without over complicating the code. I don’t think many people will read that config, let alone edit it or view the logs.
Currently config doesn’t even support white spaces in folder names. (Untested.) Such a basic feature should be implemented before going fancy with bash/AppArmor-style regex?
Config parsing, the script looks complex enough already for my taste.
/usr/local seems to hold anything that also the root / could hold. I found mentions of all newly added entries on Google when putting the search term into quotes such as.
Also for consistency, thought good to add. At worst it costs a second or so and a log entry.
Or limited user with sudoers exception or capability? Too complex, fancy?
Or only user user? Too complex, fancy?