SUID Disabler and Permission Hardener

Performance issues which might cause trouble in Qubes-Whonix:

With debugging.

time sudo bash -x /usr/libexec/security-misc/permission-hardening
real	0m7.729s
user	0m0.688s
sys	0m2.020s

Dropping debugging doesn’t make much of a difference.

time sudo /usr/libexec/security-misc/permission-hardening
real 0m8.759s
user 0m0.730s
sys 0m2.100s

Some solution has to be found so it won’t add boot delay.

/usr/bin/time -f %E sudo /usr/libexec/security-misc/permission-hardening

As mentioned in the above ticket, I am now considering not running SUID Disabler at boot time but only at package installation and update time. This would prevent the issue "Sometimes qubes don't start the first time - If Whonix/Kicksecure Hardening Features for Testers Enabled" (Issue #7959, QubesOS/qubes-issues, GitHub) and help to move this ticket forward, i.e. enabling SUID Disabler by default.

SUID Disabler and Permission Hardener is now enabled by default at package installation time.

This is now in the developers repository.

1 Like

It would also break sudo

1 Like

Done.

qfile-unpacker is whitelisted and a security risk.
…but only a threat model when Qubes would be already using sudo lockdown by default or when opt-in by the user.

SUID Disabler and Permission Hardener is now enabled by default in the testers repository.

1 Like

TODO:

  1. merge permission-hardening and permission-hardening-undo?
  2. allow undoing permission-hardening for user selected binaries
     • permission-hardener disable passwd
     • permission-hardener disable /usr/bin/passwd
     • A) look up what permission-hardener did (similar to permission-hardening-undo), and
     • B) undo that, and
     • C) add a config snippet, whitelist entry, and
     • D) notify the user of all modifications in terminal output.
  3. T941 lock down interpreters / compilers (interpreter lock) (compiler lock)
     • Implement permission-hardener enable compiler. The initial implementation does not necessarily include the list of interpreters / compilers (separate lists) but the config / variables for these lists need to be implemented first.
  4. CI testing / github actions
1 Like
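
The `disable` flow from steps A to D of the TODO above, as an added example that is not security-misc's code. The function name `ph_disable`, the state-file and whitelist line formats, and all paths are assumptions, and the demo only touches a temporary directory.

```shell
#!/usr/bin/env bash
# Sketch of "permission-hardener disable <binary>" (TODO steps A-D).
# Assumed state-file line format: "<path> <original-mode> <hardened-mode>".
# Assumed whitelist line format:  "whitelist <path>". Both are hypothetical.
ph_disable() {
  local target="$1" state="$2" whitelist="$3"
  local path orig hardened m_path m_orig m_hard matches=0 current
  # A) Look up what was changed. Accept "passwd" or "/usr/bin/passwd".
  while read -r path orig hardened; do
    if [ "$path" = "$target" ] || [ "${path##*/}" = "$target" ]; then
      matches=$((matches + 1)); m_path=$path; m_orig=$orig; m_hard=$hardened
    fi
  done < "$state"
  if [ "$matches" -eq 0 ]; then
    echo "disable: no record for '$target'; nothing changed" >&2; return 1
  fi
  if [ "$matches" -gt 1 ]; then
    echo "disable: '$target' is ambiguous; give the full path" >&2; return 2
  fi
  # Refuse if the mode drifted since hardening: restoring a stale record
  # could set SUID on a file that was replaced or changed by something else.
  current=$(stat -c %a "$m_path") || return 3
  if [ "$current" != "$m_hard" ]; then
    echo "disable: $m_path is $current, expected $m_hard; refusing" >&2; return 3
  fi
  # B) Undo: restore the recorded original mode.
  chmod "$m_orig" "$m_path" || return 4
  # C) Persist the decision so the next hardening run skips this file.
  grep -qxF "whitelist $m_path" "$whitelist" 2>/dev/null ||
    echo "whitelist $m_path" >> "$whitelist"
  # D) Report every modification to the terminal.
  echo "restored $m_path: $m_hard -> $m_orig"
  echo "added 'whitelist $m_path' to $whitelist"
}

# Constructed demo in a throwaway directory (no real system files touched).
ph_demo() {
  local d; d=$(mktemp -d) || return 1
  mkdir -p "$d/usr/bin" "$d/bin"
  touch "$d/usr/bin/passwd" "$d/usr/bin/su" "$d/bin/su"
  chmod 755 "$d/usr/bin/passwd" "$d/usr/bin/su" "$d/bin/su"
  printf '%s 4755 755\n' "$d/usr/bin/passwd" "$d/usr/bin/su" "$d/bin/su" > "$d/state"
  ph_disable passwd "$d/state" "$d/whitelist.conf"
  ph_disable su "$d/state" "$d/whitelist.conf" || echo "exit code $?"
  rm -rf "$d"
}
ph_demo
```

The bare name `su` is rejected because two recorded paths share that basename, which is why the TODO lists both the short and the full-path form of the command.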

SUID Disabler and Permission Hardener is now enabled by default in the stable repository.

2 Likes

Am I correct in understanding that with QubesOS currently allowing passwordless root by default, this will have limited impact on improving security for Qubes-Whonix, unless used in a non-standard configuration?

(Even in that case it’s useful to have, as in the future Qubes may finally move toward supporting root account protection again.)

Correct.

In Qubes (when using Kicksecure for Qubes or) Qubes-Whonix this only has an effect for:

  • other (system) users that don’t have passwordless root by default
  • those who use sudo hardening

Related information, future work:

2 Likes