SUID Disabler and Permission Hardener

From Whonix


Introduction

SUID Disabler and Permission Hardener aims to increase the security of the system by improving Strong Linux User Account Isolation, setting more restrictive file permissions and reducing attack surface by disabling SUID-enabled binaries. [1] This feature is part of security-misc.

SUID vs. SGID

SUID (Set owner User ID up on execution) is: [2]

... a special type of file permissions given to a file. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather than the user who runs it. In simple words users will get file owner's permissions as well as owner UID and GID when executing a file/program/command.

In simple terms, SUID (or setuid) allows a user to execute a binary with the privileges of the binary's owner. This is often used to allow unprivileged users to utilize certain functionality that is normally only reserved for the root user. As such, many SUID binaries have a history of privilege escalation security vulnerabilities.

Quote from Removing SUID and SGID flags off binaries:

SUID and SGID binaries pose a risk of exploitation due to them running as user 'root' or as group 'root' (or some other group or user).

A related Linux functionality is SGID (Set Group ID up on execution). This is: [3]

... a special type of file permissions given to a file/folder. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SGID is defined as giving temporary permissions to a user to run a program/file with the file's group permissions, i.e. becoming a member of that group in order to execute the file. In simple words users will get the file group's permissions when executing a folder/file/program/command. SGID is similar to SUID. The difference between both is that SUID assumes the file owner's permissions and SGID assumes the group's permissions when executing a file, instead of the logged in user's inherited permissions.

This page sometimes refers only to SUID when it means both SUID and SGID. Even the name of the program, SUID Disabler and Permission Hardener, leaves out SGID, even though SGID disabling is included.

Disabled Binaries and Libraries

SUID Disabler and Permission Hardener configuration folders are /etc/permission-hardening.d and /usr/local/etc/permission-hardening.d. (See the SUID Disabler and Permission Hardener default configuration folder.)

SUID Disabler and Permission Hardener searches the following folders for SUID/SGID binaries/libraries and disables all except those which are whitelisted in the configuration file. The following list of folders was copied from the default configuration file at the time of writing.

## Remove all SUID/SGID binaries/libraries.

/bin/ nosuid
/usr/bin/ nosuid
/usr/local/bin/ nosuid
/sbin/ nosuid
/usr/sbin/ nosuid
/usr/local/sbin/ nosuid
/lib/ nosuid
/lib32/ nosuid
/lib64/ nosuid
/usr/lib/ nosuid
/usr/lib32/ nosuid
/usr/lib64/ nosuid
/usr/local/lib/ nosuid
/usr/local/lib32/ nosuid
/usr/local/lib64/ nosuid

It does not search the whole hard drive because:

  • No known Debian packages or other software following the file hierarchy standard installs SUID/SGID binaries/libraries into other disk locations. Since installation of new malicious root-owned SUID/SGID binaries/libraries would require root, this is outside of the threat model. An attacker capable of creating malicious root-owned SUID/SGID binaries/libraries in non-standard disk locations already owns the system. The purpose of SUID Disabler is to prevent malicious/compromised non-root accounts from escalating to root using SUID, not to control what an attacker with root can do. For that, see Untrusted Root - improve Security by Restricting Root, apparmor-profile-everything and Multiple Boot Modes for Better Security - a Design for the Implementation of Untrusted Root.
  • It does not search /mnt or /media because another Linux installation could be mounted in those folders, which should not be broken by SUID Disabler. [4]
  • It does not search the folder /root because no SUID binaries should be there by default. That folder is by default readable only by root. If root were to create a custom SUID binary and move it there, then root should be able to execute it.
  • It does search the folders /opt and /usr/local/opt by default (version 19.7-1 and above). These folders do not exist in a default installation. The rationale is that some manually installed software installs itself there. Some less important functionality might require SUID/SGID. The SUID/SGID bit might have been accidentally set by a developer (or be part of legacy install scripts: useful in the past, then forgotten, now obsolete). Removal of SUID/SGID might in many cases go unnoticed by the user, i.e. the user might not notice any broken functionality, for example in cases where that software is run as root anyhow. [5]
  • This process is re-done every time SUID Disabler and Permission Hardener is started at system boot time. Searching the whole disk would slow down the boot process.
  • Another security-misc feature, Remount Secure, will in future re-mount folders such as /home with the mount options nosuid and noexec at early boot time anyhow. This is a better solution. Therefore there is no need to duplicate that functionality in SUID Disabler.

Some SUID/SGID binaries such as sudo are whitelisted by default because otherwise a Linux desktop computer would be unusable. The choice of whitelisted SUID/SGID binaries is justified in the SUID Disabler and Permission Hardener default configuration folder and in its development discussion.

It would however in theory be desirable to have a system fully free of SUID/SGID binaries for general and kernel related attack surface reduction. [6] Quote from security researcher Solar Designer:

Ideally, there should be no SUID binaries reachable from the user account, as otherwise significant extra attack surface inside the VM is exposed (dynamic linker, libc startup, portions of Linux kernel including ELF loader, etc.)

Operating such a system might however be impractical and at odds with other security advice. One would have to operate without both sudo and su, and would have to ignore the advice not to log in as root, as explained on the Safely Use Root Commands wiki page. Therefore such a configuration is still undocumented. To aid such experiments, research, developers and advanced users, SUID Disabler and Permission Hardener has an optional feature to Disable All SUID Binaries.

Enable SUID Disabler and Permission Hardener

Testers only!

Temporary Until Package Re-Installation

As long as SUID Disabler and Permission Hardener is for testers only, it is recommended to initially run it manually from the command line. This is optional, but useful to better understand what SUID Disabler and Permission Hardener is actually doing.

sudo /usr/lib/security-misc/permission-hardening

(The printout will look similar to the one shown in the SUID Disabler and Permission Hardener Printout chapter below.)

However, if any package that ships a SUID binary is re-installed, the SUID bit will be re-enabled. Therefore it is recommended to permanently enable SUID Disabler and Permission Hardener to ensure that re-installed packages keep previously disabled SUID binaries permanently disabled.

Permanently

These commands are only required once.

Enable systemd unit.

sudo systemctl enable permission-hardening.service

Start systemd unit.

sudo systemctl start permission-hardening.service

SUID Disabler and Permission Hardener Operations

Show dpkg-statoverride List

SUID Disabler is based on the standard Debian tool dpkg-statoverride (see its man page). It is a tool to reliably override ownership and mode of files.

SUID Disabler would be incomplete if it did not use dpkg-statoverride. This is because when a package is upgraded or re-installed, dpkg would reset the original file permissions, i.e. re-enable SUID. To prevent a race condition (malware abusing SUID before SUID Disabler can re-disable it), dpkg-statoverride is used.

It might be helpful to view the list of overwritten dpkg file permissions.

dpkg-statoverride --list

Note that even when not using SUID Disabler at all, Debian (and a few other packages) by default adds a few dpkg statoverrides by itself. Not all entries in the list of dpkg statoverrides are caused by SUID Disabler. Therefore SUID Disabler maintains its own lists of changes: it records permissions before it applies any changes as well as the new permissions set by SUID Disabler. In case of any issues it might however be useful to check the list of file permission changes enforced by dpkg-statoverride.

View List of Debian Default File Permissions Before Changes

File /var/lib/permission-hardening/existing_mode/statoverride records modes before changing them using SUID Disabler and Permission Hardener. To view, run the following command.

cat /var/lib/permission-hardening/existing_mode/statoverride

View List of Changed Mode Permissions

File /var/lib/permission-hardening/new_mode/statoverride records modes that were changed by SUID Disabler and Permission Hardener. To view, run the following command.

cat /var/lib/permission-hardening/new_mode/statoverride

Alternatively, see the dpkg-statoverride list described above.

Compare Mode Changes

To view previous modes and how these were changed (replace meld with your favorite diff viewer):

meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
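An added example, not part of this wiki page and not security-misc's own code: two small shell functions that automate the comparison above and the check mentioned in the dpkg-statoverride chapter (which overrides in the dpkg-statoverride list were not recorded by SUID Disabler). It assumes that the two record files and the output of dpkg-statoverride --list share the four-column format user group mode path; the sample records it writes are constructed for the demo and not taken from a real system.

```sh
#!/bin/sh
# Added example, not security-misc's own code. Assumed: the record files under
# /var/lib/permission-hardening and `dpkg-statoverride --list` all use the
# four-column line format "<user> <group> <mode> <path>".

# compare_modes EXISTING_FILE NEW_FILE: for every path in NEW_FILE print
# "path old -> new (user:group)", with "?" when no previous mode was recorded.
compare_modes() {
    awk '
        FILENAME == ARGV[1] { old[$4] = $3; next }   # first file: modes before changes
        {
            before = ($4 in old) ? old[$4] : "?"
            printf "%s %s -> %s (%s:%s)\n", $4, before, $3, $1, $2
        }
    ' "$1" "$2"
}

# foreign_overrides LIST_FILE NEW_FILE: lines of saved `dpkg-statoverride --list`
# output whose path SUID Disabler did not record in NEW_FILE, i.e. overrides
# that were added by Debian or by other packages.
foreign_overrides() {
    awk '
        FILENAME == ARGV[1] { ours[$4] = 1; next }   # first file: paths we set
        !($4 in ours)
    ' "$2" "$1"
}

# make_demo_files: write constructed sample records into a temp dir, print its path.
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/existing_mode" <<'EOF'
root root 4755 /bin/su
root shadow 2755 /bin/chage
root root 4755 /bin/passwd
root root 0755 /boot
EOF
    cat > "$d/new_mode" <<'EOF'
root root 744 /bin/su
root shadow 744 /bin/chage
root root 744 /bin/passwd
root root 0700 /boot
EOF
    # constructed stand-in for `dpkg-statoverride --list > dpkg_list`
    cat > "$d/dpkg_list" <<'EOF'
root root 744 /bin/su
root shadow 744 /bin/chage
root root 744 /bin/passwd
root root 0700 /boot
root crontab 2755 /usr/bin/crontab
EOF
    printf '%s\n' "$d"
}

main() {
    d=$(make_demo_files)
    echo "mode changes recorded by SUID Disabler:"
    compare_modes "$d/existing_mode" "$d/new_mode"
    echo "dpkg-statoverride entries not made by SUID Disabler:"
    foreign_overrides "$d/dpkg_list" "$d/new_mode"
    rm -rf "$d"
}

if [ "${1-}" = --demo ]; then main; fi
```

Run the script with --demo to see it on the constructed records; on a real system, point compare_modes at the two statoverride files from the chapters above and foreign_overrides at a saved copy of dpkg-statoverride --list together with the new_mode file.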

Re-enable Specific SUID Binaries

Syntax:

sudo /usr/lib/security-misc/permission-hardening-undo /full/path/to/file

Example:

sudo /usr/lib/security-misc/permission-hardening-undo /usr/sbin/exim4

This is only effective until reboot. To make the change permanent, the SUID binary needs to be whitelisted as per the next chapter.

Whitelist Specific SUID Binaries

1. Create settings folder.

sudo mkdir -p /etc/permission-hardening.d

2. Open file /etc/permission-hardening.d/20_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/permission-hardening.d/20_user.conf

3. Learn the syntax.

Do not add this.

/full/path/to/file exactwhitelist

4. Add.

Example. Replace /usr/sbin/exim4 with the actual path to the binary intended to be whitelisted.

/usr/sbin/exim4 exactwhitelist

5. Save.

6. Re-enable SUID binary.

The steps in this chapter by themselves are not sufficient. It is also required to re-enable the specific SUID binary as described in the chapter above.

7. Done.

Steps to whitelist SUID binary are complete.

Whitelist Specific Capability Binaries

1. Follow the same instructions as in the chapter Whitelist Specific SUID Binaries above, even though this is a capability binary and not a SUID binary.

2. Learn the syntax.

Do not run this command.

sudo setcap capability /full/path/to/binary

3. Re-add previously removed capability.

The following example adds capability cap_net_raw+ep to binary /bin/ping. Replace cap_net_raw+ep with the actual capability and binary /bin/ping with the actual binary intended to be re-added.

sudo setcap cap_net_raw+ep /bin/ping

4. Verify capability was re-added.

Syntax.

sudo getcap /full/path/to/binary

Example.

sudo getcap /bin/ping

Should show.

/bin/ping = cap_net_raw+ep

5. Done.

Disable All SUID Binaries

Warning:

Advanced users only! This breaks even sudo.

whitelists_disable_all=true

Disable SUID Disabler and Permission Hardener

Undo all changes. The following command is only effective until the security-misc package is upgraded or the system is rebooted. To disable permanently, the subsequent systemctl commands are required as well.

sudo /usr/lib/security-misc/permission-hardening-undo all

Stop systemd unit.

sudo systemctl stop permission-hardening.service

Mask systemd unit.

sudo systemctl mask permission-hardening.service

SUID SGID Hardening Issues

This is a list of SUID/SGID programs which have their set-user-id bit and/or set-group-id bit removed.

To use the following programs you need to:

  • either use root rights, OR
  • restore SUID/SGID (undocumented)

Standard GNU/Linux utilities:

  • These tools are probably not used much nowadays on Linux desktop single user computers. If you need any of these, you are better off using root.
  • passwd (man page): change user password
  • chage (man page): change user password expiry information
  • expiry (man page): check and enforce password expiration policy
  • chfn (man page): change real user name and information
  • chsh (man page): change login shell
  • gpasswd (man page): administer /etc/group and /etc/gshadow
  • newgrp (man page): log in to a new group

Application related:

  • /usr/lib/kde4/libexec/fileshareset: dolphin
  • /usr/lib/openssh/ssh-keysign
  • ssh-agent
  • pppd (man page): Point-to-Point Protocol Daemon. Dial up modem only?

root rights related:

mount related:

  • mount
  • umount
  • mount.nfs
  • mount.cifs
  • ntfs-3g
  • /usr/lib/eject/dmcrypt-get-device

virtualization related:

  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic (Manage nics in another network namespace) Does Anbox need this?

namespace related:

  • newgidmap (man page): set the gid mapping of a user namespace
  • newuidmap (man page): set the uid mapping of a user namespace

crontab related:

  • You are better off editing any non-root user's crontab with root rights.
  • crontab (man page): manage users' crontab files
  • at (man page): execute commands at a specified time

local mail, mailspool, printing related:

  • Related to local mail and mailspool. Webmail and e-mail clients should be fine. These tools are probably not used much nowadays on Linux desktop single user computers.
  • dotlockfile (man page): utility to manage lockfiles
  • dotlock.mailutils (man page): lock mail spool files. Also related to printing?
  • exim4 (man page): Mail Transfer Agent
  • /usr/lib/evolution/camel-lock-helper-1.2: see this.

system local messaging:

  • Even more obscure than the above. Linux multi user systems could send each other local messages.
  • wall (man page): write a message to all users
  • write / bsd-write (man page): send a message to another user

Network Information Server (NIS):

  • unix_chkpwd (man page): helper binary that verifies the password of the current user. Related to Network Information Server (NIS)? See this discussion. Does not look important.

passwd

Running su results in (simplified) /usr/lib/security-misc/pam-abort-on-locked-password running passwd -S "$PAM_USER". This fails since SUID Disabler and Permission Hardener removes SUID from passwd by default, as mentioned above.

TODO: expand

Related: root

SUID SGID Troubleshooting

Syntax:

stat -c "%n %a %U %G" /path/to/filename

Example:

stat -c "%n %a %U %G" /usr/bin/sudo

Expected output.

/usr/bin/sudo 4755 root root

SUID Disabler and Permission Hardener Design

  • Some binaries like su, when SUID is removed, will pretend to work but then always give a permission denied error. Therefore, SUID Disabler and Permission Hardener removes SUID (s) / SGID (g) and the execute permission (x) for 'group' (g) and 'others' (o), similar to chmod u-s,g-s,og-x /path/to/filename. Removing the execute permission is useful to make binaries such as su fail closed rather than fail open once SUID has been removed from them. It does not remove the execute permission for the 'owner' (u); it does nothing similar to chmod u-x /path/to/filename.
  • SUID Disabler and Permission Hardener does not remove read access since there is no security benefit and it is easier to manually undo. Preventing read access to a binary can prevent an attacker from reverse engineering it and discovering vulnerabilities to exploit; however, the attacker could also simply read the source code of the binary since Whonix is comprised of Freedom Software. Even ignoring that, there are still ways to leak the contents of unreadable binaries. [7] Thus, this would be an incomplete and easily circumvented form of security through obscurity.
  • Are there SUID or SGID binaries which are still useful if they remain executable by anyone, including non-root users, after SUID/SGID has been removed from them? Yes. For example, the mount command.
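An added example, not security-misc's own code and not part of this wiki page, tying together the "folder nosuid" configuration lines from the Disabled Binaries and Libraries chapter, the exactwhitelist syntax from the whitelisting chapter, and the mode rule from the design bullets above: a dry-run scanner that lists the SUID/SGID files below a folder, reports the mode the tool would set (4755 or 2755 become 744, as in the printout) and honours whitelist entries, without changing anything. Assumed rather than taken from the page: a matchwhitelist keyword for substring matches (suggested by the matchwhite_list_entry log lines) and GNU find/stat as found on Debian. The demo tree it builds under mktemp consists of constructed empty files whose only relevant property is their mode.

```sh
#!/bin/sh
# Added example, not security-misc's own code: a dry-run re-implementation of
# what a "<folder> nosuid" configuration line means, combined with the mode
# rule from the Design chapter. It prints what it would do and modifies nothing.
# Assumed: keyword exactwhitelist (full path, from the page) and keyword
# matchwhitelist (substring, suggested by the 'matchwhite_list_entry' log lines);
# GNU find and GNU stat.

# hardened_mode OCTAL_MODE: drop the SUID/SGID/sticky digit, drop execute for
# group and others, keep the owner bits. 4755 -> 744, 2755 -> 744, 4754 -> 744.
hardened_mode() {
    perm=$(( 0$1 & 0777 ))                              # 04755 & 0777 = 0755
    printf '%o\n' $(( (perm & 0700) | (perm & 0066) )) # owner rwx, others r only
}

# whitelist_kind FILE SPEC: prints "exact", "match" or "none". SPEC holds
# config-style lines: "/full/path exactwhitelist" or "/fragment matchwhitelist".
whitelist_kind() {
    file=$1
    while read -r pattern kind; do
        if [ -z "$pattern" ]; then continue; fi
        if [ "$kind" = exactwhitelist ] && [ "$file" = "$pattern" ]; then
            echo exact; return 0
        fi
        if [ "$kind" = matchwhitelist ]; then
            case $file in *"$pattern"*) echo match; return 0 ;; esac
        fi
    done <<EOF
$2
EOF
    echo none
}

# scan_folder FOLDER SPEC: one report line per SUID/SGID file below FOLDER,
# sorted by path, in the spirit of the tool's INFO/run lines.
scan_folder() {
    folder=$1
    spec=$2
    find "$folder" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while read -r f; do
        mode=$(stat -c %a "$f")
        kind=$(whitelist_kind "$f" "$spec")
        if [ "$kind" = none ]; then
            printf 'harden %s %s -> %s\n' "$f" "$mode" "$(hardened_mode "$mode")"
        else
            printf 'skip %swhitelisted %s %s\n' "$kind" "$f" "$mode"
        fi
    done
}

# make_demo_tree: build a throwaway folder of constructed sample "binaries"
# (empty files; only their modes matter) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for name in su chage sudo fusermount ls; do : > "$d/bin/$name"; done
    chmod 4755 "$d/bin/su" "$d/bin/sudo" "$d/bin/fusermount"
    chmod 2755 "$d/bin/chage"
    chmod 0755 "$d/bin/ls"            # plain executable, must not be reported
    printf '%s\n' "$d"
}

main() {
    d=$(make_demo_tree)
    spec="$d/bin/sudo exactwhitelist
/fusermount matchwhitelist"
    scan_folder "$d/bin" "$spec"
    rm -rf "$d"
}

if [ "${1-}" = --demo ]; then main; fi
```

Run the script with --demo to see the report for the constructed tree; pointing scan_folder at a real folder such as /usr/bin with your own whitelist spec previews what a nosuid line would do there, which is a useful check before enabling the real tool.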

SUID Disabler and Permission Hardener Printout

This printout was added in November 2020. It might not be kept up to date. It is for illustrative purposes to document what SUID Disabler and Permission Hardener is actually doing.

When initially running SUID Disabler and Permission Hardener for the first time.

sudo /usr/lib/security-misc/permission-hardening

The printout will look like the following.

INFO: START parsing config_file: '/etc/permission-hardening.d/30_default.conf'
run: dpkg-statoverride --add --update root root 745 /bin/mount
run: dpkg-statoverride --add --update root root 745 /usr/bin/mount
run: dpkg-statoverride --add --update root root 0755 /home
run: dpkg-statoverride --add --update user user 0700 /home/user
run: dpkg-statoverride --add --update root root 0700 /root
run: dpkg-statoverride --add --update root root 0700 /boot
run: dpkg-statoverride --add --update root root 0600 /etc/permission-hardening.d
INFO: fso: '/usr/local/etc/permission-hardening.d' - does not exist. This is likely normal.
run: dpkg-statoverride --add --update root root 0700 /lib/modules
INFO:  set-group-id found - file_name: '/bin/expiry' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root shadow 744 /bin/expiry
INFO: set-user-id  found - file_name: '/bin/chfn' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/chfn
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/bin/fusermount' | existing_mode: '4755' | matchwhite_list_entry: '/fusermount'
INFO:  set-group-id found - file_name: '/bin/bsd-write' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root tty 744 /bin/bsd-write
INFO: set-user-id  found - file_name: '/bin/umount' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/umount
INFO: set-user-id  found - file_name: '/bin/gpasswd' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/gpasswd
INFO: set-user-id  found - file_name: '/bin/newgrp' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/newgrp
INFO: SKIP whitelisted - set-user-id  found - file_name: '/bin/bwrap' | existing_mode: '4755'
INFO:  set-group-id found - file_name: '/bin/chage' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root shadow 744 /bin/chage
INFO: set-user-id  found - file_name: '/bin/su' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/su
INFO: set-user-id  found - file_name: '/bin/pkexec' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/pkexec
INFO: SKIP whitelisted - set-user-id  found - file_name: '/bin/sudo' | existing_mode: '4755'
INFO: set-user-id  found - file_name: '/bin/passwd' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/passwd
INFO:  set-group-id found - file_name: '/bin/wall' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root tty 744 /bin/wall
INFO:  set-group-id found - file_name: '/bin/crontab' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root crontab 744 /bin/crontab
INFO: set-user-id  found - file_name: '/bin/chsh' | existing_mode: '4755' | new_mode: '744'
run: dpkg-statoverride --add --update root root 744 /bin/chsh
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/bin/fusermount' | existing_mode: '4755' | matchwhite_list_entry: '/fusermount'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/usr/bin/bwrap' | existing_mode: '4755'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/usr/bin/sudo' | existing_mode: '4755'
INFO:  set-group-id found - file_name: '/sbin/unix_chkpwd' | existing_mode: '2755' | new_mode: '744'
run: dpkg-statoverride --add --update root shadow 744 /sbin/unix_chkpwd
INFO: SKIP matchwhitelisted -  set-group-id found - file_name: '/lib/x86_64-linux-gnu/utempter/utempter' | existing_mode: '2755' | matchwhite_list_entry: '/utempter/utempter'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/dbus-1.0/dbus-daemon-launch-helper' | existing_mode: '4754' | matchwhite_list_entry: 'dbus-daemon-launch-helper'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/qubes/qfile-unpacker' | existing_mode: '4755' | matchwhite_list_entry: '/qubes/qfile-unpacker'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/policykit-1/polkit-agent-helper-1' | existing_mode: '4755' | matchwhite_list_entry: 'polkit-agent-helper-1'
INFO: SKIP matchwhitelisted -  set-group-id found - file_name: '/usr/lib/x86_64-linux-gnu/utempter/utempter' | existing_mode: '2755' | matchwhite_list_entry: '/utempter/utempter'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' | existing_mode: '4754' | matchwhite_list_entry: 'dbus-daemon-launch-helper'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/qubes/qfile-unpacker' | existing_mode: '4755' | matchwhite_list_entry: '/qubes/qfile-unpacker'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/policykit-1/polkit-agent-helper-1' | existing_mode: '4755' | matchwhite_list_entry: 'polkit-agent-helper-1'
INFO: fso: '/usr/local/lib32/' - does not exist. This is likely normal.
INFO: fso: '/usr/local/lib64/' - does not exist. This is likely normal.
INFO: END parsing config_file: '/etc/permission-hardening.d/30_default.conf'
INFO: START parsing config_file: '/etc/permission-hardening.d/30_ping.conf'
run: dpkg-statoverride --add --update root root 0755 /bin/ping
run: setcap -r /bin/ping
INFO: END parsing config_file: '/etc/permission-hardening.d/30_ping.conf'

SUID Disabler and Permission Hardener Log Analysis

Applied Permission Changes

Permission Hardening

run: dpkg-statoverride --add --update root root 0755 /home
run: dpkg-statoverride --add --update user user 0700 /home/user
run: dpkg-statoverride --add --update root root 0700 /root
run: dpkg-statoverride --add --update root root 0700 /boot
run: dpkg-statoverride --add --update root root 0600 /etc/permission-hardening.d
run: dpkg-statoverride --add --update root root 0700 /lib/modules

SUID Disabling

run: dpkg-statoverride --add --update root root 745 /bin/mount
run: dpkg-statoverride --add --update root root 745 /usr/bin/mount
run: dpkg-statoverride --add --update root shadow 744 /bin/expiry
run: dpkg-statoverride --add --update root root 744 /bin/chfn
run: dpkg-statoverride --add --update root tty 744 /bin/bsd-write
run: dpkg-statoverride --add --update root root 744 /bin/umount
run: dpkg-statoverride --add --update root root 744 /bin/gpasswd
run: dpkg-statoverride --add --update root root 744 /bin/newgrp
run: dpkg-statoverride --add --update root shadow 744 /bin/chage
run: dpkg-statoverride --add --update root root 744 /bin/su
run: dpkg-statoverride --add --update root root 744 /bin/pkexec
run: dpkg-statoverride --add --update root root 744 /bin/passwd
run: dpkg-statoverride --add --update root tty 744 /bin/wall
run: dpkg-statoverride --add --update root crontab 744 /bin/crontab
run: dpkg-statoverride --add --update root root 744 /bin/chsh
run: dpkg-statoverride --add --update root shadow 744 /sbin/unix_chkpwd
run: dpkg-statoverride --add --update root root 0755 /bin/ping

Capability Removal

run: setcap -r /bin/ping

Parsed Configuration Files

INFO: START parsing config_file: '/etc/permission-hardening.d/30_default.conf'
INFO: END parsing config_file: '/etc/permission-hardening.d/30_default.conf'
INFO: START parsing config_file: '/etc/permission-hardening.d/30_ping.conf'
INFO: END parsing config_file: '/etc/permission-hardening.d/30_ping.conf'

Whitelisted SUID Binaries

INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/bin/fusermount' | existing_mode: '4755' | matchwhite_list_entry: '/fusermount'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/bin/bwrap' | existing_mode: '4755'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/bin/sudo' | existing_mode: '4755'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/bin/fusermount' | existing_mode: '4755' | matchwhite_list_entry: '/fusermount'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/usr/bin/bwrap' | existing_mode: '4755'
INFO: SKIP whitelisted - set-user-id  found - file_name: '/usr/bin/sudo' | existing_mode: '4755'
INFO: SKIP matchwhitelisted -  set-group-id found - file_name: '/lib/x86_64-linux-gnu/utempter/utempter' | existing_mode: '2755' | matchwhite_list_entry: '/utempter/utempter'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/dbus-1.0/dbus-daemon-launch-helper' | existing_mode: '4754' | matchwhite_list_entry: 'dbus-daemon-launch-helper'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/qubes/qfile-unpacker' | existing_mode: '4755' | matchwhite_list_entry: '/qubes/qfile-unpacker'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/lib/policykit-1/polkit-agent-helper-1' | existing_mode: '4755' | matchwhite_list_entry: 'polkit-agent-helper-1'
INFO: SKIP matchwhitelisted -  set-group-id found - file_name: '/usr/lib/x86_64-linux-gnu/utempter/utempter' | existing_mode: '2755' | matchwhite_list_entry: '/utempter/utempter'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' | existing_mode: '4754' | matchwhite_list_entry: 'dbus-daemon-launch-helper'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/qubes/qfile-unpacker' | existing_mode: '4755' | matchwhite_list_entry: '/qubes/qfile-unpacker'
INFO: SKIP matchwhitelisted - set-user-id  found - file_name: '/usr/lib/policykit-1/polkit-agent-helper-1' | existing_mode: '4755' | matchwhite_list_entry: 'polkit-agent-helper-1'

Non-Existing Folders

INFO: fso: '/usr/local/etc/permission-hardening.d' - does not exist. This is likely normal.
INFO: fso: '/usr/local/lib32/' - does not exist. This is likely normal.
INFO: fso: '/usr/local/lib64/' - does not exist. This is likely normal.

Permission Hardener Issues

The following folders are only readable with root rights.

  • /boot
    • Issue: Breaks KVM direct kernel boot using kernel images located in /boot, i.e. using KVM to boot a kernel from the host disk located in the folder /boot will not be possible by default. The safest alternative would be to use another file location for the kernel images, or to use kernel images inside the VM.

Search for SUID SGID

After enabling SUID Disabler and Permission Hardener.

Search for SUID binaries.

sudo find / -perm -4000 -type f -executable

Ignore the following.

find: ‘/proc/5422/task/5422/fd/6’: No such file or directory
find: ‘/proc/5422/task/5422/fdinfo/6’: No such file or directory
find: ‘/proc/5422/fd/5’: No such file or directory
find: ‘/proc/5422/fdinfo/5’: No such file or directory

The following list shows only whitelisted SUID binaries.

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/qubes/qfile-unpacker
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/fusermount
/usr/bin/bwrap
/usr/bin/sudo

Search for SGID binaries.

sudo find / -perm -2000 -type f -executable

The following list shows only whitelisted SGID binaries.

/usr/lib/x86_64-linux-gnu/utempter/utempter

Debugging

To see what SUID Disabler and Permission Hardener is actually doing, run the following command. It is most informative when run right after initially enabling SUID Disabler and Permission Hardener.

sudo journalctl --no-pager -b -o cat -u permission-hardening

Future Work

  • Add a scan script for scanning folders where SUID binaries commonly reside, with an option to scan the whole disk.
  • Add an APT hook that scans folders where SUID binaries commonly reside after package installation and notifies the user when new SUID binaries were installed.

References



Whonix | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source
