Security-misc
From Whonix
Stable Features[edit]
Testing Features[edit]
Restrict Hardware Information to Root[edit]
See Restrict Hardware Information to Root.
https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 [archive]
Experimental Features[edit]
Unreleased. (Developers only.) Will flow into other repositories as per usual.
SUID Disabling and Permission Hardening[edit]
Introduction[edit]
- default config file [archive]
/usr/lib/security-misc/permission-hardening[archive]./usr/lib/security-misc/permission-hardening-undo[archive].- systemd unit file [archive]
Enable[edit]
Only required doing once.
Enable systemd unit.
sudo systemctl enable permission-hardening.service
Start systemd unit.
sudo systemctl start permission-hardening.service
Debugging[edit]
Look what permission-hardening is actually doing. Most interesting during initial installation of security-misc.
sudo journalctl --no-pager -b -o cat -u permission-hardening
/var/lib/permission-hardening/existing_mode/statoverride records modes before changing them using permission hardening.
cat /var/lib/permission-hardening/existing_mode/statoverride
/var/lib/permission-hardening/new_mode/statoverride now records modes that were changed by permission hardening.
cat /var/lib/permission-hardening/new_mode/statoverride
To view previous modes and how these were changed (replace meld with your favorite diff viewer):
meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
Removal[edit]
Undo all changes. The following command is is only efficient until upgrade of package security-misc or reboot. To disable entirely the subsequent systemctl commands are required as well.
sudo /usr/lib/security-misc/permission-hardening-undo
Stop systemd unit.
sudo systemctl stop permission-hardening.service
Mask systemd unit.
sudo systemctl mask permission-hardening.service
SUID SGID Hardening Issues[edit]
This is a list of SUID / SGID programs which have their set-user-id bit and/or set-group-id bit removed.
To use the following programs you need to:
- either use root rights, OR
- restore SUID / SGID (undocumented)
Standard GNU/Linux utilities:
- These tools probably are used much nowadays on Linux desktop single user computers. If you need any of this, you are better off using root.
passwdman [archive] (change user password)chageman [archive] (change user password expiry information)expiryman [archive] (check and enforce password expiration policy)chfnman [archive] (change real user name and information)chshman [archive] (change login shell)gpasswdman [archive] (administer/etc/groupand/etc/gshadow)newgrpman [archive] (log in to a new group)
applications related:
/usr/lib/kde4/libexec/fileshareset: dolphin/usr/lib/openssh/ssh-keysignssh-agentpppdman [archive] (Point-to-Point Protocol Daemon) Dial up modem only?
root rights related:
su: substitute user. See also documentation aboutsupkexecsome issues unrelated to SUID [archive]/usr/lib/kde4/libexec/kdesud
mount related:
mountumountfusermountmount.nfsmount.cifsntfs-3g/usr/lib/eject/dmcrypt-get-device
virtualization related:
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic(Manage nics in another network namespace) Does Anbox need this?
namespace related:
newgidmapman [archive] (set the gid mapping of a user namespace)newuidmapman [archive] (set the uid mapping of a user namespace)
crontab related:
- You are better off editing any non-root user's crontab with root rights.
crontabman [archive] (Manage users crontab files)atman [archive] (executes commands at a specified time)
local mail, mailspool, printing related:
- Related to local mail, mailspool. Webmail and e-mail clients should be fine. These tools probably are used much nowadays on Linux desktop single user computers.
dotlockfileman [archive] (Utility to manage lockfiles)dotlock.mailutilsman [archive] (lock mail spool files) Also related to printing?exim4man [archive] (Mail Transfer Agent)/usr/lib/evolution/camel-lock-helper-1.2See this [archive].
system local messaging:
- Even more obscure than above. Linux multi user systems could send each other local messages.
wallman [archive] (write a message to all users)write/bsd-writeman [archive] (send a message to another user)
Network Information Server (NIS):
unix_chkpwdman [archive] (Helper binary that verifies the password of the current user) Related toNetwork Information Server(NIS)? See this discussion [archive]. Does not look important.
Permission Hardening Issues[edit]
The following folders are only readable with root rights.
/boot: breaks KVM direct kernel boot using kernel images located in/boot. I.e. when using KVM to boot a kernel from the host disk located in/bootthis will not be possible by default. The safest alternative would be using another file location for kernel images or inside VM kernel images.
Console Lockdown[edit]
TODO: document
Will be default in Whonix ™ build version 15.0.0.7.8 and above. Unreleased.
Using pam_access.
- https://github.com/Whonix/security-misc/blob/master/etc/security/access-security-misc.conf [archive]
- https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/console-lockdown-security-misc [archive]
To enable for older builds of Whonix ™.
Add user user to group console.
sudo adduser user console
Enable pam console lockdown.
sudo pam-auth-update --enable console-lockdown-security-misc
Remount Secure[edit]
Feature not ready!
- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/27 [archive]
- https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service [archive]
- https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure [archive]
sudo touch /etc/noexec
install[edit]
This chapter is only required for users which aren't users of Whonix or Kicksecure. That is because security-misc is installed by default in Whonix and Kicksecure.
Prerequisites:
- Debian
busterinstalled. - User account
userexists. - Package
sudoinstalled. - Package
adduserinstalled. - User
useradded to groupsudo.
Create group console.
addgroup --system console
Add user user to group console.
adduser user console
Add user user to group sudo.
adduser user sudo
Reboot.
reboot
Add Whonix ™ Repository.
Choose either, Option A, Option B, OR Option C.
Option A: Add Whonix ™ Onion Repository.
To add Whonix ™ Repository over Onion please press on expand on the right.
Install apt-transport-tor from the Debian repository.
sudo apt-get install apt-transport-tor
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Option B: Add Whonix ™ Clearnet Repository over Tor.
To add Whonix ™ Repository over torified clearnet please press on expand on the right.
Install apt-transport-tor from the Debian repository.
sudo apt-get install apt-transport-tor
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb tor+https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Option C: Add Whonix Clearnet Repository over clearnet.
To add Whonix ™ Repository over clearnet please press on expand on the right.
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.
echo "deb https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Install security-misc.
Install security-misc.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the security-misc package.
sudo apt-get install security-misc
The procedure of installing security-misc is complete.
References[edit]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier
Please contribute [archive] by helping to answer Whonix questions [archive].
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.