
Security-misc

From Whonix


Stable Features[edit]

Described here [archive].

Testing Features[edit]

Restrict Hardware Information to Root[edit]

See Restrict Hardware Information to Root.

https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 [archive]

Experimental Features[edit]

Unreleased. (Developers only.) These features will flow into the other repositories as usual.

SUID Disabling and Permission Hardening[edit]

Introduction[edit]

Enable[edit]

This only needs to be done once.

Enable systemd unit.

sudo systemctl enable permission-hardening.service

Start systemd unit.

sudo systemctl start permission-hardening.service

Debugging[edit]

Show what permission-hardening is actually doing. This is most interesting during the initial installation of security-misc.

sudo journalctl --no-pager -b -o cat -u permission-hardening

/var/lib/permission-hardening/existing_mode/statoverride records modes before changing them using permission hardening.

cat /var/lib/permission-hardening/existing_mode/statoverride

/var/lib/permission-hardening/new_mode/statoverride now records modes that were changed by permission hardening.

cat /var/lib/permission-hardening/new_mode/statoverride

To view previous modes and how these were changed (replace meld with your favorite diff viewer):

meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
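The before/after comparison above can also be scripted. The following is an added example (not part of security-misc) that assumes the two statoverride files use the dpkg-statoverride list format (`<user> <group> <mode> <path>` per line); it reports each path whose mode changed and which special bits were dropped, and runs on constructed sample data when called without arguments:

```shell
#!/bin/sh
# Added example, not part of security-misc: compares two files in
# dpkg-statoverride list format ("<user> <group> <mode> <path>" per line,
# assumed to be the format of the existing_mode/new_mode statoverride files)
# and reports each path whose mode changed and which special bits were dropped.
report_mode_changes() {
    awk '
        # First file: remember the original mode of each path.
        NR == FNR { oldmode[$4] = $3; next }
        # Second file: report paths whose mode differs from the original.
        ($4 in oldmode) && oldmode[$4] != $3 {
            o = oldmode[$4]; n = $3
            # In a 4-digit octal mode the leading digit holds setuid(4)/setgid(2)/sticky(1).
            ob = (length(o) == 4) ? substr(o, 1, 1) + 0 : 0
            nb = (length(n) == 4) ? substr(n, 1, 1) + 0 : 0
            note = ""
            if (int(ob / 4) % 2 && !(int(nb / 4) % 2)) note = "setuid-removed"
            if (int(ob / 2) % 2 && !(int(nb / 2) % 2))
                note = note (note != "" ? "," : "") "setgid-removed"
            if (note == "") note = "other-change"
            print $4, o "->" n, note
        }
    ' "$1" "$2" | sort
}

# Runs the comparison on constructed sample data (not taken from a real system).
demo() {
    tmp="$(mktemp -d)"
    cat >"$tmp/existing" <<'EOF'
root root 4755 /usr/bin/passwd
root shadow 2755 /usr/bin/expiry
root root 4755 /usr/bin/mount
root root 4711 /usr/lib/openssh/ssh-keysign
root root 6755 /usr/local/bin/constructed-tool
EOF
    cat >"$tmp/new" <<'EOF'
root root 755 /usr/bin/passwd
root shadow 755 /usr/bin/expiry
root root 755 /usr/bin/mount
root root 711 /usr/lib/openssh/ssh-keysign
root root 755 /usr/local/bin/constructed-tool
EOF
    report_mode_changes "$tmp/existing" "$tmp/new"
    rm -rf "$tmp"
}

# Real use: report_mode_changes /var/lib/permission-hardening/existing_mode/statoverride \
#                               /var/lib/permission-hardening/new_mode/statoverride
demo
```

An entry such as `6755->755 setuid-removed,setgid-removed` shows both special bits were dropped while the ordinary permission bits were left alone.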

Removal[edit]

Undo all changes. The following command is only effective until the security-misc package is upgraded or the system is rebooted. To disable the feature entirely, the subsequent systemctl commands are required as well.

sudo /usr/lib/security-misc/permission-hardening-undo

Stop systemd unit.

sudo systemctl stop permission-hardening.service

Mask systemd unit.

sudo systemctl mask permission-hardening.service

SUID SGID Hardening Issues[edit]

This is a list of SUID / SGID programs which have their set-user-id bit and/or set-group-id bit removed.

To use the following programs you need to:

  • either use root rights, OR
  • restore SUID / SGID (undocumented)

Standard GNU/Linux utilities:

  • These tools probably are not used much nowadays on Linux desktop single user computers. If you need any of this, you are better off using root.
  • passwd man [archive] (change user password)
  • chage man [archive] (change user password expiry information)
  • expiry man [archive] (check and enforce password expiration policy)
  • chfn man [archive] (change real user name and information)
  • chsh man [archive] (change login shell)
  • gpasswd man [archive] (administer /etc/group and /etc/gshadow)
  • newgrp man [archive] (log in to a new group)

applications related:

  • /usr/lib/kde4/libexec/fileshareset: dolphin
  • /usr/lib/openssh/ssh-keysign
  • ssh-agent
  • pppd man [archive] (Point-to-Point Protocol Daemon) Dial up modem only?

root rights related:

mount related:

  • mount
  • umount
  • fusermount
  • mount.nfs
  • mount.cifs
  • ntfs-3g
  • /usr/lib/eject/dmcrypt-get-device

virtualization related:

  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic (Manage nics in another network namespace) Does Anbox need this?

namespace related:

  • newgidmap man [archive] (set the gid mapping of a user namespace)
  • newuidmap man [archive] (set the uid mapping of a user namespace)

crontab related:

  • You are better off editing any non-root user's crontab with root rights.
  • crontab man [archive] (manage users' crontab files)
  • at man [archive] (executes commands at a specified time)

local mail, mailspool, printing related:

  • Related to local mail and the mail spool. Webmail and e-mail clients should be fine. These tools probably are not used much nowadays on Linux desktop single user computers.
  • dotlockfile man [archive] (Utility to manage lockfiles)
  • dotlock.mailutils man [archive] (lock mail spool files) Also related to printing?
  • exim4 man [archive] (Mail Transfer Agent)
  • /usr/lib/evolution/camel-lock-helper-1.2 See this [archive].

system local messaging:

  • Even more obscure than above. Linux multi user systems could send each other local messages.
  • wall man [archive] (write a message to all users)
  • write / bsd-write man [archive] (send a message to another user)

Network Information Server (NIS):

  • unix_chkpwd man [archive] (Helper binary that verifies the password of the current user) Related to Network Information Server (NIS)? See this discussion [archive]. Does not look important.

Permission Hardening Issues[edit]

The following folders are only readable with root rights.

  • /boot: breaks KVM direct kernel boot using kernel images located in /boot, i.e. booting a VM from a kernel stored in the host's /boot will not work by default. The safest alternatives are storing the kernel images in another location or using kernel images inside the VM.

Console Lockdown[edit]

TODO: document

Will be default in Whonix ™ build version 15.0.0.7.8 and above. Unreleased.

Implemented using pam_access.

To enable it on older builds of Whonix ™:

Add user user to group console.

sudo adduser user console

Enable pam console lockdown.

sudo pam-auth-update --enable console-lockdown-security-misc

Remount Secure[edit]

Feature not ready!

sudo touch /etc/noexec



Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
