
Security-misc

From Whonix


Stable Features

Described here [archive].

Testing Features

Restrict Hardware Information to Root

See Restrict Hardware Information to Root.

https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 [archive]

Experimental Features

Unreleased. (Developers only.) Will flow into other repositories as per usual.

SUID Disabling and Permission Hardening

Introduction

Enable

This only needs to be done once.

Enable systemd unit.

sudo systemctl enable permission-hardening.service

Start systemd unit.

sudo systemctl start permission-hardening.service

Debugging

Inspect what permission-hardening is actually doing. This is most useful during the initial installation of security-misc.

sudo journalctl --no-pager -b -o cat -u permission-hardening

/var/lib/permission-hardening/existing_mode/statoverride records the file modes as they were before permission hardening changed them.

cat /var/lib/permission-hardening/existing_mode/statoverride

/var/lib/permission-hardening/new_mode/statoverride records the file modes after permission hardening changed them.

cat /var/lib/permission-hardening/new_mode/statoverride

To compare the previous modes with the changed ones (replace meld with your favorite diff viewer):

meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
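As an added example (not part of security-misc or this page), the following POSIX shell script compares the two statoverride snapshots and reports, per path, which setuid or setgid bits permission hardening removed. The snapshot contents are constructed here, and the dpkg-statoverride line format "<user> <group> <mode> <path>" is an assumption about the files:

```shell
# Added example, not security-misc's own code: compare the two statoverride
# snapshots that permission-hardening writes and report which recorded modes
# changed and whether a setuid or setgid bit was removed. It assumes the
# dpkg-statoverride line format "<user> <group> <mode> <path>" in both files.

# Constructed sample snapshots standing in for the real files under
# /var/lib/permission-hardening/{existing_mode,new_mode}/statoverride.
EXISTING_MODE='root root 4755 /usr/bin/passwd
root shadow 2755 /usr/bin/chage
root root 4755 /usr/bin/sudo
root tty 2755 /usr/bin/wall'
NEW_MODE='root root 755 /usr/bin/passwd
root shadow 755 /usr/bin/chage
root root 4755 /usr/bin/sudo
root tty 755 /usr/bin/wall'

# Return the special (setuid/setgid/sticky) octal digit of a mode such as
# "4755" or "755", zero-padded so that a three-digit mode yields 0.
special_digit() {
  printf '%04d' "$1" | cut -c1
}

# Print "<path> <old> -> <new>[ setuid-removed][ setgid-removed]" for every
# path whose mode differs between the old and the new snapshot (paths that
# only appear in the new snapshot are not reported).
report_mode_changes() {
  old="$1"; new="$2"
  printf '%s\n' "$old" | while read -r _user _group omode opath; do
    [ -n "$opath" ] || continue
    nmode=$(printf '%s\n' "$new" | awk -v p="$opath" '$4 == p { print $3 }')
    [ -n "$nmode" ] && [ "$nmode" != "$omode" ] || continue
    ospec=$(special_digit "$omode"); nspec=$(special_digit "$nmode")
    flags=""
    # Bit 4 of the special digit is setuid, bit 2 is setgid.
    [ $(( ospec & 4 )) -ne 0 ] && [ $(( nspec & 4 )) -eq 0 ] && flags="$flags setuid-removed"
    [ $(( ospec & 2 )) -ne 0 ] && [ $(( nspec & 2 )) -eq 0 ] && flags="$flags setgid-removed"
    printf '%s %s -> %s%s\n' "$opath" "$omode" "$nmode" "$flags"
  done
}

report_mode_changes "$EXISTING_MODE" "$NEW_MODE"
```

On a real system, pass the contents of the two statoverride files instead of the constructed samples.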

Removal

Undo all changes. The following command is only effective until the next upgrade of the security-misc package or the next reboot. To disable the feature entirely, the subsequent systemctl commands are required as well.

sudo /usr/lib/security-misc/permission-hardening-undo

Stop systemd unit.

sudo systemctl stop permission-hardening.service

Mask systemd unit.

sudo systemctl mask permission-hardening.service

SUID SGID Hardening Issues

This is a list of SUID / SGID programs which have their set-user-id bit and/or set-group-id bit removed.

To use the following programs you need to:

  • either use root rights, OR
  • restore SUID / SGID (undocumented)

Standard GNU/Linux utilities:

  • These tools are probably not used much nowadays on single-user Linux desktop computers. If you need any of them, you are better off using root.
  • passwd man [archive] (change user password)
  • chage man [archive] (change user password expiry information)
  • expiry man [archive] (check and enforce password expiration policy)
  • chfn man [archive] (change real user name and information)
  • chsh man [archive] (change login shell)
  • gpasswd man [archive] (administer /etc/group and /etc/gshadow)
  • newgrp man [archive] (log in to a new group)

Application related:

  • /usr/lib/kde4/libexec/fileshareset: dolphin
  • /usr/lib/openssh/ssh-keysign
  • ssh-agent
  • pppd man [archive] (Point-to-Point Protocol Daemon) Dial up modem only?

root rights related:

mount related:

  • mount
  • umount
  • fusermount
  • mount.nfs
  • mount.cifs
  • ntfs-3g
  • /usr/lib/eject/dmcrypt-get-device

virtualization related:

  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic (Manage nics in another network namespace) Does Anbox need this?

namespace related:

  • newgidmap man [archive] (set the gid mapping of a user namespace)
  • newuidmap man [archive] (set the uid mapping of a user namespace)

crontab related:

  • You are better off editing any non-root user's crontab with root rights.
  • crontab man [archive] (manage users' crontab files)
  • at man [archive] (executes commands at a specified time)

local mail, mailspool, printing related:

  • Related to local mail and the mail spool. Webmail and e-mail clients should be fine. These tools are probably not used much nowadays on single-user Linux desktop computers.
  • dotlockfile man [archive] (Utility to manage lockfiles)
  • dotlock.mailutils man [archive] (lock mail spool files) Also related to printing?
  • exim4 man [archive] (Mail Transfer Agent)
  • /usr/lib/evolution/camel-lock-helper-1.2 See this [archive].

system local messaging:

  • Even more obscure than above. Linux multi user systems could send each other local messages.
  • wall man [archive] (write a message to all users)
  • write / bsd-write man [archive] (send a message to another user)

Network Information Server (NIS):

  • unix_chkpwd man [archive] (Helper binary that verifies the password of the current user) Related to Network Information Server (NIS)? See this discussion [archive]. Does not look important.

Permission Hardening Issues

The following folders are only readable with root rights.

  • /boot: breaks KVM direct kernel boot using kernel images located in /boot, i.e. using KVM to boot a VM with a kernel image taken from the host's /boot is no longer possible by default. The safest alternative is to keep kernel images at another location or inside the VM.

Console Lockdown

TODO: document

Will be default in Whonix ™ build version 15.0.0.7.8 and above. Unreleased.

Implemented using pam_access.

To enable it on older builds of Whonix ™:

Add user user to group console.

sudo adduser user console

Enable pam console lockdown.

sudo pam-auth-update --enable console-lockdown-security-misc

Remount Secure

Feature not ready!

sudo touch /etc/noexec

Install

This chapter is only required for users who are not using Whonix or Kicksecure, because security-misc is installed by default in Whonix and Kicksecure.

Prerequisites:

  • Debian buster installed.
  • User account user exists.

Become root. [1]

su

Install sudo and adduser.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the sudo and adduser packages.

sudo apt-get install sudo adduser

The installation of sudo and adduser is complete.

The following commands need to be run either as root or with sudo.

Create group console.

addgroup --system console

Add user user to group console.

adduser user console

Add user user to group sudo.

adduser user sudo

Reboot.

reboot

Add Whonix ™ Repository.

Choose either Option A, Option B, or Option C.

Option A: Add Whonix ™ Onion Repository.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Option B: Add Whonix ™ Clearnet Repository over Tor.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb tor+https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Option C: Add Whonix Clearnet Repository over clearnet.

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was buster.

echo "deb https://deb.Whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Install security-misc.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the security-misc package.

sudo apt-get install security-misc

The procedure of installing security-misc is complete.

References

  1. One way or another.
