- 1 Stable Features
- 2 Testing Features
- 3 Experimental Features
- 4 install
- 5 References
Restrict Hardware Information to Root
Unreleased. (Developers only.) Will flow into other repositories as per usual.
SUID Disabling and Permission Hardening
- default config file [archive]
- systemd unit file [archive]
Only required doing once.
Enable systemd unit.
sudo systemctl enable permission-hardening.service
Start systemd unit.
sudo systemctl start permission-hardening.service
Look what permission-hardening is actually doing. Most interesting during initial installation of security-misc.
sudo journalctl --no-pager -b -o cat -u permission-hardening
/var/lib/permission-hardening/existing_mode/statoverride records modes before changing them using permission hardening.
/var/lib/permission-hardening/new_mode/statoverride now records modes that were changed by permission hardening.
To view previous modes and how these were changed (replace
meld with your favorite
meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
Undo all changes. The following command is is only efficient until upgrade of package security-misc or reboot. To disable entirely the subsequent systemctl commands are required as well.
Stop systemd unit.
sudo systemctl stop permission-hardening.service
Mask systemd unit.
sudo systemctl mask permission-hardening.service
SUID SGID Hardening Issues
This is a list of SUID / SGID programs which have their
set-user-id bit and/or
set-group-id bit removed.
To use the following programs you need to:
- either use root rights, OR
- restore SUID / SGID (undocumented)
Standard GNU/Linux utilities:
- These tools probably are used much nowadays on Linux desktop single user computers. If you need any of this, you are better off using root.
passwdman [archive] (change user password)
chageman [archive] (change user password expiry information)
expiryman [archive] (check and enforce password expiration policy)
chfnman [archive] (change real user name and information)
chshman [archive] (change login shell)
gpasswdman [archive] (administer
newgrpman [archive] (log in to a new group)
pppdman [archive] (Point-to-Point Protocol Daemon) Dial up modem only?
root rights related:
su: substitute user. See also documentation about
pkexecsome issues unrelated to SUID [archive]
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic(Manage nics in another network namespace) Does Anbox need this?
newgidmapman [archive] (set the gid mapping of a user namespace)
newuidmapman [archive] (set the uid mapping of a user namespace)
- You are better off editing any non-root user's crontab with root rights.
crontabman [archive] (Manage users crontab files)
atman [archive] (executes commands at a specified time)
local mail, mailspool, printing related:
- Related to local mail, mailspool. Webmail and e-mail clients should be fine. These tools probably are used much nowadays on Linux desktop single user computers.
dotlockfileman [archive] (Utility to manage lockfiles)
dotlock.mailutilsman [archive] (lock mail spool files) Also related to printing?
exim4man [archive] (Mail Transfer Agent)
/usr/lib/evolution/camel-lock-helper-1.2See this [archive].
system local messaging:
- Even more obscure than above. Linux multi user systems could send each other local messages.
wallman [archive] (write a message to all users)
bsd-writeman [archive] (send a message to another user)
Network Information Server (
unix_chkpwdman [archive] (Helper binary that verifies the password of the current user) Related to
Network Information Server(
NIS)? See this discussion [archive]. Does not look important.
Permission Hardening Issues
The following folders are only readable with root rights.
/boot: breaks KVM direct kernel boot using kernel images located in
/boot. I.e. when using KVM to boot a kernel from the host disk located in
/bootthis will not be possible by default. The safest alternative would be using another file location for kernel images or inside VM kernel images.
Will be default in Whonix ™ build version
220.127.116.11.8 and above. Unreleased.
- https://github.com/Whonix/security-misc/blob/master/etc/security/access-security-misc.conf [archive]
- https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/console-lockdown-security-misc [archive]
To enable for older builds of Whonix ™.
user to group
sudo adduser user console
Enable pam console lockdown.
sudo pam-auth-update --enable console-lockdown-security-misc
Feature not ready!
- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/27 [archive]
- https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service [archive]
- https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure [archive]
sudo touch /etc/noexec
This chapter is only required for users which aren't users of Whonix or Kicksecure. That is because security-misc is installed by default in Whonix and Kicksecure.
- User account
Become root. 
Install sudo and adduser.
The following commands need to be run either by root or use
addgroup --system console
user to group
adduser user console
user to group
adduser user sudo
- One way or another.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)