Stable Features[edit]

Described here ^[archive].

Testing Features[edit]

Restrict Hardware Information to Root[edit]

See Restrict Hardware Information to Root.

https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 ^[archive]

Experimental Features[edit]

Unreleased. (Developers only.) Will flow into other repositories as per usual.

SUID Disabling and Permission Hardening[edit]

Introduction[edit]

• default config file ^[archive]
• /usr/lib/security-misc/permission-hardening ^[archive].
• /usr/lib/security-misc/permission-hardening-undo ^[archive].
• systemd unit file ^[archive]

Enable[edit]

Only required doing once.

Enable systemd unit.

sudo systemctl enable permission-hardening.service

Start systemd unit.

sudo systemctl start permission-hardening.service

Debugging[edit]

Look what permission-hardening is actually doing. Most interesting during initial installation of security-misc.

sudo journalctl --no-pager -b -o cat -u permission-hardening

/var/lib/permission-hardening/existing_mode/statoverride records modes before changing them using permission hardening.

cat /var/lib/permission-hardening/existing_mode/statoverride

/var/lib/permission-hardening/new_mode/statoverride now records modes that were changed by permission hardening.

cat /var/lib/permission-hardening/new_mode/statoverride

To view previous modes and how these were changed (replace meld with your favorite diff viewer):

meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride

Removal[edit]

Undo all changes. The following command is is only efficient until upgrade of package security-misc or reboot. To disable entirely the subsequent systemctl commands are required as well.

sudo /usr/lib/security-misc/permission-hardening-undo

Stop systemd unit.

sudo systemctl stop permission-hardening.service

Mask systemd unit.

sudo systemctl mask permission-hardening.service

SUID SGID Hardening Issues[edit]

This is a list of SUID / SGID programs which have their set-user-id bit and/or set-group-id bit removed.

To use the following programs you need to:

• either use root rights, OR
• restore SUID / SGID (undocumented)

Standard GNU/Linux utilities:

• These tools probably are used much nowadays on Linux desktop single user computers. If you need any of this, you are better off using root.
• passwd man ^[archive] (change user password)
• chage man ^[archive] (change user password expiry information)
• expiry man ^[archive] (check and enforce password expiration policy)
• chfn man ^[archive] (change real user name and information)
• chsh man ^[archive] (change login shell)
• gpasswd man ^[archive] (administer /etc/group and /etc/gshadow)
• newgrp man ^[archive] (log in to a new group)

applications related:

• /usr/lib/kde4/libexec/fileshareset: dolphin
• /usr/lib/openssh/ssh-keysign
• ssh-agent
• pppd man ^[archive] (Point-to-Point Protocol Daemon) Dial up modem only?

root rights related:

• su: substitute user. See also documentation about su
• pkexec some issues unrelated to SUID ^[archive]
• /usr/lib/kde4/libexec/kdesud

mount related:

• mount
• umount
• fusermount
• mount.nfs
• mount.cifs
• ntfs-3g
• /usr/lib/eject/dmcrypt-get-device

virtualization related:

• /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic (Manage nics in another network namespace) Does Anbox need this?

namespace related:

• newgidmap man ^[archive] (set the gid mapping of a user namespace)
• newuidmap man ^[archive] (set the uid mapping of a user namespace)

crontab related:

• You are better off editing any non-root user's crontab with root rights.
• crontab man ^[archive] (Manage users crontab files)
• at man ^[archive] (executes commands at a specified time)

local mail, mailspool, printing related:

• Related to local mail, mailspool. Webmail and e-mail clients should be fine. These tools probably are used much nowadays on Linux desktop single user computers.
• dotlockfile man ^[archive] (Utility to manage lockfiles)
• dotlock.mailutils man ^[archive] (lock mail spool files) Also related to printing?
• exim4 man ^[archive] (Mail Transfer Agent)
• /usr/lib/evolution/camel-lock-helper-1.2 See this ^[archive].

system local messaging:

• Even more obscure than above. Linux multi user systems could send each other local messages.
• wall man ^[archive] (write a message to all users)
• write / bsd-write man ^[archive] (send a message to another user)

Network Information Server (NIS):

• unix_chkpwd man ^[archive] (Helper binary that verifies the password of the current user) Related to Network Information Server (NIS)? See this discussion ^[archive]. Does not look important.

Permission Hardening Issues[edit]

The following folders are only readable with root rights.

• /boot: breaks KVM direct kernel boot using kernel images located in /boot. I.e. when using KVM to boot a kernel from the host disk located in /boot this will not be possible by default. The safest alternative would be using another file location for kernel images or inside VM kernel images.

Console Lockdown[edit]

TODO: document

Will be default in Whonix ™ build version 15.0.0.7.8 and above. Unreleased.

Using pam_access.

• https://github.com/Whonix/security-misc/blob/master/etc/security/access-security-misc.conf ^[archive]
• https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/console-lockdown-security-misc ^[archive]

To enable for older builds of Whonix ™.

Add user user to group console.

sudo adduser user console

Enable pam console lockdown.

sudo pam-auth-update --enable console-lockdown-security-misc

Remount Secure[edit]

Feature not ready!

• https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/27 ^[archive]
• https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service ^[archive]
• https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure ^[archive]

sudo touch /etc/noexec

References[edit]

Follow:

Donate:

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee ^[archive] of the Open Invention Network ^[archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian ^[archive]. Debian is a registered trademark ^[archive] owned by Software in the Public Interest, Inc ^[archive].

Whonix ™ is produced independently from the Tor® ^[archive] anonymity software and carries no guarantee from The Tor Project ^[archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.