-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #101 from madaidan/sudo
Restrict sudo's file permissions
- Loading branch information
Showing
1 changed file
with
19 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> | ||
## See the file COPYING for copying conditions. | ||
|
||
## Please use "/etc/permission-hardening.d/20_user.conf" or | ||
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom | ||
## configuration. When security-misc is updated, this file may be overwritten. | ||
|
||
## This restricts the file permissions of the sudo executable so that a vulnerability | ||
## in the program will not be exploitable by any users not in the "sudo" group. sudo | ||
## is a very complex program and is setuid so vulnerabilities in it can allow privilege | ||
## escalation, regardless of other root access restrictions. For example, the following | ||
## buffer overflow vulnerability could have been exploited by any user on the system: | ||
## https://www.openwall.com/lists/oss-security/2021/01/26/3 | ||
## With this restriction, only users explicitly permitted to use sudo by being added to | ||
## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a | ||
## compromised network-facing daemon (such as web servers, time synchronization daemons, | ||
## etc.) running as its own user from exploiting sudo to escalate privileges. | ||
/usr/bin/sudo 4750 root sudo | ||
/bin/sudo 4750 root sudo |