Protect /bin/mount from 'chmod -x'.

/bin/mount exactwhitelist /usr/bin/mount exactwhitelist Remove SUID from 'mount' but keep executable. /bin/mount 745 root root /usr/bin/mount 745 root root https://forums.whonix.org/t/disable-suid-binaries/7706/61
Kicksecure · Dec 30, 2019 · f3ff32d · f3ff32d
1 parent e4e9c4e
commit f3ff32d
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
@@ -41,6 +41,12 @@
 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
 /usr/lib/chromium/chrome-sandbox exactwhitelist
 
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
@@ -92,6 +98,11 @@ dbus-daemon-launch-helper matchwhitelist
 # Permission Hardening
 ######################################################################
 
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
+
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root