New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hardening file permissions #132
Comments
Isn't SDPH very suitable because it already has the required infrastructure for enabling/disabling compiler lock, interpreter lock? Enabling/disabling the various functionalities could be governed through
The mentioned settings folder already contains such a whitelist.
I don't see apparmor-profiles-everything going anywhere anytime soon as the former contributor is no longer active. It had unresolved issues that nobody knew how to fix. So I don't think this is a realistic solution. Interesting.
It needs to be configurable so one can user compilers, interpreters even without uninstalling security-misc. |
We are already mounting most anything with nosuid. The only place left for a suid binary is under /usr where the user explicitly has to install programs with apt. Then this is a risk the user is willing to take. The suid bit in these programs serve a purpose mostly. To protect from suid privilege escalation exploits, the option would be checking if there is an apparmor profile being enforced for the suid binaries. This is a more robust solution. For example, I see that the anon-apps-config removes the suid bit from /bin/ping. Debian already ships ping with a dedicated profile, that is already enforced:
With this profile, having the capability to set uid would not be something much exploitable. The binary can not the anything at all almost, it just gets the ping.
This makes it so that running compilers require privilege. That is, one would have to And also, what exactly is the point in having a service run? We can just add a hook for boot and a post invoke hook for apt. |
If you search for SUID, SGID there is already a lot going on. And a lot of SUID, SGID are really non-essential in context of Kicksecure or single users systems, which are most systems nowadays.
Yes but some are from a different time period. Or look at this list. passwd, chage, expiry, ... these as the wiki opinionates:
I am not looking forward to write, maintain, debug apparmor profiles for very little used tools such as passwd, chage, expiry, etc. which are better run as root / with sudo.
Not sure more robust. It's much harder to maintain AppArmor profiles. I spend a few days today trying to harden the Tor Browser apparmor profile and still not sure everything is functional including its internal updater.
nosuid is even more secure than AppArmor.
Relying on the security of AppArmor when not needed. Counter to the advice by security researcher Solar Designer, quote QubesOS/qubes-issues#2695
Not great. Better to re-enable compiler access than running compilers with root. Because that leads to follow-up issues.
Depends what you mean by a service. In context of systemd, a service an be a simple APT post invoke hooks, can, should be used sparingly. These aren't used much. And not needed here. It's already implemented though a systemd |
Hmm, I see. Yes it makes sense. For compilers too. A shell script under /usr/bin like |
Then I have to ask: why is the service disabled by default? Any bugs? Do we have any problems or some missing functionality? If thats the case I will have a look at it. Else I can just create a pull with my extended new stuff for the config file. |
issue with SUID Disabler: Sometimes a Qubes VM does not start up. issue references:
Yeah. That one blocked the progression into enabling this by default. That could use some help... Any idea? Good that you asked. Now I am looking at the issue with a fresh mind and new ideas. Does some disabled SUID that Qubes (indirectly through a chain) somehow requires slow up the Qubes Template or App Qubes boot process? Or is there nothing wrong with the script itself, with the SUIDs its disabling and simply the execution sometimes takes too long on slow computers so the Qubes boot process times out. No other known bugs or missing functionality. PR with extended functionality would be appreciated. |
Maybe independently from that issue, maybe the script should be speed up by launching the actual commands it executes into the background ( But then it might also not speed up a lot presumably
Yet another solution would be not running SUID Disabler at boot time and only at package installation and upgrade time. That would be a bit less secure because it wouldn't revert any changes at boot time. The question is anyhow why these permissions would be incorrect except if root changed these. For fighting malware it seems to be the wrong tool. That's more into verified boot / dmverity. Related: |
Already implicitly covered by the existing configuration:
Duplicate.
Existing configuration already has:
Need to make sure that is safe. (Weird names in /home. Maybe not likely.)
Even worth excluding
A loop to cover all users and not just /home/user would be nice. Though, not sure it's needed. See:
Already got:
|
Could use whole folder /etc/cups? Please test, add: |
If I'm not mistaken, implicit coverage only applies to the folder
I'm on it.
I don't think so. Some files there need to be world readable for printers to work. |
I can create a pull. Where should I add this? |
Even needed because there is |
Otherwise seems more suitable in permission-lockdown than permission-hardening. Then permission-lockdown should be the only script that locks down home folder permissions and permission-hardening should stay out of it for a cleaner design. |
then I assume |
Does permission_lockdown get executed only once, or at all? This home directory loop is simple and necessary. It cannot be done with the config file because directory names are not static. This should be added as a function in permission hardening. |
Correct.
Unimportant detail... Though, at least it failed gracefully with just a notification. Something like:
In other words, non-existing folders aren't an issue. |
Every time at package install/update time.
True.
Why not a function in permission-lockdown? Thereby the logic in permission-hardening could stay generic, simpler code which is already a lot. |
The problem isn't non existing files. It is that only the user And I also have to ask: what is the point of permisison-lockdown. It is prone to several things and has unnecessary complexity. A simple chmod -R would do the same thing as the loop there. |
Can do. On it. |
It selectively applies these restrictions to user home folders only if they haven't been locked down before, preventing repetitive changes, preventing undoing user customization. If a user set up customized permissions then a chmod -R could undo a lot work. All features I intent to design in a way that these can be disabled by the system administrator, don't annoy the user, don't restrict customization, don't get into the way of advanced use cases. |
I did a better implementation. We can also cover all files, but setting them to 600 would render them unexecutable. I still implemented that part too, and commented it out. |
Permission Hardener is script that parses configuration files located in Now we'd like to enhance the script by providing users with the ability to enable or disable specific functionalities. Namely, enabling or disabling the compiler or interpreter lock. Is it common practice in Debian for settings management scripts/programs to create or delete configuration snippets within |
Wondering about the names of the script...
We could also move permission-hardener (and permission-hardener-undo) from /usr/libexec to /usr/bin to make these scripts more easily accessible. While we are at it we could even rename the horribly long name Or even manage to introduce a globally unique acronym that then users can easily find on search engines. Let's please brainstorm names and a command line parameter design.
Even [1] Not sure I'd spent effort to implement that. Might not be worth it. Then |
This is great stuff. I am going to have look at what I can do. |
So we don't have to parse on/off for each, best to make a syntax similar to systemctl. Here:
|
Hmm. To be honest this is no piece of cake to implement. I am not sure if this would be the right approach either. This is actually extremely simple to implement in a full system apparmor policy. Want to run compilers -> gotta use sudo. But there being profiles for allowed compilers makes sure we dont open a larger attack surface. This appoach can also work but I have to think a simpler way to allow the user. By default we should block access to all of them either way. |
For simplicity, using the related pull from now on for further discussions on the topic. |
Hardening file permissions and removing suid bits from binaries are quite different tasks. Handling them in the same service is not optimal because on of the two is significantly simple and breaks nothing. That is file permissions. These two functionalities have to be seperated.
Manually removing suid bits essentially is not optimal because we would have to maintain a long whitelist. This has no place here. This can be implemented in the apparmor-profiles-everything repo by removing the set_suid capability from the init profile and having seperate profiles for all suid applications. These can be ported from https://github.com/roddhjav/apparmor.d.
When it comes to file permission hardneing, the following hardening options should be applied upon install and be reverted on uninstall:
As I said, this is to be done upon install. No daemon or service is needed. We will revert these on uninstall.
The text was updated successfully, but these errors were encountered: