Whonix /etc/sudoers.d exceptions asterix * hardening #2852

Open
adrelanos opened this Issue Jun 8, 2017 · 4 comments

adrelanos commented Jun 8, 2017

Whonix uses * in a few /etc/sudoers.d files.

Quoting @marmarek in #2695 (comment):

As for actual sudo configuration - I see several files in /etc/sudoers.d have commands with * as argument. If in practice the command is called only with one or two specific arguments, IMO it's better to be verbose here.

TODO: harden this. Don't use * wherever possible.

find . -type f | grep sudoers | xargs cat | grep '*'
sdwdate ALL=NOPASSWD: /bin/date *
sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/sclockadj *
sdwdate ALL=NOPASSWD: /sbin/hwclock *
sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/sclockadj_kill_helper *
ALL ALL=NOPASSWD: /usr/lib/sdwdate/restart_fresh *
user ALL=NOPASSWD: /usr/bin/clock-random-manual-cli *
user ALL=NOPASSWD: /usr/bin/clock-random-manual-gui *
%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard *
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup *
#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
%sudo ALL=NOPASSWD: /usr/bin/whonixsetup *
user ALL=(whonixcheck) NOPASSWD: /usr/lib/whonixcheck/whonixcheck *
user ALL=(whonixcheck) NOPASSWD: /bin/bash -x /usr/lib/whonixcheck/whonixcheck *
ALL ALL=NOPASSWD: /usr/lib/msgcollector/msgprogressbar_kill_helper *

Do you think you could work on this? @tasket @crat0z

tasket commented Jun 8, 2017

I can start looking at a few of the commands to see how they're used in Whonix under core use cases such as 'browse web site' and 'update system'. Just want to say that Whonix is not my strong suit, though.

Tightening these entries means for some commands like date, specifying additional parameters to narrow the modes of use while still leaving * in there or whatever EBNF syntax allows. Obviously, it can't be completely nailed-down if it accepts data to set the system time, for example.

Optimal configuration should take into account whether the command is used in a purely automatic function or user-initiated. With the former, system startup and cron should not be an issue because as a general rule these are run as root user. With the latter, it may be best to let the system trigger an auth prompt in certain cases.

Whether a user-initiated function is considered an admin tool or just an app (like Torbrowser) also matters; the latter type should be usable without any auth prompts. OTOH, admin functions launched from dom0 menu could simply specify a privileged user like root to avoid auth prompts.

tasket commented Jul 15, 2017

Initial look at sdwdate:

These rules are specified by the sdwdate documentation for using this service as "non-root user". It's precarious to second-guess Patrick's design; normally I would say this is a security issue internal to the tool. I would leave most of those (first 7) rules as-is, or refactor sdwdate in some way such as running only the HTTP part as unpriv user.

Apart from that, the line referencing '/usr/lib/sdwdate/restart_fresh' is a script that takes no parameters anyway, so '*' can be removed there.

For whonix-setup-wizard, I think these lines

%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard *
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup *

...can be changed to

%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard
%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard locale_settings
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup

However, the script '/usr/bin/whonixsetup' appears to accept multiple 'command' options. Perhaps @adrelanos could elaborate on that.
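The sudoers(5) argument-matching rules that decide how much a tightened entry actually restricts, as an added example written for this issue (not Whonix or sudo project code): a Cmnd_Spec with no argument list permits any arguments, the explicit "" form permits only an argument-less call, and otherwise the caller's arguments joined by spaces must match the rule's pattern, with * matching across whitespace. The sample rules are the ones quoted in this issue plus constructed tightened variants; SAMPLE_LINES, cmnd_part, parse_cmnd, cmnd_allows and wildcard_specs are the example's own names, wildcard_specs reproduces the grep audit from the opening post, and only the command part of each line is modelled (no path globs, escapes, users or runas).

```python
"""Toy sudoers(5) Cmnd_Spec matcher, constructed for this issue (not Whonix or sudo code).
sudoers(5) argument matching: a rule that lists no arguments lets the caller pass
ANY arguments; a rule ending in "" matches only an argument-less invocation;
otherwise the caller's arguments, joined by spaces, must match the rule's pattern,
where '*' and '?' are shell wildcards and '*' also matches across whitespace (so
'/bin/date *' permits any argument string). Only the command part is modelled."""
import fnmatch
import shlex

# Constructed sample: rules quoted in this issue plus tightened variants of them.
SAMPLE_LINES = [
    "sdwdate ALL=NOPASSWD: /bin/date *",
    "ALL ALL=NOPASSWD: /usr/lib/sdwdate/restart_fresh *",
    "%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard",             # bare path
    "%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard locale_settings",
    '%sudo ALL=NOPASSWD: /usr/lib/sdwdate/restart_fresh ""',         # no-args form
    "#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *",               # commented out
]

def cmnd_part(line: str):
    """Cmnd_Spec of a tag-bearing line ('... NOPASSWD: /cmd args'); None for
    blank lines, comments and lines without a tag (not modelled)."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return None
    return line.rpartition(":")[2].strip()

def parse_cmnd(spec: str):
    """Split 'path args...' into (path, pattern): pattern is None when the rule
    lists no arguments and '' for the explicit "" no-args form."""
    parts = shlex.split(spec)          # shlex turns "" into an empty token
    return parts[0], (None if len(parts) == 1 else " ".join(parts[1:]))

def cmnd_allows(spec: str, invocation: str) -> bool:
    """Would sudo's argument matching accept `invocation` under rule `spec`?"""
    rule_path, rule_args = parse_cmnd(spec)
    argv = shlex.split(invocation)
    if not argv or argv[0] != rule_path:   # exact path match; path globs not modelled
        return False
    if rule_args is None:                  # no argument list in the rule: anything goes
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), rule_args)

def wildcard_specs(lines):
    """Active Cmnd_Specs whose argument pattern uses a wildcard: the audit the
    issue does with grep, minus comments and matches inside the path itself."""
    out = []
    for spec in filter(None, map(cmnd_part, lines)):
        pattern = parse_cmnd(spec)[1]
        if pattern and any(ch in pattern for ch in "*?["):
            out.append(spec)
    return out
```

Running wildcard_specs over SAMPLE_LINES reports only the two rules that still carry a wildcard; cmnd_allows shows that the bare-path form accepts any arguments while the "" form accepts none.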

adrelanos commented Aug 28, 2017

tasket commented Oct 31, 2017

FYI this is still on my todo list, I just want to get to VPN and template-reinstall fixes first.
