feat: sgid reduction (#392)

* feat: also remove sgid bit * Update yafti.yml * Update yafti.yml
2025-11-01 19:07:52 +00:00 · 2024-08-23 14:13:22 -07:00
parent c526c770ba
commit 967c7551ad
2 changed files with 13 additions and 4 deletions
--- a/files/scripts/removesuid.sh
+++ b/files/scripts/removesuid.sh
@@ -72,4 +72,13 @@ find /usr -type f -perm /4000 |
        fi
    done

+find /usr -type f -perm /2000 |
+    while IFS= read -r binary; do
+        if ! is_in_whitelist "$binary"; then
+            echo "Removing SGID bit from $binary"
+            chmod g-s "$binary"
+            echo "Removed SGID bit from $binary"
+        fi
+    done
+
 systemctl enable setcapsforunsuidbinaries.service
--- a/files/system/usr/share/ublue-os/firstboot/yafti.yml
+++ b/files/system/usr/share/ublue-os/firstboot/yafti.yml
@@ -82,10 +82,10 @@ screens:
  final-screen:
    source: yafti.screen.title
    values:
-      title: "All done!"
+      title: "Yafti run complete!"
      icon: "/path/to/icon"
      links:
-        - "Website":
-            run: /usr/bin/xdg-open https://github.com/secureblue/secureblue
+        - "POSTINSTALL-README":
+            run: /usr/bin/xdg-open https://github.com/secureblue/secureblue/blob/live/POSTINSTALL-README.md
      description: |
-        Thanks for trying secureblue, we hope you enjoy it!
+        Complete your secureblue installation by following the POSTINSTALL-README.