mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-09 16:26:01 +00:00
feat: replace SUID root with capabilities where possible (#303)
This commit is contained in:
qoijjj
@@ -44,6 +44,7 @@ Hardening applied:
|
|||||||
- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
|
- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
|
||||||
- Use HTTPS for all rpm mirrors
|
- Use HTTPS for all rpm mirrors
|
||||||
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
|
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
|
||||||
|
- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/config/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/staging/config/files/usr/bin/setcapsforunsuidbinaries)
|
||||||
- (Non-userns variants) Disabling unprivileged user namespaces
|
- (Non-userns variants) Disabling unprivileged user namespaces
|
||||||
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
|
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
|
||||||
|
|
||||||
|
|||||||
24
config/files/usr/bin/setcapsforunsuidbinaries
Normal file
24
config/files/usr/bin/setcapsforunsuidbinaries
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set_caps_if_present() {
|
||||||
|
local caps="$1"
|
||||||
|
local binary_path="$2"
|
||||||
|
if [ -f "$binary_path" ]; then
|
||||||
|
mount --bind -o rw "$binary_path" "$binary_path"
|
||||||
|
|
||||||
|
echo "Setting caps $caps on $binary_path"
|
||||||
|
setcap "$caps" "$binary_path"
|
||||||
|
echo "Set caps $caps on $binary_path"
|
||||||
|
|
||||||
|
umount "$binary_path"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
|
||||||
|
set_caps_if_present "cap_chown,cap_dac_override,cap_fowner,cap_audit_write=ep" "/usr/bin/chsh"
|
||||||
|
set_caps_if_present "cap_chown,cap_dac_override,cap_fowner,cap_audit_write=ep" "/usr/bin/chfn"
|
||||||
|
set_caps_if_present "cap_dac_read_search=ep" "/usr/libexec/openssh/ssh-keysign"
|
||||||
|
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount"
|
||||||
|
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
|
||||||
|
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount-glusterfs"
|
||||||
|
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Set caps for suid-removed binaries
|
||||||
|
After=local-fs.target sysinit.target
|
||||||
|
DefaultDependencies=no
|
||||||
|
Before=graphical-session-pre.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/setcapsforunsuidbinaries
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
79
config/scripts/removesuid.sh
Normal file
79
config/scripts/removesuid.sh
Normal file
@@ -0,0 +1,79 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Tell build process to exit if there are any errors.
|
||||||
|
set -oue pipefail
|
||||||
|
|
||||||
|
# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
|
||||||
|
|
||||||
|
whitelist=(
|
||||||
|
# Needed for flatpak on no-userns images
|
||||||
|
"/usr/bin/bwrap"
|
||||||
|
# Requires cap_setuid if the suid bit is removed
|
||||||
|
"/usr/bin/gpasswd"
|
||||||
|
# "In effect, when the SUID bit is unset on /usr/bin/mount, mount(8) will never drop permissions. If /usr/bin/mount were to have a"
|
||||||
|
# "nonempty permitted capability set and its effective capability bit were set, then mount(8) would never have its effective "
|
||||||
|
# "capability set cleared during execution, potentially allowing unprivileged users to perform actions they shouldn’t be able to perform"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-4
|
||||||
|
"/usr/bin/mount"
|
||||||
|
# Required for nvidia images
|
||||||
|
"/usr/bin/nvidia-modprobe"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities
|
||||||
|
"/usr/bin/passwd"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-9
|
||||||
|
"/usr/bin/pkexec"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
|
||||||
|
"/usr/bin/su"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
|
||||||
|
"/usr/bin/sudo"
|
||||||
|
# See /usr/bin/mount
|
||||||
|
"/usr/bin/umount"
|
||||||
|
# https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
|
||||||
|
"/usr/lib/polkit-1/polkit-agent-helper-1"
|
||||||
|
# https://github.com/secureblue/secureblue/issues/119
|
||||||
|
"/usr/lib64/libhardened_malloc-light.so"
|
||||||
|
"/usr/lib64/libhardened_malloc-pkey.so"
|
||||||
|
"/usr/lib64/libhardened_malloc.so"
|
||||||
|
# Required for chrome suid sandbox on no-userns images
|
||||||
|
"/usr/lib64/chromium-browser/chrome-sandbox"
|
||||||
|
# https://github.com/secureblue/secureblue/issues/119
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
|
||||||
|
"/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
|
||||||
|
# Requires cap_setgid,cap_setuid if the SUID bit is removed
|
||||||
|
"/usr/sbin/grub2-set-bootflag"
|
||||||
|
# See /usr/bin/mount
|
||||||
|
"/usr/sbin/mount.nfs"
|
||||||
|
# https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-6
|
||||||
|
"/usr/sbin/pam_timestamp_check"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
is_in_whitelist() {
|
||||||
|
local binary="$1"
|
||||||
|
for allowed_binary in "${whitelist[@]}"; do
|
||||||
|
if [ "$binary" = "$allowed_binary" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
find /usr -type f -perm /4000 |
|
||||||
|
while IFS= read -r binary; do
|
||||||
|
if ! is_in_whitelist "$binary"; then
|
||||||
|
echo "Removing SUID bit from $binary"
|
||||||
|
chmod u-s "$binary"
|
||||||
|
echo "Removed SUID bit from $binary"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
systemctl enable setcapsforunsuidbinaries.service
|
||||||
@@ -7,3 +7,4 @@ scripts:
|
|||||||
- hardencontainerpolicy.sh
|
- hardencontainerpolicy.sh
|
||||||
- httpsmirrors.sh
|
- httpsmirrors.sh
|
||||||
- createmissingdirectories.sh
|
- createmissingdirectories.sh
|
||||||
|
- removesuid.sh
|
||||||
Reference in New Issue
Block a user