diff --git a/.github/workflows/tests/justfile_tests.bats b/.github/workflows/tests/justfile_tests.bats index 5e95c74..7ff184c 100644 --- a/.github/workflows/tests/justfile_tests.bats +++ b/.github/workflows/tests/justfile_tests.bats @@ -17,7 +17,7 @@ setup() { } @test "Ensure ujust is configured correctly for tests" { - run ujust bios + run ujust logs-this-boot [ "$status" -eq 0 ] } diff --git a/cosign.pub b/cosign.pub index 701a462..e3d20a8 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELYK0cZjzpDF+bmiOMd6D7F+mi0Hv -MhgXMA/VJvvwWJowh3izN28j4wAIA5T6HlTNqnr8CqJRDVciNpgtv0ACFA== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh4g4er65FA6Bn134y2MPFM+WJeFk +Xt939y/Pf/LpP/UREPSybAabRj2eWFyBqWWe1x2SQl0ptkHGg+M3h+SZ1w== -----END PUBLIC KEY----- diff --git a/docs/POSTINSTALL-README.md b/docs/POSTINSTALL-README.md index 0ecc8c4..4792afe 100644 --- a/docs/POSTINSTALL-README.md +++ b/docs/POSTINSTALL-README.md @@ -61,8 +61,9 @@ Setting a GRUB password helps protect the device from physical tampering and mit To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries. -1. `run0` -2. `grub2-setpassword` +``` +sudo grub2-setpassword +``` GRUB will prompt for a username and password. The default username is root. diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just index ca639d5..e68d67e 100644 --- a/files/justfiles/hardening.just +++ b/files/justfiles/hardening.just @@ -19,7 +19,7 @@ setup-usbguard: #!/usr/bin/bash echo "Notice: This will generate a policy based on your existing connected USB devices." ACTIVE_USERNAME=$(whoami) - run0 sh -c ' + pkexec sh -c ' mkdir -p /var/log/usbguard mkdir -p /etc/usbguard chmod 755 /etc/usbguard diff --git a/files/justfiles/toggles.just b/files/justfiles/toggles.just index 24ac459..93a4fde 100644 --- a/files/justfiles/toggles.just 
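Review bot: The smoke test now exercises `ujust logs-this-boot`, which per the utilities.just hunk in this same commit expands to `sudo journalctl -b 0`, so "Ensure ujust is configured correctly" only passes on a runner with non-interactive sudo for the test user; the old `ujust bios` target presumably needed no elevation. If the test is meant only to confirm that ujust is wired up, picking a recipe that needs no privilege keeps the check independent of the runner's sudoers configuration. If the sudo dependency is intended, a comment on the @test line such as `# requires passwordless sudo on the CI runner` would record the assumption for whoever next sees it hang at a password prompt.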
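Review bot: The image-signing public key is replaced wholesale with no note of the rotation anywhere in the visible diff, and nothing here updates documentation or a policy file that pins the key. Installed systems verifying pulls against the previously shipped key will reject images signed with the new one, and anyone auditing the repository needs to know whether the old key was compromised or simply retired. The PEM file cannot carry a comment, so the reason for the rotation, the cut-over point and the status of the old key belong in the commit description or the README.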
+++ b/files/justfiles/toggles.just @@ -1,6 +1,6 @@ # Toggle the cups service on/off toggle-cups: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash if systemctl is-enabled --quiet cups; then firewall-cmd --permanent --remove-port=631/tcp firewall-cmd --permanent --remove-port=631/udp @@ -23,21 +23,21 @@ toggle-cups: # Toggle bluetooth kernel modules on/off (requires reboot) toggle-bluetooth-modules: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash BLUE_MOD_FILE="/etc/modprobe.d/99-bluetooth.conf" if test -e $BLUE_MOD_FILE; then - rm -f $BLUE_MOD_FILE + sudo rm -f $BLUE_MOD_FILE echo "Bluetooth kernel modules disabled. Reboot to take effect." else - sh -c 'echo "install bluetooth /sbin/modprobe --ignore-install bluetooth" >> "$1"' _ "$BLUE_MOD_FILE" - sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE" - chmod 644 $BLUE_MOD_FILE + sudo sh -c 'echo "install bluetooth /sbin/modprobe --ignore-install bluetooth" >> "$1"' _ "$BLUE_MOD_FILE" + sudo sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE" + sudo chmod 644 $BLUE_MOD_FILE echo "Bluetooth kernel modules enabled. Reboot to take effect." fi # Toggle GHNS (KDE Get New Stuff) toggle-ghns: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash KDE_GLOBALS_FILE="/etc/xdg/kdeglobals" if test -e $KDE_GLOBALS_FILE; then if grep -q "ghns=false" "$KDE_GLOBALS_FILE"; then 
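Review bot: In the toggle-bluetooth-modules hunk the new `#!/usr/bin/pkexec /usr/bin/bash` shebang already runs the whole recipe as root, so the `sudo` prefixes added to `rm -f`, `sh -c` and `chmod` are redundant: sudo is invoked from an already-root shell, which succeeds without prompting but still requires sudo to be installed and setuid, giving each recipe two escalation mechanisms. The same double elevation appears in the hunks for override-enable-module, override-reset-module, toggle-gnome-jit-js and toggle-xwayland (@@ -55, @@ -94 and @@ -137), while toggle-anticheat-support in @@ -80 relies on the shebang alone, so the file is now internally inconsistent. Either keep the pkexec shebang and drop the prefixes, e.g. `rm -f "$BLUE_MOD_FILE"`, or use a plain bash shebang and put `sudo` on every privileged command as utilities.just does; the former yields one authorization prompt per recipe.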
@@ -55,24 +55,24 @@ toggle-ghns: # enable a kernel module that is disabled by modprobe.d (requires restart) override-enable-module mod_name: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash MOD_NAME="{{ mod_name }}" MOD_FILE="/etc/modprobe.d/99-$MOD_NAME.conf" if test -e $MOD_FILE; then echo "$MOD_NAME module is already enabled." else - sh -c 'echo "install $1 /sbin/modprobe --ignore-install $1" >> "$2"' _ "$MOD_NAME" "$MOD_FILE" - chmod 644 $MOD_FILE + sudo sh -c 'echo "install $1 /sbin/modprobe --ignore-install $1" >> "$2"' _ "$MOD_NAME" "$MOD_FILE" + sudo chmod 644 $MOD_FILE echo "Override created to enable $MOD_NAME module. Reboot to take effect." fi # reset the override by `just override-enable-module`, i.e. disable the module again (requires restart) override-reset-module mod_name: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash MOD_NAME="{{ mod_name }}" MOD_FILE="/etc/modprobe.d/99-$MOD_NAME.conf" if test -e $MOD_FILE; then - rm -f $MOD_FILE + sudo rm -f $MOD_FILE echo "The override for $MOD_NAME module has been reset. Reboot to take effect." else echo "No override found for $MOD_NAME module." @@ -80,7 +80,7 @@ override-reset-module mod_name: # Toggle anticheat support by changing ptrace scope (requires restart) toggle-anticheat-support: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash SYSCTL_HARDENING_FILE="/etc/sysctl.d/hardening.conf" if grep -q "kernel.yama.ptrace_scope = 3" "$SYSCTL_HARDENING_FILE"; then sed -i "s/kernel.yama.ptrace_scope = 3/kernel.yama.ptrace_scope = 1/" "$SYSCTL_HARDENING_FILE" 
@@ -94,14 +94,14 @@ toggle-anticheat-support: # Toggle Gnome JIT JavaScript for GJS and WebkitGTK (requires session restart) toggle-gnome-jit-js: - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash ENV_FILE="/etc/profile.d/gnome-disable-jit.sh" if test -e $ENV_FILE; then - rm -f $ENV_FILE + sudo rm -f $ENV_FILE echo "JIT JavaScript for Gnome and WebkitGTK has been enabled." else - cp /usr$ENV_FILE $ENV_FILE - chmod 644 $ENV_FILE + sudo cp /usr$ENV_FILE $ENV_FILE + sudo chmod 644 $ENV_FILE echo "JIT JavaScript for Gnome and WebkitGTK has been disabled." fi @@ -119,7 +119,7 @@ toggle-gnome-extensions: # Toggle Xwayland support toggle-xwayland ACTION="prompt": - #! /bin/run0 /bin/bash + #!/usr/bin/pkexec /usr/bin/bash source /usr/lib/ujust/ujust.sh OPTION={{ ACTION }} if [ "$OPTION" == "prompt" ]; then 
@@ -137,31 +137,31 @@ toggle-xwayland ACTION="prompt": if [ "$OPTION" == "GNOME" ] || [ "${OPTION,,}" == "gnome" ]; then GNOME_XWAYLAND_FILE="/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf" if test -e $GNOME_XWAYLAND_FILE; then - rm -f $GNOME_XWAYLAND_FILE + sudo rm -f $GNOME_XWAYLAND_FILE echo "Xwayland for GNOME has been enabled." else - cp /usr$GNOME_XWAYLAND_FILE $GNOME_XWAYLAND_FILE - chmod 644 $GNOME_XWAYLAND_FILE + sudo cp /usr$GNOME_XWAYLAND_FILE $GNOME_XWAYLAND_FILE + sudo chmod 644 $GNOME_XWAYLAND_FILE echo "Xwayland for GNOME has been disabled." fi elif [ "$OPTION" == "KDE Plasma" ] || [ "${OPTION,,}" == "plasma" ]; then PLASMA_XWAYLAND_FILE="/etc/systemd/user/plasma-kwin_wayland.service.d/override.conf" if test -e $PLASMA_XWAYLAND_FILE; then - rm -f $PLASMA_XWAYLAND_FILE + sudo rm -f $PLASMA_XWAYLAND_FILE echo "Xwayland for KDE Plasma has been enabled." else - cp /usr$PLASMA_XWAYLAND_FILE $PLASMA_XWAYLAND_FILE - chmod 644 $PLASMA_XWAYLAND_FILE + sudo cp /usr$PLASMA_XWAYLAND_FILE $PLASMA_XWAYLAND_FILE + sudo chmod 644 $PLASMA_XWAYLAND_FILE echo "Xwayland for KDE Plasma has been disabled." fi elif [ "$OPTION" == "Sway" ] || [ "${OPTION,,}" == "sway" ]; then SWAY_XWAYLAND_FILE="/etc/sway/config.d/99-noxwayland.conf" if test -e $SWAY_XWAYLAND_FILE; then - rm -f $SWAY_XWAYLAND_FILE + sudo rm -f $SWAY_XWAYLAND_FILE echo "Xwayland for Sway has been enabled." else - cp /usr$SWAY_XWAYLAND_FILE $SWAY_XWAYLAND_FILE - chmod 644 $SWAY_XWAYLAND_FILE + sudo cp /usr$SWAY_XWAYLAND_FILE $SWAY_XWAYLAND_FILE + sudo chmod 644 $SWAY_XWAYLAND_FILE echo "Xwayland for Sway has been disabled." fi fi 
@@ -179,7 +179,7 @@ toggle-bash-environment-lockdown: if lsattr "${BASH_ENV_FILES[0]}" 2>/dev/null | awk '{print $1}' | grep -q 'i'; then echo "Bash environment '(${BASH_ENV_FILES[@]})' is locked down. Unlocking it." for file in "${BASH_ENV_FILES[@]}"; do - run0 chattr -i "$file" + pkexec chattr -i "$file" done else echo "Bash environment '(${BASH_ENV_FILES[@]})' is unlocked. Locking it." @@ -215,7 +215,7 @@ toggle-bash-environment-lockdown: " > ~/.bash_profile for file in "${BASH_ENV_FILES[@]}"; do - run0 chattr +i "$file" + pkexec chattr +i "$file" done fi else diff --git a/files/justfiles/utilities.just b/files/justfiles/utilities.just index bde9d5d..5f4f738 100644 --- a/files/justfiles/utilities.just +++ b/files/justfiles/utilities.just @@ -25,28 +25,26 @@ bios: # Show all messages from this boot logs-this-boot: - #! /bin/run0 /bin/bash - journalctl -b 0 + sudo journalctl -b 0 # Show all messages from last boot logs-last-boot: - #! /bin/run0 /bin/bash - journalctl -b -1 + sudo journalctl -b -1 # Regenerate GRUB config, useful in dual-boot scenarios where a second operating system isn't listed regenerate-grub: - #! /bin/run0 /bin/bash + #!/usr/bin/bash if [ -d /sys/firmware/efi ]; then - grub2-mkconfig -o /etc/grub2-efi.cfg + sudo grub2-mkconfig -o /etc/grub2-efi.cfg else - grub2-mkconfig -o /etc/grub2.cfg + sudo grub2-mkconfig -o /etc/grub2.cfg fi # Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "universalblue" if prompted enroll-secure-boot-key: - run0 mokutil --timeout -1 + sudo mokutil --timeout -1 echo 'The next line will prompt for a MOK password. Then, input "universalblue"' - run0 mokutil --import /etc/pki/akmods/certs/akmods-ublue.der + sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der echo 'At next reboot, the mokutil UEFI menu UI will be displayed (*QWERTY* keyboard input and navigation).\nThen, select "Enroll MOK", and input "universalblue" as the password' # Toggle display of the user-motd in terminal 
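Review bot: `pkexec chattr -i "$file"` inside the `for file in "${BASH_ENV_FILES[@]}"` loop starts pkexec once per file, and since the default org.freedesktop.policykit.exec action is typically auth_admin without keep, the user is likely prompted once per array element; the `chattr +i` loop in @@ -215 has the same shape. chattr accepts several paths, so a single `pkexec chattr -i "${BASH_ENV_FILES[@]}"` in place of the loop does the same work under one authorization, and the locking loop can be collapsed the same way. Whether the authorization is retained depends on the polkit policy shipped on the image, so this is worth confirming there. The enclosing recipe starts and ends outside the hunk.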
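Review bot: This hunk moves utilities.just to per-command `sudo`, while toggles.just and hardening.just in the same commit move to `pkexec`, so the image must keep both sudo and pkexec setuid (which is what the removesuid.sh whitelist now does) and a user has to satisfy both the sudoers and the polkit policy for ujust to work end to end. Choosing one mechanism for all justfiles, or a header comment in each file stating why they differ, would make the privilege model easier to audit. On a smaller point, the two `logs-*` recipes grant full root for a read-only operation; on images where the invoking user is in the systemd-journal group, `journalctl -b 0` works unprivileged, so `journalctl -b 0 2>/dev/null || sudo journalctl -b 0` would escalate only when needed. The `regenerate-grub` pattern of a plain bash shebang with sudo only on `grub2-mkconfig` is the cleaner of the two styles in this file.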
diff --git a/files/scripts/removesuid.sh b/files/scripts/removesuid.sh index 7307495..bcd0b2a 100644 --- a/files/scripts/removesuid.sh +++ b/files/scripts/removesuid.sh 
@@ -12,13 +12,34 @@ whitelist=( "/usr/lib/polkit-1/polkit-agent-helper-1" # Needed for flatpak on no-userns images "/usr/bin/bwrap" - # Required for chrome suid sandbox on no-userns images - "/usr/lib64/chromium-browser/chrome-sandbox" + # Requires cap_setuid if the suid bit is removed + "/usr/bin/gpasswd" + # "In effect, when the SUID bit is unset on /usr/bin/mount, mount(8) will never drop permissions. If /usr/bin/mount were to have a" + # "nonempty permitted capability set and its effective capability bit were set, then mount(8) would never have its effective " + # "capability set cleared during execution, potentially allowing unprivileged users to perform actions they shouldn’t be able to perform" + # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-4 + "/usr/bin/mount" + # Required for nvidia images + "/usr/bin/nvidia-modprobe" + # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities + "/usr/bin/passwd" + # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-9 + "/usr/bin/pkexec" + # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6 + "/usr/bin/su" + # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6 + "/usr/bin/sudo" + # See /usr/bin/mount + "/usr/bin/umount" + # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 + "/usr/lib/polkit-1/polkit-agent-helper-1" # https://github.com/secureblue/secureblue/issues/119 - # Required for hardened_malloc to be used by suid-root processes "/usr/lib64/libhardened_malloc-light.so" "/usr/lib64/libhardened_malloc-pkey.so" "/usr/lib64/libhardened_malloc.so" + # Required for chrome suid sandbox on no-userns images + 
"/usr/lib64/chromium-browser/chrome-sandbox" + # https://github.com/secureblue/secureblue/issues/119 "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so" @@ -31,6 +52,8 @@ whitelist=( "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so" + # Requires cap_setgid,cap_setuid if the SUID bit is removed + "/usr/sbin/grub2-set-bootflag" ) @@ -62,10 +85,4 @@ find /usr -type f -perm /2000 | fi done - -rm -f /usr/bin/chsh -rm -f /usr/bin/pkexec -rm -f /usr/bin/sudo -rm -f /usr/bin/su - systemctl enable setcapsforunsuidbinaries.service diff --git a/files/scripts/unprotectsudo.sh b/files/scripts/unprotectsudo.sh deleted file mode 100644 index 90e7cbb..0000000 --- a/files/scripts/unprotectsudo.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env bash - -# Tell build process to exit if there are any errors. -set -oue pipefail - -rm -f /etc/dnf/protected.d/sudo.conf \ No newline at end of file diff --git a/recipes/common/common-modules.yml b/recipes/common/common-modules.yml index 4463802..8b306b5 100644 --- a/recipes/common/common-modules.yml +++ b/recipes/common/common-modules.yml @@ -5,7 +5,6 @@ modules: - type: script scripts: - installrpmfusion.sh - - unprotectsudo.sh - from-file: common/common-packages.yml - type: files files: diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml index ddede0c..c4ad3e9 100644 --- a/recipes/common/common-scripts.yml +++ b/recipes/common/common-scripts.yml @@ -5,6 +5,7 @@ scripts: - disablesealertpopups.sh - httpsmirrors.sh - createmissingdirectories.sh + - removesuid.sh - disablegeoclue.sh - enablesecurebluefirstrun.sh - createjustcompletions.sh diff --git a/recipes/common/desktop-packages.yml b/recipes/common/desktop-packages.yml index bf85665..6855409 100644 
--- a/recipes/common/desktop-packages.yml +++ b/recipes/common/desktop-packages.yml @@ -35,9 +35,6 @@ remove: - open-vm-tools-desktop - virtualbox-guest-additions - passim - - sudo - - sudo-python-plugin - diff --git a/recipes/common/desktop-scripts.yml b/recipes/common/desktop-scripts.yml index f4b2d9d..75dac12 100644 --- a/recipes/common/desktop-scripts.yml +++ b/recipes/common/desktop-scripts.yml @@ -7,4 +7,4 @@ scripts: - disablealsastate.sh - disablemodemmanager.sh - disablenfsdaemons.sh - - disablesssd.sh + - disablesssd.sh \ No newline at end of file diff --git a/recipes/common/final-modules.yml b/recipes/common/final-modules.yml index 407d6b9..36918fb 100644 --- a/recipes/common/final-modules.yml +++ b/recipes/common/final-modules.yml @@ -2,5 +2,4 @@ modules: - type: script scripts: - removeunusedrepos.sh - - removesuid.sh - regenerateinitramfs.sh \ No newline at end of file diff --git a/recipes/common/server-modules.yml b/recipes/common/server-modules.yml index ae027f2..d2b6a1b 100644 --- a/recipes/common/server-modules.yml +++ b/recipes/common/server-modules.yml @@ -16,8 +16,6 @@ modules: - usbguard - firewalld - policycoreutils-python-utils - remove: - - sudo - type: files files: @@ -30,6 +28,3 @@ modules: scripts: - excludepcsc.sh - setserverdefaultzone.sh - - setservermotd.sh - - removebrewjust.sh - - removesuid.sh