Revert "feat: (almost) entirely remove suid (#606)"

This reverts commit 5f7a6d2a6f.

.github/workflows/tests/justfile_tests.bats

@@ -17,7 +17,7 @@ setup() {
 }
 
 @test "Ensure ujust is configured correctly for tests" {
-    run ujust bios
+    run ujust logs-this-boot
     [ "$status" -eq 0 ]
 }
 

cosign.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELYK0cZjzpDF+bmiOMd6D7F+mi0Hv
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh4g4er65FA6Bn134y2MPFM+WJeFk
-MhgXMA/VJvvwWJowh3izN28j4wAIA5T6HlTNqnr8CqJRDVciNpgtv0ACFA==
+Xt939y/Pf/LpP/UREPSybAabRj2eWFyBqWWe1x2SQl0ptkHGg+M3h+SZ1w==
 -----END PUBLIC KEY-----

docs/POSTINSTALL-README.md

@@ -61,8 +61,9 @@ Setting a GRUB password helps protect the device from physical tampering and mit
 
 To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries.
 
-1. `run0`
+```
-2. `grub2-setpassword`
+sudo grub2-setpassword
+```
 
 GRUB will prompt for a username and password. The default username is root.
 

files/justfiles/hardening.just

@@ -19,7 +19,7 @@ setup-usbguard:
     #!/usr/bin/bash
     echo "Notice: This will generate a policy based on your existing connected USB devices."
     ACTIVE_USERNAME=$(whoami)
-    run0 sh -c '
+    pkexec sh -c '
         mkdir -p /var/log/usbguard
         mkdir -p /etc/usbguard
         chmod 755 /etc/usbguard

files/justfiles/toggles.just

@@ -1,6 +1,6 @@
 # Toggle the cups service on/off
 toggle-cups:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     if systemctl is-enabled --quiet cups; then
       firewall-cmd --permanent --remove-port=631/tcp
       firewall-cmd --permanent --remove-port=631/udp 
@@ -23,21 +23,21 @@ toggle-cups:
 
 # Toggle bluetooth kernel modules on/off (requires reboot)
 toggle-bluetooth-modules:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     BLUE_MOD_FILE="/etc/modprobe.d/99-bluetooth.conf"
     if test -e $BLUE_MOD_FILE; then
-      rm -f $BLUE_MOD_FILE
+      sudo rm -f $BLUE_MOD_FILE
       echo "Bluetooth kernel modules disabled. Reboot to take effect."
     else
-      sh -c 'echo "install bluetooth /sbin/modprobe --ignore-install bluetooth" >> "$1"' _ "$BLUE_MOD_FILE"
+      sudo sh -c 'echo "install bluetooth /sbin/modprobe --ignore-install bluetooth" >> "$1"' _ "$BLUE_MOD_FILE"
-      sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE"
+      sudo sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE"
-      chmod 644 $BLUE_MOD_FILE
+      sudo chmod 644 $BLUE_MOD_FILE
       echo "Bluetooth kernel modules enabled. Reboot to take effect."
     fi
 
 # Toggle GHNS (KDE Get New Stuff)
 toggle-ghns:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     KDE_GLOBALS_FILE="/etc/xdg/kdeglobals"
     if test -e $KDE_GLOBALS_FILE; then
       if grep -q "ghns=false" "$KDE_GLOBALS_FILE"; then
@@ -55,24 +55,24 @@ toggle-ghns:
 
 # enable a kernel module that is disabled by modprobe.d (requires restart)
 override-enable-module mod_name:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     MOD_NAME="{{ mod_name }}"
     MOD_FILE="/etc/modprobe.d/99-$MOD_NAME.conf"
     if test -e $MOD_FILE; then
       echo "$MOD_NAME module is already enabled."
     else
-      sh -c 'echo "install $1 /sbin/modprobe --ignore-install $1" >> "$2"' _ "$MOD_NAME" "$MOD_FILE" 
+      sudo sh -c 'echo "install $1 /sbin/modprobe --ignore-install $1" >> "$2"' _ "$MOD_NAME" "$MOD_FILE" 
-      chmod 644 $MOD_FILE
+      sudo chmod 644 $MOD_FILE
       echo "Override created to enable $MOD_NAME module. Reboot to take effect."
     fi
 
 # reset the override by `just override-enable-module`, i.e. disable the module again (requires restart)
 override-reset-module mod_name:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     MOD_NAME="{{ mod_name }}"
     MOD_FILE="/etc/modprobe.d/99-$MOD_NAME.conf"
     if test -e $MOD_FILE; then
-      rm -f $MOD_FILE
+      sudo rm -f $MOD_FILE
       echo "The override for $MOD_NAME module has been reset. Reboot to take effect."
     else
       echo "No override found for $MOD_NAME module."
@@ -80,7 +80,7 @@ override-reset-module mod_name:
 
 # Toggle anticheat support by changing ptrace scope (requires restart)
 toggle-anticheat-support:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     SYSCTL_HARDENING_FILE="/etc/sysctl.d/hardening.conf"
     if grep -q "kernel.yama.ptrace_scope = 3" "$SYSCTL_HARDENING_FILE"; then
         sed -i "s/kernel.yama.ptrace_scope = 3/kernel.yama.ptrace_scope = 1/" "$SYSCTL_HARDENING_FILE"
@@ -94,14 +94,14 @@ toggle-anticheat-support:
 
 # Toggle Gnome JIT JavaScript for GJS and WebkitGTK (requires session restart)
 toggle-gnome-jit-js:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     ENV_FILE="/etc/profile.d/gnome-disable-jit.sh"
     if test -e $ENV_FILE; then
-        rm -f $ENV_FILE
+        sudo rm -f $ENV_FILE
         echo "JIT JavaScript for Gnome and WebkitGTK has been enabled."
     else
-        cp /usr$ENV_FILE $ENV_FILE
+        sudo cp /usr$ENV_FILE $ENV_FILE
-        chmod 644 $ENV_FILE
+        sudo chmod 644 $ENV_FILE
         echo "JIT JavaScript for Gnome and WebkitGTK has been disabled."
     fi
 
@@ -119,7 +119,7 @@ toggle-gnome-extensions:
 
 # Toggle Xwayland support
 toggle-xwayland ACTION="prompt":
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/pkexec /usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     OPTION={{ ACTION }}
     if [ "$OPTION" == "prompt" ]; then
@@ -137,31 +137,31 @@ toggle-xwayland ACTION="prompt":
     if [ "$OPTION" == "GNOME" ] || [ "${OPTION,,}" == "gnome" ]; then
       GNOME_XWAYLAND_FILE="/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf"
       if test -e $GNOME_XWAYLAND_FILE; then
-        rm -f $GNOME_XWAYLAND_FILE
+        sudo rm -f $GNOME_XWAYLAND_FILE
         echo "Xwayland for GNOME has been enabled."
       else
-        cp /usr$GNOME_XWAYLAND_FILE $GNOME_XWAYLAND_FILE
+        sudo cp /usr$GNOME_XWAYLAND_FILE $GNOME_XWAYLAND_FILE
-        chmod 644 $GNOME_XWAYLAND_FILE
+        sudo chmod 644 $GNOME_XWAYLAND_FILE
         echo "Xwayland for GNOME has been disabled."
       fi
     elif [ "$OPTION" == "KDE Plasma" ] || [ "${OPTION,,}" == "plasma" ]; then
       PLASMA_XWAYLAND_FILE="/etc/systemd/user/plasma-kwin_wayland.service.d/override.conf"
       if test -e $PLASMA_XWAYLAND_FILE; then
-        rm -f $PLASMA_XWAYLAND_FILE
+        sudo rm -f $PLASMA_XWAYLAND_FILE
         echo "Xwayland for KDE Plasma has been enabled."
       else
-        cp /usr$PLASMA_XWAYLAND_FILE $PLASMA_XWAYLAND_FILE
+        sudo cp /usr$PLASMA_XWAYLAND_FILE $PLASMA_XWAYLAND_FILE
-        chmod 644 $PLASMA_XWAYLAND_FILE
+        sudo chmod 644 $PLASMA_XWAYLAND_FILE
         echo "Xwayland for KDE Plasma has been disabled."
       fi
     elif [ "$OPTION" == "Sway" ] || [ "${OPTION,,}" == "sway" ]; then
       SWAY_XWAYLAND_FILE="/etc/sway/config.d/99-noxwayland.conf"
       if test -e $SWAY_XWAYLAND_FILE; then
-        rm -f $SWAY_XWAYLAND_FILE
+        sudo rm -f $SWAY_XWAYLAND_FILE
         echo "Xwayland for Sway has been enabled."
       else
-        cp /usr$SWAY_XWAYLAND_FILE $SWAY_XWAYLAND_FILE
+        sudo cp /usr$SWAY_XWAYLAND_FILE $SWAY_XWAYLAND_FILE
-        chmod 644 $SWAY_XWAYLAND_FILE
+        sudo chmod 644 $SWAY_XWAYLAND_FILE
         echo "Xwayland for Sway has been disabled."
       fi
     fi
@@ -179,7 +179,7 @@ toggle-bash-environment-lockdown:
       if lsattr "${BASH_ENV_FILES[0]}" 2>/dev/null | awk '{print $1}' | grep -q 'i'; then
         echo "Bash environment '(${BASH_ENV_FILES[@]})' is locked down. Unlocking it."
         for file in "${BASH_ENV_FILES[@]}"; do
-            run0 chattr -i "$file"
+            pkexec chattr -i "$file"
         done
       else
         echo "Bash environment '(${BASH_ENV_FILES[@]})' is unlocked. Locking it."
@@ -215,7 +215,7 @@ toggle-bash-environment-lockdown:
         " > ~/.bash_profile
 
         for file in "${BASH_ENV_FILES[@]}"; do
-            run0 chattr +i "$file"
+            pkexec chattr +i "$file"
         done
       fi
     else

files/justfiles/utilities.just

@@ -25,28 +25,26 @@ bios:
 
 # Show all messages from this boot
 logs-this-boot:
-    #! /bin/run0 /bin/bash
+    sudo journalctl -b 0
-    journalctl -b 0
 
 # Show all messages from last boot
 logs-last-boot:
-    #! /bin/run0 /bin/bash
+    sudo journalctl -b -1
-    journalctl -b -1
 
 # Regenerate GRUB config, useful in dual-boot scenarios where a second operating system isn't listed
 regenerate-grub:
-    #! /bin/run0 /bin/bash
+    #!/usr/bin/bash
     if [ -d /sys/firmware/efi ]; then
-      grub2-mkconfig -o /etc/grub2-efi.cfg
+      sudo grub2-mkconfig -o /etc/grub2-efi.cfg
     else
-      grub2-mkconfig -o /etc/grub2.cfg
+      sudo grub2-mkconfig -o /etc/grub2.cfg
     fi
 
 # Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "universalblue" if prompted
 enroll-secure-boot-key:
-    run0 mokutil --timeout -1
+    sudo mokutil --timeout -1
     echo 'The next line will prompt for a MOK password. Then, input "universalblue"'
-    run0 mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
+    sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
     echo 'At next reboot, the mokutil UEFI menu UI will be displayed (*QWERTY* keyboard input and navigation).\nThen, select "Enroll MOK", and input "universalblue" as the password'
 
 # Toggle display of the user-motd in terminal

files/scripts/removesuid.sh

@@ -12,13 +12,34 @@ whitelist=(
     "/usr/lib/polkit-1/polkit-agent-helper-1"
     # Needed for flatpak on no-userns images
     "/usr/bin/bwrap"
-    # Required for chrome suid sandbox on no-userns images
+    # Requires cap_setuid if the suid bit is removed
-    "/usr/lib64/chromium-browser/chrome-sandbox"
+    "/usr/bin/gpasswd"
+    # "In effect, when the SUID bit is unset on /usr/bin/mount, mount(8) will never drop permissions. If /usr/bin/mount were to have a"
+    # "nonempty permitted capability set and its effective capability bit were set, then mount(8) would never have its effective " 
+    # "capability set cleared during execution, potentially allowing unprivileged users to perform actions they shouldn’t be able to perform"
+    # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-4
+    "/usr/bin/mount"
+    # Required for nvidia images
+    "/usr/bin/nvidia-modprobe"
+    # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities
+    "/usr/bin/passwd"
+    # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-9
+    "/usr/bin/pkexec"
+    # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
+    "/usr/bin/su"
+    # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
+    "/usr/bin/sudo"
+    # See /usr/bin/mount
+    "/usr/bin/umount"
+    # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
+    "/usr/lib/polkit-1/polkit-agent-helper-1"
     # https://github.com/secureblue/secureblue/issues/119
-    # Required for hardened_malloc to be used by suid-root processes
     "/usr/lib64/libhardened_malloc-light.so"
     "/usr/lib64/libhardened_malloc-pkey.so"
     "/usr/lib64/libhardened_malloc.so"
+    # Required for chrome suid sandbox on no-userns images
+    "/usr/lib64/chromium-browser/chrome-sandbox"
+    # https://github.com/secureblue/secureblue/issues/119
     "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
     "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
     "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
@@ -31,6 +52,8 @@ whitelist=(
     "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
     "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
     "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
+    # Requires cap_setgid,cap_setuid if the SUID bit is removed
+    "/usr/sbin/grub2-set-bootflag"
 )
 
 
@@ -62,10 +85,4 @@ find /usr -type f -perm /2000 |
         fi
     done
 
-
-rm -f /usr/bin/chsh
-rm -f /usr/bin/pkexec
-rm -f /usr/bin/sudo
-rm -f /usr/bin/su
-
 systemctl enable setcapsforunsuidbinaries.service

files/scripts/unprotectsudo.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-rm -f /etc/dnf/protected.d/sudo.conf

recipes/common/common-modules.yml

@@ -5,7 +5,6 @@ modules:
     - type: script
       scripts:
         - installrpmfusion.sh
-        - unprotectsudo.sh
     - from-file: common/common-packages.yml
     - type: files
       files:

recipes/common/common-scripts.yml

@@ -5,6 +5,7 @@ scripts:
   - disablesealertpopups.sh
   - httpsmirrors.sh
   - createmissingdirectories.sh
+  - removesuid.sh
   - disablegeoclue.sh
   - enablesecurebluefirstrun.sh
   - createjustcompletions.sh

recipes/common/desktop-packages.yml

@@ -35,9 +35,6 @@ remove:
   - open-vm-tools-desktop
   - virtualbox-guest-additions
   - passim
-  - sudo
-  - sudo-python-plugin
-
 
 
 

recipes/common/desktop-scripts.yml

@@ -7,4 +7,4 @@ scripts:
   - disablealsastate.sh
   - disablemodemmanager.sh
   - disablenfsdaemons.sh
-  - disablesssd.sh
+  - disablesssd.sh

recipes/common/final-modules.yml

@@ -2,5 +2,4 @@ modules:
     - type: script
       scripts:
         - removeunusedrepos.sh
-        - removesuid.sh
         - regenerateinitramfs.sh

recipes/common/server-modules.yml

@@ -16,8 +16,6 @@ modules:
         - usbguard
         - firewalld
         - policycoreutils-python-utils
-      remove:
-        - sudo
         
     - type: files
       files:
@@ -30,6 +28,3 @@ modules:
       scripts:
         - excludepcsc.sh
         - setserverdefaultzone.sh
-        - setservermotd.sh
-        - removebrewjust.sh
-        - removesuid.sh