
#!/usr/bin/env bash
# Abort the image build on the first failing command, on any unset variable,
# and on any failure inside a pipeline (the find | while loops below rely on
# the last one so a failing find is not silently ignored).
set -euo pipefail
# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
# Files that keep their SUID/SGID bit. Entries are compared by exact string
# equality against the paths that find prints, so each one must be the full,
# literal path as it exists in the image (no globs, no symlinks) — which is why
# every glibc-hwcaps variant is spelled out on its own line.
whitelist=()
# https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
whitelist+=("/usr/lib/polkit-1/polkit-agent-helper-1")
# Needed for flatpak on no-userns images
whitelist+=("/usr/bin/bwrap")
# Required for chrome suid sandbox on no-userns images
whitelist+=("/usr/lib64/chromium-browser/chrome-sandbox")
# https://github.com/secureblue/secureblue/issues/119
# Required for hardened_malloc to be used by suid-root processes
whitelist+=(
  "/usr/lib64/libhardened_malloc-light.so"
  "/usr/lib64/libhardened_malloc-pkey.so"
  "/usr/lib64/libhardened_malloc.so"
)
whitelist+=(
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
)
whitelist+=(
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
)
whitelist+=(
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
)
whitelist+=(
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
)
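#######################################
# Check whether a path is on the SUID/SGID whitelist.
# The match is an exact, literal string comparison against the path as find
# prints it: no globbing, no symlink resolution, no normalisation. A path
# spelled differently from its whitelist entry is treated as NOT whitelisted
# (fail closed: its bit gets stripped).
# Globals:   whitelist (read)
# Arguments: $1 - absolute path to test
# Returns:   0 if the path is whitelisted, 1 otherwise
#######################################
is_in_whitelist() {
  local binary="$1"
  # Declared local so the loop variable does not leak into the global scope.
  local allowed_binary
  for allowed_binary in "${whitelist[@]}"; do
    # Quoted RHS: compared as a literal string, not as a pattern.
    if [[ "$binary" == "$allowed_binary" ]]; then
      return 0
    fi
  done
  return 1
}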
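#######################################
# Strip one special-mode bit from every regular file under /usr that carries
# it and is not on the whitelist.
# Globals:   whitelist (read, via is_in_whitelist)
# Arguments: $1 - find -perm mask of the bit (4000 = SUID, 2000 = SGID)
#            $2 - chmod symbolic mode that clears it (u-s or g-s)
#            $3 - label used in the log lines (SUID or SGID)
# Outputs:   one "Removing ..." and one "Removed ..." line per file on stdout
# Returns:   non-zero if find or any chmod fails
#######################################
strip_special_bit() {
  local perm_mask="$1"
  local chmod_mode="$2"
  local label="$3"
  local binary
  # NUL-delimited so a path containing a newline cannot be split into two
  # bogus paths, which would leave the real file's bit in place.
  # The find | while pipeline is kept deliberately: with pipefail set, a
  # failing find aborts the build instead of silently skipping part of /usr.
  find /usr -type f -perm "/${perm_mask}" -print0 |
  while IFS= read -r -d '' binary; do
    if ! is_in_whitelist "$binary"; then
      # printf rather than echo so a path starting with '-' is printed as-is.
      printf 'Removing %s bit from %s\n' "$label" "$binary"
      chmod "$chmod_mode" -- "$binary"
      printf 'Removed %s bit from %s\n' "$label" "$binary"
    fi
  done
}
strip_special_bit 4000 u-s SUID
strip_special_bit 2000 g-s SGID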
# These four are deleted outright rather than merely losing their SUID bit
# above; -f keeps the build going on images where one of them is absent.
removed_binaries=(
  /usr/bin/chsh
  /usr/bin/pkexec
  /usr/bin/sudo
  /usr/bin/su
)
for removed_binary in "${removed_binaries[@]}"; do
  rm -f -- "$removed_binary"
done
# NOTE(review): judging by its name this unit restores file capabilities on
# the binaries that lost their SUID bit — confirm against the unit file.
systemctl enable setcapsforunsuidbinaries.service