
Arraybolt3/permission hardener refactor #293

Merged


ArrayBolt3

Changes

This PR is a large-scale refactor of the entire permission-hardener script.

Previously, permission-hardener worked by scanning through a set of config files, applying the changes required by those files in "real time" as it scanned through the filesystem. This had a number of problems, mostly with undoing changes. For one, if you had a rule set to restrict the permissions on a particular executable, and then removed that rule, the next permission-hardener enable would not "fix" the executable and return it to its original permissions. For two, permission-hardener disable was unreliable because different paths pointing at the same file might have different "original" permissions. For instance, if a policy applies to /usr/bin/sudo and /bin/sudo, permission-hardener would save /usr/bin/sudo's original permissions, and change the permissions to match the policy. Then, when permission-hardener got around to /bin/sudo, it would save its "original" permissions again, unintentionally saving the permissions that it applied to /usr/bin/sudo. This meant that the same file would end up with two sets of "original" permissions, which of course confused permission-hardener remove quite badly.

In order to fix these issues and hopefully dodge any further edge cases that might be lurking, I changed the architecture of permission-hardener entirely.

  • There are now four distinct data "areas" that are handled by permission-hardener - the configuration, the policy, the state, and the filesystem state.
    • The configuration is defined by the config files under /usr/lib/permission-hardener.d and other config directories.
    • The policy is the concrete "this file should be owned by this user and this group and have these permissions" results calculated from the configuration.
    • The state is the original user, group, and permissions for each file that the policy has ever had an effect on during any run of permission-hardener.
    • The filesystem state is the actual user, group, and permissions set on each file.

The basic idea behind the new architecture is to first calculate the policy and state, then apply the policy to the state, then ensure that the filesystem state matches the calculated policy-enhanced state. In this way, if the policy changes so that it no longer modifies the permissions of a file that it used to modify, the original permissions will "show through", and be restored on the next permission-hardener enable run. By carefully maintaining the state separately from the policy and ensuring no non-original permissions end up in the state, the policy can change however the user wants it to, and permission-hardener will ensure that the state described by the policy is the state applied to the filesystem. One need not worry that configuration changes will end up "piling up" and resulting in an inconsistent filesystem state.

While the new permission-hardener obviously does not behave identically to the old one (most notably because it cleans up after itself when configured rules are removed), I have been careful to preserve the way in which the configuration is interpreted. This means that if the old permission-hardener would have applied a particular configuration to a "clean" filesystem in a particular way, the new permission-hardener should apply the same configuration to the same filesystem in the same way. I also wrote the script to use mostly the same state format as the original permission-hardener, although I did away with the need for the private/passwd and private/group files by using Bash regex matching instead of grep.

To test that the behavior of the new permission-hardener is correct, I created a Python script named statall.py that basically captures a snapshot of the system's current file ownership and permissions state. The script is as follows:

import os
import stat

# Top-level paths to walk. Subdirectories are appended to this list as they are
# discovered, so the list doubles as a breadth-first work queue.
stat_list = [ '/bin', '/boot', '/etc', '/home', '/lib', '/lib64', '/media', '/mnt', '/opt', '/root', '/sbin', '/srv', '/tmp', '/usr', '/var', '/initrd.img', '/vmlinuz' ]

output_file = '/root/statall'
idx = 0
with open(output_file, "w") as f:
    while idx < len(stat_list):
        item = stat_list[idx]
        try:
            # os.stat follows symlinks, so a symlink is reported with its target's owner and mode.
            statrslt = os.stat(item)
            # One line per path: path |-| uid |-| gid |-| symbolic mode (e.g. -rwsr-xr-x)
            print("{} |-| {} |-| {} |-| {}".format(item, statrslt[stat.ST_UID], statrslt[stat.ST_GID], stat.filemode(statrslt[stat.ST_MODE])), file=f)
            # Only descend into real directories; following symlinked directories could loop forever.
            if os.path.isdir(item) and not os.path.islink(item):
                subitems = os.listdir(item)
                for subitem in subitems:
                    stat_list.append(item + '/' + subitem)
        except OSError:
            # Unreadable or vanished entries (e.g. transient files under /tmp) are skipped.
            pass
        idx += 1

To run it, use sudo python3 statall.py. It will save the results to /root/statall.

I then took a mostly clean installation of Kicksecure, and ran this script on it, extracting the /root/statall file and saving it in a safe location as kicksecure-statall-old. With that done, I then did the following sequence of steps to restore the filesystem to an unhardened state, before re-hardening it with the refactored permission-hardener:

sudo permission-hardener disable all
# /usr/bin/passwd's permissions will be messed up because of the 'multiple old permissions' bug described above, so fix it manually
sudo chmod 4755 /usr/bin/passwd
sudo cp /path/to/new/permission-hardener /usr/bin/
sudo permission-hardener enable

(Note to testers, you should probably sudo safe-rm -rf /var/lib/permission-hardener before running sudo permission-hardener enable, to get rid of potentially messed-up state that the original permission-hardener created. I didn't remember to do this, thus why I don't mention it above, but it should be done and the state files themselves should be audited in some way.)

With that done, I captured another snapshot of the system's permissions state using statall.py, and copied the results to a file named kicksecure-statall-new. I then compared the files using Meld. Aside from some temp files and files that didn't have anything to do with the permission hardener policy, the resulting snapshots were identical. (I did have quite a few reboots and snapshot restores in between capturing the old and new statall files, since my initial iterations of permission-hardener were buggy.) These are the files produced:

kicksecure-statall-old.txt

kicksecure-statall-new.txt

One situation that would be good to test in that I haven't tested yet is this: Undo all of the original permission-hardener's changes, wipe the old permission-hardener state, and then take a statall snapshot. Then, using the new permission-hardener, harden the filesystem with sudo permission-hardener enable, and then unharden it with sudo permission-hardener disable all. Then take another statall snapshot and compare them. Are they basically identical, or are there worrying discrepancies with files like /usr/bin/sudo or /usr/bin/passwd? I'll probably test this myself soon.

I've tested this code in a variety of situations and expect it to behave mostly correctly, but due to the scope and scale of the changes made I don't expect it to be perfect. Other than the ever-present risk of bugs, there's probably room for some hardening, and while I tried to optimize the script some, there may be room for speed improvements (which would be welcome since both the old and new scripts are kind of slow).

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it
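The policy/state/filesystem split described in the PR body above, and the "two sets of original permissions" problem it fixes, modelled as an added Python example that is not the project's own code: the alias table, sample paths and most modes are constructed, and the legacy functions are a simplified model of the old scan-and-apply behaviour rather than the old script.

```python
"""Toy model of the refactored permission-hardener data flow (added example).

Not code from the security-misc project. It models the three data areas in
memory (policy computed from config, saved-original state, filesystem state)
and contrasts the legacy "apply while scanning" approach, which could record
two conflicting "original" entries for one file reachable under two names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Perms:
    user: str
    group: str
    mode: int  # permission bits including setuid/setgid, e.g. 0o4755


# Constructed alias table standing in for os.path.realpath(): on a merged-/usr
# system /bin is a symlink to /usr/bin, so both names refer to one inode.
ALIASES = {"/bin/passwd": "/usr/bin/passwd", "/bin/sudo": "/usr/bin/sudo"}


def canonical(path):
    return ALIASES.get(path, path)


# ---- legacy behaviour (simplified model of the bug the PR describes) -------

def legacy_enable(rules, state, fs):
    """Save 'original' perms and apply each rule as it is encountered.

    rules: list of (path, Perms) in config order. state is keyed by the raw
    rule path, so two names for one file get two entries, and the second
    entry records perms that the first rule already changed."""
    for path, perms in rules:
        real = canonical(path)
        state.setdefault(path, fs[real])   # may already be non-original
        fs[real] = perms


def legacy_disable(state, fs):
    """Restore saved entries in the order they were saved. With two entries
    for one file the last one applied wins, so the file can stay hardened."""
    for path, perms in state.items():
        fs[canonical(path)] = perms
    state.clear()


# ---- refactored behaviour --------------------------------------------------

def build_policy(rules):
    """Config -> policy: one concrete Perms per canonical path."""
    return {canonical(path): perms for path, perms in rules}


def compute_state(policy, state, fs):
    """Extend the saved-original state with files the policy newly touches.

    Runs before anything is applied and never overwrites an existing entry,
    so only genuinely original perms ever enter the state."""
    new_state = dict(state)
    for real in policy:
        new_state.setdefault(real, fs[real])
    return new_state


def enforce(target, fs):
    """Make fs match target; return the paths that had to be changed."""
    changed = []
    for real, perms in target.items():
        if fs.get(real) != perms:
            fs[real] = perms
            changed.append(real)
    return changed


def enable(rules, state, fs):
    """Policy and state first, then policy overlaid on state, then the
    filesystem made to match. A file whose rule was removed is absent from
    the policy, so its saved original 'shows through' and is restored."""
    policy = build_policy(rules)
    new_state = compute_state(policy, state, fs)
    target = dict(new_state)
    target.update(policy)
    return new_state, enforce(target, fs)


def disable_all(state, fs):
    """Restore every file in the state to its saved original perms."""
    return enforce(state, fs)


def demo():
    """Constructed scenario: passwd starts setuid root (4755) and a rule sets
    it to 744 under both of its names (the mode seen in the PR's log)."""
    rules = [("/usr/bin/passwd", Perms("root", "root", 0o744)),
             ("/bin/passwd", Perms("root", "root", 0o744))]
    # legacy: two 'originals' are saved and disable leaves passwd at 744
    fs, state = {"/usr/bin/passwd": Perms("root", "root", 0o4755)}, {}
    legacy_enable(rules, state, fs)
    saved = {p: s.mode for p, s in state.items()}
    legacy_disable(state, fs)
    legacy_after = fs["/usr/bin/passwd"].mode
    # refactored: one canonical state entry; dropping the rule restores 4755
    fs = {"/usr/bin/passwd": Perms("root", "root", 0o4755)}
    state, _ = enable(rules, {}, fs)
    hardened = fs["/usr/bin/passwd"].mode
    state, restored = enable([], state, fs)      # rule removed from config
    return saved, legacy_after, state, hardened, restored, fs["/usr/bin/passwd"].mode


if __name__ == "__main__":
    print(demo())
```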

@ben-grande ben-grande left a comment


Thank you for this work. Seems good, haven't tested yet but will later.
Left some comments, all appear to be minor issues.

@ben-grande

I did create the statall before and after the recommended commands. Here is the output on sys-whonix (Qubes):

% diff statall.prev statall.new      
254a255
> /tmp/systemd-private-27364e1427a84d29a29e800d5b4d62bf-man-db.service-cCMJJH |-| 0 |-| 0 |-| drwx------
1106a1108
> /tmp/systemd-private-27364e1427a84d29a29e800d5b4d62bf-man-db.service-cCMJJH/tmp |-| 0 |-| 0 |-| drwxrwxrwt
2081c2083
< /usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/wall |-| 0 |-| 5 |-| -rwxr--r--
2454c2456
< /usr/bin/write |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/write |-| 0 |-| 5 |-| -rwxr--r--
3214a3217
> /var/tmp/systemd-private-27364e1427a84d29a29e800d5b4d62bf-man-db.service-4HCTEC |-| 0 |-| 0 |-| drwx------

Besides the cache junk, do you know why wall and write differ?

Your output:


@ArrayBolt3

@ben-grande I really don't know what's going on with wall. If I were to guess, you probably have something in your state directory that is affecting the permissions there separately from the policies in /usr/lib/permission-hardener.d, but I will double-check and see if I can reproduce. I might have introduced a bug with one of the recent changes (although wall would be a rather weird executable to be hit by a string matching bug...).

@adrelanos

There's merge conflict.

@ArrayBolt3

@adrelanos Will fix after I finish verifying the behavior on Whonix.

@ArrayBolt3

@ben-grande Could you try again with a freshly created Whonix 17.2.8.5 VM pair? I can't reproduce this under Whonix-Gateway or Whonix-Workstation on my end, and I just deleted my old Whonix VMs and imported the OVA into VirtualBox again since I broke the old ones.

@ArrayBolt3

@adrelanos Merge conflict should be resolved. Not sure what Github saw wrong, I didn't even have to resolve any conflicts, I just merged master back to arraybolt3/permission-hardener-refactor and it just worked.

@ben-grande

Could you try again with a freshly created Whonix 17.2.8.5 VM pair? I can't reproduce this under Whonix-Gateway or Whonix-Workstation on my end, and I just deleted my old Whonix VMs and imported the OVA into VirtualBox again since I broke the old ones.

Sure, I can test later on OVAs but as now my available platform is Qubes, I will show the output on a fresh disposable whonix workstation:

% git checkout arraybolt3/permission-hardener-refactor 
branch 'arraybolt3/permission-hardener-refactor' set up to track 'origin/arraybolt3/permission-hardener-refactor'.
Switched to a new branch 'arraybolt3/permission-hardener-refactor'

% cd usr/bin
% sudo python3 ~/statall.py
% sudo permission-hardener disable all 
% #sudo ./permission-hardener enable
% #sudo cp /var/lib/permission-hardener/ /tmp
% mkdir /tmp/pm
% sudo cp -r /var/lib/permission-hardener/ /tmp/pm
% mv ~/statall ~/statall.prev  
% sudo ./permission-hardener enable
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 755 /bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 755 /bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 745 /bin/mount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 745 /bin/mount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /boot
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /boot
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 600 /etc/permission-hardener.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 600 /etc/permission-hardener.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /usr/lib/modules
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /usr/lib/modules
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /usr/src
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /usr/src
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 600 /etc/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 600 /etc/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.daily
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.daily
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/sudoers.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/sudoers.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.hourly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.hourly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.weekly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.weekly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.monthly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.monthly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 644 /etc/issue
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 644 /etc/issue
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 644 /etc/motd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 644 /etc/motd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root crontab 744 /usr/bin/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root crontab 744 /usr/bin/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/gpasswd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/gpasswd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root plocate 744 /usr/bin/plocate
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root plocate 744 /usr/bin/plocate
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/umount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/umount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/newgrp
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/newgrp
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root tty 744 /usr/bin/wall
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root tty 744 /usr/bin/wall
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/chfn
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/chfn
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/bin/expiry
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root shadow 744 /usr/bin/expiry
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/su
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/su
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root tty 744 /usr/bin/write
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root tty 744 /usr/bin/write
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/bin/chage
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root shadow 744 /usr/bin/chage
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/chsh
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/chsh
permission-hardener: [NOTICE]: Executing: setcap -r /bin/ping

% sudo python3 ~/statall.py
% mv ~/statall ~/statall.new 
% diff ~/statall.prev ~/statall.new
266a267
> /tmp/pm |-| 1000 |-| 1000 |-| drwxr-xr-x
1134a1136
> /home/user/statall.prev |-| 0 |-| 0 |-| -rw-r--r--
1156a1159
> /tmp/pm/permission-hardener |-| 0 |-| 0 |-| drwxr-xr-x
1495c1498
< /usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/wall |-| 0 |-| 5 |-| -rwxr--r--
2307c2310
< /usr/bin/write |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/write |-| 0 |-| 5 |-| -rwxr--r--

I still see write and wall...

% sudo permission-hardener disable all
% sudo rm -rf -- /var/lib/permission-hardener 
% sudo ./permission-hardener enable          
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 755 /bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 755 /bin/passwd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 745 /bin/mount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 745 /bin/mount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /boot
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /boot
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 600 /etc/permission-hardener.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 600 /etc/permission-hardener.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /usr/lib/modules
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /usr/lib/modules
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /usr/src
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /usr/src
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 600 /etc/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 600 /etc/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.daily
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.daily
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/sudoers.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/sudoers.d
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.hourly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.hourly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.weekly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.weekly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 700 /etc/cron.monthly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 700 /etc/cron.monthly
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 644 /etc/issue
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 644 /etc/issue
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 644 /etc/motd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 644 /etc/motd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root crontab 744 /usr/bin/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root crontab 744 /usr/bin/crontab
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/gpasswd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/gpasswd
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root plocate 744 /usr/bin/plocate
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root plocate 744 /usr/bin/plocate
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/umount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/umount
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/newgrp
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/newgrp
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root tty 744 /usr/bin/wall
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root tty 744 /usr/bin/wall
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/chfn
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/chfn
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/bin/expiry
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root shadow 744 /usr/bin/expiry
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/su
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/su
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root tty 744 /usr/bin/write
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root tty 744 /usr/bin/write
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root shadow 744 /usr/bin/chage
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root shadow 744 /usr/bin/chage
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --add --update root root 744 /usr/bin/chsh
permission-hardener: [NOTICE]: Executing: dpkg-statoverride --admindir /var/lib/permission-hardener/new_mode --add root root 744 /usr/bin/chsh
permission-hardener: [NOTICE]: Executing: setcap -r /bin/ping

% sudo python3 ~/statall.py           
% mv ~/statall ~/statall.last
% diff ~/statall.prev ~/statall.last 
266a267
> /tmp/pm |-| 1000 |-| 1000 |-| drwxr-xr-x
1125a1127
> /home/user/statall.new |-| 0 |-| 0 |-| -rw-r--r--
1134a1137
> /home/user/statall.prev |-| 0 |-| 0 |-| -rw-r--r--
1156a1160
> /tmp/pm/permission-hardener |-| 0 |-| 0 |-| drwxr-xr-x
1495c1499
< /usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/wall |-| 0 |-| 5 |-| -rwxr--r--
2307c2311
< /usr/bin/write |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/write |-| 0 |-| 5 |-| -rwxr--r--
4440a4445,4447
> /tmp/pm/permission-hardener/new_mode |-| 0 |-| 0 |-| drwxr-xr-x
> /tmp/pm/permission-hardener/existing_mode |-| 0 |-| 0 |-| drwxr-xr-x
> /tmp/pm/permission-hardener/private |-| 0 |-| 0 |-| drwxr-xr-x
11175d11181
< /var/lib/permission-hardener/private |-| 0 |-| 0 |-| drwxr-xr-x
11435a11442,11447
> /tmp/pm/permission-hardener/new_mode/statoverride |-| 0 |-| 0 |-| -rw-r--r--
> /tmp/pm/permission-hardener/new_mode/statoverride-old |-| 0 |-| 0 |-| -rw-r--r--
> /tmp/pm/permission-hardener/existing_mode/statoverride |-| 0 |-| 0 |-| -rw-r--r--
> /tmp/pm/permission-hardener/existing_mode/statoverride-old |-| 0 |-| 0 |-| -rw-r--r--
> /tmp/pm/permission-hardener/private/group |-| 0 |-| 0 |-| -rw-------
> /tmp/pm/permission-hardener/private/passwd |-| 0 |-| 0 |-| -rw-------
37686,37687d37697
< /var/lib/permission-hardener/private/group |-| 0 |-| 0 |-| -rw-------
< /var/lib/permission-hardener/private/passwd |-| 0 |-| 0 |-| -rw-------
% diff ~/statall.new ~/statall.last
1126a1127
> /home/user/statall.new |-| 0 |-| 0 |-| -rw-r--r--
11181d11181
< /var/lib/permission-hardener/private |-| 0 |-| 0 |-| drwxr-xr-x
37698,37699d37697
< /var/lib/permission-hardener/private/group |-| 0 |-| 0 |-| -rw-------
< /var/lib/permission-hardener/private/passwd |-| 0 |-| 0 |-| -rw-------

I also tried disabling with your script: sudo ./permission-hardener disable all followed by sudo ./permission-hardener enable. Then I made a new statall file. In all the iterations, including this last one, the .new and .last were similar. Only .prev (the current permission-hardener) makes the diff of wall and write.

@ArrayBolt3
Contributor Author

Ah, Qubes. I'll give it a shot there and see what happens.

@ArrayBolt3
Contributor Author

I just tried it on a whonix-workstation-17-dvm qube under Qubes OS R4.2.3, and got this:

[workstation user ~]% diff -u statall-old.txt statall-new.txt
--- statall-old.txt	2025-01-05 18:27:04.472867028 +0000
+++ statall-new.txt	2025-01-05 18:28:07.826862823 +0000
@@ -238,7 +238,7 @@
 /etc/security |-| 0 |-| 0 |-| drwxr-xr-x
 /etc/os-release |-| 0 |-| 0 |-| -rw-r--r--
 /home/user |-| 1000 |-| 1000 |-| drwx------
-/root/statall |-| 0 |-| 0 |-| -rw-r--r--
+/root/statall |-| 1000 |-| 1000 |-| -rw-r--r--
 /root/.cache |-| 0 |-| 0 |-| drwx------
 /root/.sudo_as_admin_successful |-| 0 |-| 0 |-| -rw-r--r--
 /root/.bashrc |-| 0 |-| 0 |-| -rw-r--r--
@@ -1088,6 +1088,7 @@
 /home/user/.viminfo |-| 1000 |-| 1000 |-| -rw-------
 /home/user/.cache |-| 1000 |-| 1000 |-| drwxr-xr-x
 /home/user/Videos |-| 1000 |-| 1000 |-| drwxr-xr-x
+/home/user/statall-old.txt |-| 0 |-| 0 |-| -rw-r--r--
 /home/user/Public |-| 1000 |-| 1000 |-| drwxr-xr-x
 /home/user/.bashrc |-| 1000 |-| 1000 |-| -rw-r--r--
 /home/user/.local |-| 1000 |-| 1000 |-| drwxr-xr-x

I then tried again, but I wiped the permission-hardener state directory before running sudo permission-hardener enable with the new code, and got this:

[workstation user ~]% diff -u statall-old.txt statall-new.txt 
--- statall-old.txt	2025-01-05 18:35:49.650272386 +0000
+++ statall-new.txt	2025-01-05 18:37:06.783267267 +0000
@@ -1077,6 +1077,7 @@
 /home/user/.xsession-errors |-| 1000 |-| 1000 |-| -rw-------
 /home/user/.local |-| 1000 |-| 1000 |-| drwxr-xr-x
 /home/user/security-misc |-| 1000 |-| 1000 |-| drwxr-xr-x
+/home/user/statall-old.txt |-| 1000 |-| 1000 |-| -rw-r--r--
 /home/user/.cache |-| 1000 |-| 1000 |-| drwxr-xr-x
 /home/user/Desktop |-| 1000 |-| 1000 |-| drwxr-xr-x
 /home/user/.profile |-| 1000 |-| 1000 |-| -rw-r--r--
@@ -10962,7 +10963,6 @@
 /var/lib/polkit-1/localauthority |-| 0 |-| 0 |-| drwxr-xr-x
 /var/lib/ispell/README |-| 0 |-| 0 |-| -rw-r--r--
 /var/lib/permission-hardener/existing_mode |-| 0 |-| 0 |-| drwxr-xr-x
-/var/lib/permission-hardener/private |-| 0 |-| 0 |-| drwxr-xr-x
 /var/lib/permission-hardener/new_mode |-| 0 |-| 0 |-| drwxr-xr-x
 /var/lib/sdwdate/time-replay-protection-utc-unixtime |-| 105 |-| 117 |-| -rw-r--r--
 /var/lib/sdwdate/time-replay-protection-utc-humanreadable |-| 105 |-| 117 |-| -rw-r--r--
@@ -31421,8 +31421,6 @@
 /var/lib/polkit-1/localauthority/10-vendor.d |-| 0 |-| 0 |-| drwxr-xr-x
 /var/lib/permission-hardener/existing_mode/statoverride-old |-| 0 |-| 0 |-| -rw-r--r--
 /var/lib/permission-hardener/existing_mode/statoverride |-| 0 |-| 0 |-| -rw-r--r--
-/var/lib/permission-hardener/private/group |-| 0 |-| 0 |-| -rw-------
-/var/lib/permission-hardener/private/passwd |-| 0 |-| 0 |-| -rw-------
 /var/lib/permission-hardener/new_mode/statoverride-old |-| 0 |-| 0 |-| -rw-r--r--
 /var/lib/permission-hardener/new_mode/statoverride |-| 0 |-| 0 |-| -rw-r--r--
 /var/lib/systemd/deb-systemd-helper-enabled/openvpn.service.dsh-also |-| 0 |-| 0 |-| -rw-r--r--
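Review bot: the only removals in this hunk are /var/lib/permission-hardener/private/group and private/passwd, while the existing_mode and new_mode statoverride files on the surrounding context lines are still present; no mode or ownership change for any binary appears here, so on its own the hunk shows only that the private/ copies were not recreated after the state directory was wiped, not whether write or wall were touched.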

I still don't seem to be seeing write or wall appearing.

Could you share the contents of your /usr/lib/permission-hardener.d, /etc/permission-hardener.d if it exists, and also /var/lib/permission-hardener, assuming there's no sensitive info in any of those?

adrelanos added a commit to Kicksecure/helper-scripts that referenced this pull request Jan 6, 2025
@adrelanos
Member

  • Tested in Qubes App Qube without cleaning state folder.
  • No additional non-default configuration files.

diff after first run.

diff ~/statall-old ~/statall-new
2301c2301
< /usr/lib/modules |-| 0 |-| 0 |-| drwx------
---
> /usr/lib/modules |-| 0 |-| 0 |-| drwxr-xr-x
2600c2600
< /usr/sbin/pppd |-| 0 |-| 30 |-| -rwxr--r--
---
> /usr/sbin/pppd |-| 0 |-| 30 |-| -rwsr-xr--
3387c3387
< /usr/bin/newgidmap |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/newgidmap |-| 0 |-| 0 |-| -rwsr-xr-x
3522c3522
< /usr/bin/crontab |-| 0 |-| 101 |-| -rwxr--r--
---
> /usr/bin/crontab |-| 0 |-| 101 |-| -rwxr-sr-x
3785c3785
< /usr/bin/newuidmap |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/newuidmap |-| 0 |-| 0 |-| -rwsr-xr-x
4010c4010
< /usr/bin/chfn |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/chfn |-| 0 |-| 0 |-| -rwsr-xr-x
4112c4112
< /usr/bin/su |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/su |-| 0 |-| 0 |-| -rwsr-xr-x
4401c4401
< /usr/bin/chage |-| 0 |-| 42 |-| -rwxr--r--
---
> /usr/bin/chage |-| 0 |-| 42 |-| -rwxr-sr-x
4488c4488
< /usr/bin/write |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/write |-| 0 |-| 5 |-| -rwxr-sr-x
4490c4490
< /usr/bin/newgrp |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/newgrp |-| 0 |-| 0 |-| -rwsr-xr-x
4516c4516
< /usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/wall |-| 0 |-| 5 |-| -rwxr-sr-x
4697c4697
< /usr/bin/sg |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/sg |-| 0 |-| 0 |-| -rwsr-xr-x
4930c4930
< /usr/bin/dotlockfile |-| 0 |-| 8 |-| -rwxr--r--
---
> /usr/bin/dotlockfile |-| 0 |-| 8 |-| -rwxr-sr-x
5083c5083
< /usr/bin/chsh |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/chsh |-| 0 |-| 0 |-| -rwsr-xr-x
5438c5438
< /usr/bin/expiry |-| 0 |-| 42 |-| -rwxr--r--
---
> /usr/bin/expiry |-| 0 |-| 42 |-| -rwxr-sr-x
5701c5701
< /usr/bin/gpasswd |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/bin/gpasswd |-| 0 |-| 0 |-| -rwsr-xr-x
13746c13746
< /usr/lib/xorg/Xorg.wrap |-| 0 |-| 0 |-| -rwxr--r--
---
> /usr/lib/xorg/Xorg.wrap |-| 0 |-| 0 |-| -rwsr-sr-x
92873a92874

After first run, suid got re-enabled rather than stay disabled.

diff after second run.

diff ~/statall-old ~/statall-new2
1904a1905
> /home/user/statall-new2 |-| 1000 |-| 1000 |-| -rw-r-----
2301c2302
< /usr/lib/modules |-| 0 |-| 0 |-| drwx------
---
> /usr/lib/modules |-| 0 |-| 0 |-| drwxr-xr-x
4488c4489
< /usr/bin/write |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/write |-| 0 |-| 5 |-| -rwxr--r--
4516c4517
< /usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
---
> /usr/bin/wall |-| 0 |-| 5 |-| -rwxr--r--
92804a92806

  • Why do two runs lead to a better result?
  • Seems like /usr/lib/modules permissions got actually relaxed instead of hardened?
  • wall, write permissions got hardened as expected.
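The SUID flip-flop diagnosed by hand above can be checked mechanically. This is an added example, not part of the PR or of the statall.py script used in the thread: it parses two snapshots in the path |-| uid |-| gid |-| mode format, flags files whose setuid or setgid bit reappeared between runs, and separately flags files whose plain permission bits got wider (the /usr/lib/modules case); the sample lines are constructed from the diff above.

```python
"""Diff two permission snapshots in the thread's statall format and flag files
whose setuid/setgid bit came back or whose rwx bits were widened between runs.
Line format: path |-| uid |-| gid |-| mode   (mode is the ls(1)-style string)."""
from dataclasses import dataclass
from typing import Dict, List

SEP = " |-| "

# Constructed sample: a hardened baseline and the snapshot taken after one
# 'permission-hardener enable' run, modelled on the diff posted above.
OLD_SNAPSHOT = """\
/usr/lib/modules |-| 0 |-| 0 |-| drwx------
/usr/bin/su |-| 0 |-| 0 |-| -rwxr--r--
/usr/bin/chage |-| 0 |-| 42 |-| -rwxr--r--
/usr/bin/wall |-| 0 |-| 0 |-| -rwxr-xr-x
/etc/crontab |-| 0 |-| 0 |-| -rw-------
"""
NEW_SNAPSHOT = """\
/usr/lib/modules |-| 0 |-| 0 |-| drwxr-xr-x
/usr/bin/su |-| 0 |-| 0 |-| -rwsr-xr-x
/usr/bin/chage |-| 0 |-| 42 |-| -rwxr-sr-x
/usr/bin/wall |-| 0 |-| 5 |-| -rwxr-sr-x
/etc/crontab |-| 0 |-| 0 |-| -rw-------
/home/user/statall-new |-| 1000 |-| 1000 |-| -rw-r-----
"""

@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: str  # 10-character ls(1) mode string, e.g. '-rwsr-xr-x'

    @property
    def setuid(self) -> bool:
        return self.mode[3] in "sS"

    @property
    def setgid(self) -> bool:
        return self.mode[6] in "sS"

    @property
    def rwx_bits(self) -> int:
        # Plain rwx bits (0o000-0o777): 's'/'t' imply execute is set, 'S'/'T' that it is not
        bits = 0
        for i, ch in enumerate(self.mode[1:10]):
            if ch != "-" and ch not in "ST":
                bits |= 1 << (8 - i)
        return bits

def parse_snapshot(text: str) -> Dict[str, Entry]:
    """Parse snapshot text into a path -> Entry map, rejecting malformed lines."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(SEP)
        if len(fields) != 4 or len(fields[3]) != 10:
            raise ValueError(f"malformed snapshot line: {line!r}")
        path, uid, gid, mode = fields
        entries[path] = Entry(path, int(uid), int(gid), mode)
    return entries

def audit(old_text: str, new_text: str) -> Dict[str, List[str]]:
    """Compare paths present in both snapshots: report those whose setuid or
    setgid bit reappeared, and those whose plain rwx bits were widened."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    special_back: List[str] = []
    widened: List[str] = []
    for path, n in new.items():
        o = old.get(path)
        if o is None:
            continue  # new file (e.g. the snapshot itself), not a regression
        if (n.setuid and not o.setuid) or (n.setgid and not o.setgid):
            special_back.append(path)
        elif n.rwx_bits & ~o.rwx_bits:
            widened.append(path)
    return {"special_back": sorted(special_back), "widened": sorted(widened)}

if __name__ == "__main__":
    for kind, paths in audit(OLD_SNAPSHOT, NEW_SNAPSHOT).items():
        print(f"{kind}: {', '.join(paths) or 'none'}")
```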

@adrelanos
Member

Re-running sudo permission-hardener enable yet again results in re-enabling the SUIDs. Seems to be going back and forth.

@adrelanos
Member

/var/lib/permission-hardener/existing_mode/statoverride

root root 644 /etc/passwd-
root root 755 /etc/cron.monthly
root root 755 /etc/sudoers.d
root plocate 2755 /usr/bin/plocate
root root 755 /usr/bin/umount
root root 700 /usr/lib/modules
root root 644 /etc/issue.net
root root 644 /etc/group-
root root 4755 /bin/ntfs-3g
root root 755 /etc/cron.weekly
root root 644 /etc/cups/cupsd.conf
root root 644 /etc/hosts.deny
root shadow 2755 /bin/chage
root root 4755 /bin/umount
root root 644 /etc/hosts.allow
root root 700 /root
root mail 2755 /bin/dotlockfile
root root 755 /etc/cron.daily
root root 4755 /bin/chfn
root root 6755 /usr/lib/xorg/Xorg.wrap
root root 777 /etc/motd
root root 644 /etc/crontab
root root 755 /boot
root tty 2755 /bin/write
root root 755 /home
root dip 4754 /sbin/pppd
root shadow 2755 /bin/expiry
root root 4755 /bin/chsh
root root 4755 /usr/bin/ntfs-3g
root crontab 2755 /bin/crontab
root root 4755 /bin/newuidmap
root root 4755 /usr/bin/passwd
root root 644 /etc/group
root tty 2755 /bin/wall
root root 755 /bin/passwd
root root 6755 /lib/xorg/Xorg.wrap
root root 755 /etc/permission-hardener.d
root root 4755 /bin/su
root root 644 /etc/passwd
root root 755 /etc/permission-hardening.d
root root 4755 /bin/newgrp
root root 755 /usr/src
root root 745 /usr/bin/mount
root root 755 /etc/cron.hourly
root root 4755 /bin/gpasswd
root root 777 /etc/issue
root root 4755 /bin/mount
root root 4755 /bin/newgidmap
root root 755 /lib/modules
root root 755 /etc/cron.d

/var/lib/permission-hardener/new_mode/statoverride

root root 644 /etc/passwd-
root root 700 /etc/cron.monthly
root root 700 /etc/sudoers.d
root plocate 744 /usr/bin/plocate
root root 755 /usr/bin/umount
root root 700 /usr/lib/modules
root root 644 /etc/issue.net
root root 644 /etc/group-
root root 744 /bin/ntfs-3g
root root 700 /etc/cron.weekly
root root 400 /etc/cups/cupsd.conf
root root 644 /etc/hosts.deny
root shadow 744 /bin/chage
root root 755 /bin/umount
root root 644 /etc/hosts.allow
root root 700 /root
root mail 744 /bin/dotlockfile
root root 700 /etc/cron.daily
root root 744 /bin/chfn
root root 744 /usr/lib/xorg/Xorg.wrap
root root 644 /etc/motd
root root 600 /etc/crontab
root root 700 /boot
root tty 744 /bin/write
root root 755 /home
root dip 744 /sbin/pppd
root shadow 744 /bin/expiry
root root 744 /bin/chsh
root root 744 /usr/bin/ntfs-3g
root crontab 744 /bin/crontab
root root 744 /bin/newuidmap
root root 755 /usr/bin/passwd
root root 644 /etc/group
root tty 744 /bin/wall
root root 755 /bin/passwd
root root 744 /lib/xorg/Xorg.wrap
root root 600 /etc/permission-hardener.d
root root 744 /bin/su
root root 644 /etc/passwd
root root 600 /etc/permission-hardening.d
root root 744 /bin/newgrp
root root 700 /usr/src
root root 755 /usr/bin/mount
root root 700 /etc/cron.hourly
root root 744 /bin/gpasswd
root root 644 /etc/issue
root root 755 /bin/mount
root root 744 /bin/newgidmap
root root 700 /lib/modules
root root 700 /etc/cron.d
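The two databases above record, per path, the mode permission-hardener found (existing_mode) and the mode it applied (new_mode). As an added example, not code from the PR, the following parses both files, reports which special bits each override strips, and flags files recorded under several names (/bin vs /usr/bin, /lib vs /usr/lib) whose saved or target modes disagree, which is the aliasing problem the PR description describes. The merged-/usr alias table is an assumption and the sample lines are a constructed subset of the listings above.

```python
"""Audit permission-hardener's two dpkg-statoverride databases against each
other: which special bits each override strips, and where aliased paths
(/bin vs /usr/bin and so on) carry inconsistent records for one file.
statoverride line format: <user> <group> <octal mode> <path>"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed subset of the existing_mode / new_mode files posted above.
EXISTING_MODE = """\
root root 4755 /bin/umount
root root 755 /usr/bin/umount
root root 4755 /bin/su
root tty 2755 /bin/wall
root root 777 /etc/motd
root root 755 /lib/modules
root root 700 /usr/lib/modules
root root 755 /boot
"""
NEW_MODE = """\
root root 755 /bin/umount
root root 755 /usr/bin/umount
root root 744 /bin/su
root tty 744 /bin/wall
root root 644 /etc/motd
root root 700 /lib/modules
root root 700 /usr/lib/modules
root root 700 /boot
"""

# Assumption: a merged-/usr layout, where these prefixes name the same files.
ALIASES = {"/bin/": "/usr/bin/", "/sbin/": "/usr/sbin/", "/lib/": "/usr/lib/"}
SPECIAL = {0o4000: "setuid", 0o2000: "setgid", 0o6000: "setuid+setgid"}


class Override(NamedTuple):
    user: str
    group: str
    mode: int  # full numeric mode including special bits, e.g. 0o4755


def parse_statoverride(text: str) -> Dict[str, Override]:
    """Parse a dpkg-statoverride database into a path -> Override map."""
    result: Dict[str, Override] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or not re.fullmatch(r"[0-7]{3,4}", parts[2]):
            raise ValueError(f"malformed statoverride line: {raw!r}")
        user, group, mode, path = parts
        result[path] = Override(user, group, int(mode, 8))
    return result


def canonical(path: str) -> str:
    """Map an aliased path onto its /usr counterpart (identity otherwise)."""
    for short, full in ALIASES.items():
        if path.startswith(short):
            return full + path[len(short):]
    return path


def audit(existing_text: str, new_text: str) -> Dict[str, List[str]]:
    """Report which overrides strip setuid/setgid, and which files are recorded
    under several aliases whose saved or target modes disagree."""
    existing = parse_statoverride(existing_text)
    new = parse_statoverride(new_text)
    stripped: List[str] = []
    by_canon: Dict[str, List[str]] = {}
    for path, n in new.items():
        e = existing.get(path)
        if e is not None:
            lost = (e.mode & 0o6000) & ~(n.mode & 0o6000)
            if lost:
                stripped.append(f"{path}: {SPECIAL[lost]} removed ({e.mode:o} -> {n.mode:o})")
        by_canon.setdefault(canonical(path), []).append(path)
    conflicts: Set[str] = set()
    for canon, paths in by_canon.items():
        # Two names for one file must agree on both the saved and the target mode
        if len(paths) > 1 and len({(existing.get(p), new[p]) for p in paths}) > 1:
            conflicts.add(canon)
    return {"stripped": sorted(stripped), "alias_conflicts": sorted(conflicts)}
```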

@ArrayBolt3
Contributor Author

Re-running sudo permission-hardener enable yet again results in re-enabling the SUIDs. Seems to be going back and forth.

You might be using an outdated version of the code, or this might be an artifact of failing to clean the old state files; I'll double-check. I went out of my way to fix this bug, so it's surprising to see that happen.

@adrelanos
Member

If old state files can cause this issue, perhaps it would be best to discard the old state do_once during upgrade?


Pretty sure I got the correct version.

Compared with https://github.com/Kicksecure/security-misc/blob/93ebf176c5f38bd268e5394e01421e46b9ae7dff/usr/bin/permission-hardener just now.

sha512sum usr/bin/permission-hardener

1a320a5df89b287e6a20d67060f45f2deceb941cc530d6b9f8f748581b27674c230ce089d185f18f130f6687786b8499dd0bb8352a5a9ee3ed97cc19a0d3981a usr/bin/permission-hardener

I've also got the latest commit in this branch:

commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff (ArrayBolt3/arraybolt3/permission-hardener-refactor)
Author: Aaron Rainbolt redacted email address
Date:   Thu Jan 2 20:41:40 2025 -0500

    Make the main field count check in permission-hardener a bit more elegant

Seems all right.


I'll delete state files and do another test.

@ArrayBolt3
Contributor Author

@adrelanos Using the latest permission-hardener from my branch on a Kicksecure VM under KVM, I cannot reproduce this, even when using the new permission-hardener in broken ways. I think you have to have outdated code somehow. One easy way to tell for sure is to open the new permission-hardener, and search for a function called load_late_nosuid_policy. If it's absent, your code is outdated and this bug is expected. If it's present, then the bug should not occur. (It was one of the functions I created when fixing this issue.)

@adrelanos
Member

load_late_nosuid_policy is available.

load_late_nosuid_policy() {
  local target_file state_idx state_file_item state_user_owner_item \
    state_group_owner_item new_mode

  target_file="${1:-}"
  for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do
    state_file_item="${state_file_list[state_idx]}"
    check_nosuid_whitelist "${state_file_item}" || continue

    match_dir "${target_file}" "${state_file_item}" || continue

    if [ -h "${state_file_item}" ]; then
      ## https://forums.whonix.org/t/disable-suid-binaries/7706/14
      log info "Skip symlink: '${state_file_item}'"
      continue
    fi

    if [ -d "${state_file_item}" ]; then
      log info "Skip directory: '${state_file_item}'"
      continue
    fi

    state_user_owner_item="${state_user_owner_list[state_idx]}"
    state_group_owner_item="${state_group_owner_list[state_idx]}"
    new_mode='744'
    add_to_policy "${state_file_item}" "${new_mode}" \
      "${state_user_owner_item}" "${state_group_owner_item}"
  done
}
sha512sum usr/bin/permission-hardener

1a320a5df89b287e6a20d67060f45f2deceb941cc530d6b9f8f748581b27674c230ce089d185f18f130f6687786b8499dd0bb8352a5a9ee3ed97cc19a0d3981a usr/bin/permission-hardener

Does sha512sum match?

@adrelanos
Member

Should probably be merged at the same time.

@adrelanos adrelanos merged commit c4cfb85 into Kicksecure:master Jan 10, 2025
@ArrayBolt3 ArrayBolt3 deleted the arraybolt3/permission-hardener-refactor branch January 12, 2025 18:05