Enable umask hardening #282

Open
wants to merge 1 commit into
base: master
14 changes: 9 additions & 5 deletions README.md
@@ -46,7 +46,7 @@ Kernel space:

- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.

- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
(when using Linux kernel >= 6.2) limit the number of allowed panics to one.

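Review bot: no textual change is visible in this hunk in the rendered view (the kernel-panic paragraph reads identically before and after), so this is presumably a whitespace-only edit; it is unrelated to the umask change the PR title describes and would be cleaner dropped from this commit so the diff stays focused on the umask work.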
@@ -573,9 +573,7 @@ See:
#### umask

Default `umask` is set to `027` for files created by non-root users such as
user `user`. Broken. Disabled. See:

* https://github.com/Kicksecure/security-misc/issues/184
user `user`.

This is done using the PAM module `pam_mkhomedir.so umask=027`.

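Review bot: the unchanged context line "This is done using the PAM module `pam_mkhomedir.so umask=027`." no longer matches the implementation, since the new `usr/share/pam-configs/umask-security-misc` file in this PR uses `pam_umask.so umask=027`; update that sentence to name `pam_umask.so` (and mention the `sudoers` override) so the README describes what the package actually ships. Also, the hunk drops the "Broken. Disabled." note and the link to https://github.com/Kicksecure/security-misc/issues/184 without saying what fixed the earlier breakage; keeping the issue link as a "See:" reference would let readers find the history.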
@@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups

Default `umask` is unchanged for root because then configuration files created
in `/etc` by the system administrator would be unreadable by "others" and break
applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`.
applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The
`umask` is also set to 022 via `sudoers` configuration, so that files created
as root are world-readable even when using commands such as `sudo vi
/etc/file` or `sudo -i; touch /etc/file`.

`umask` is set to 022 rather than 027 when using `sudo`, so that commands such
as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file`

See:

5 changes: 5 additions & 0 deletions etc/sudoers.d/security-misc
@@ -3,3 +3,8 @@

user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops

## Use a more open umask when executing commands with sudo
## Can be overridden on a per-user basis using .[z]profile if desirable
Defaults umask_override
Defaults umask=0022
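Review bot: the comment "Can be overridden on a per-user basis using .[z]profile if desirable" is misleading given `Defaults umask_override`: with that option sudo applies the sudoers umask verbatim instead of the union of the caller's umask and the sudoers value, so a user who deliberately set a stricter umask (say `077`) in their own shell profile still gets `0022` for every `sudo command`, and a plain `sudo command` never reads any `.profile` at all. Only a login shell started with `sudo -i` would pick up a umask from root's startup files. Reword the comment to say that the sudoers value replaces the invoking user's umask, and if a per-user opt-out is really intended, note that it has to be a sudoers `Defaults:user umask=...` entry rather than a shell profile.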
8 changes: 8 additions & 0 deletions usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,8 @@
Name: Restrict umask to 027 (by package security-misc)
Default: yes
Priority: 100
Session-Type: Additional
Session-Interactive-Only: yes
Session:
[success=1 default=ignore] pam_succeed_if.so uid eq 0
optional pam_umask.so umask=027
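Review bot: `Session-Interactive-Only: yes` means pam-auth-update places this stanza in `common-session` only, not `common-session-noninteractive`, so the `027` umask applies to interactive logins but not to non-interactive sessions of non-root users (cron jobs, services started through PAM with `session` but no TTY); that scoping is fine if intended, but it should be stated in the README next to the "non-root users" claim. Two smaller points: `[success=1 default=ignore] pam_succeed_if.so uid eq 0` will log a "requirement uid eq 0 not met" message for every non-root interactive login unless `quiet_fail` (or `quiet`) is added, and `optional` on `pam_umask.so` means a missing or failing module is silent, so a quick `umask` check in a fresh non-root login is worth adding to the package's test instructions.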