## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-root-access/7658/116 ## This restricts the file permissions of the 'sudo' executable so that a vulnerability ## in the program will not be exploitable by any users not in the "sysmaint" group. 'sudo' ## is a very complex program and is 'setuid' so vulnerabilities in it can allow privilege ## escalation, regardless of other root access restrictions. For example, the following ## buffer overflow vulnerability could have been exploited by any user on the system: ## https://www.openwall.com/lists/oss-security/2021/01/26/3 ## With this restriction, only users explicitly permitted to use 'sysmaint' by being added to ## the "sysmaint" group could exploit such vulnerabilities. For example, this would prevent a ## compromised network-facing daemon (such as web servers, time synchronization daemons, ## etc.) running as its own user from exploiting 'sudo' to escalate privileges. /usr/bin/sudo 4750 root sysmaint /usr/bin/pkexec 4750 root sysmaint /usr/bin/su-to-root 4750 root sysmaint ## '/usr/lib/policykit-1/polkit-agent-helper-1' ## - is a symlink to: '../polkit-1/polkit-agent-helper-1' ## - real path is: '/usr/lib/polkit-1/polkit-agent-helper-1' ## ## See also: ## /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf /usr/lib/polkit-1/polkit-agent-helper-1 4750 root sysmaint ## 'su' is already handled by permission-hardener default. ## 'su' does not have a whitelist entry by permission-hardener default. ## As a result... ## ## chmod-calc /usr/bin/su ## ## Owner: root ## Group: root ## Octal Permissions: 744 ## ... ## Category Read Write Execute ## Owner Yes Yes Yes ## Group Yes No No ## Public Yes No No ## ## In summary: ## - 'su' is no longer SUID. ## - Group and public lack permission to execute it. ## - Therefore 'su' does not require a special mention in this file. ## ## In case you need to use 'su,' see also: ## https://www.kicksecure.com/wiki/root#su