
#!/usr/bin/env bash
# Copied from The Secureblue Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
# Fail fast: abort on any unhandled error, on an unset variable, and on a
# failed stage inside the find | while pipelines below.
set -euo pipefail
# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
# Exact paths that keep their SUID/SGID bit; everything else under /usr
# found by the passes below has the bit cleared. Matched literally by
# is_in_whitelist, so entries must be full paths, not patterns.
whitelist=()

# qrexec binaries: allowlisted so qubes templates (hopefully) don't break.
# It is unclear why they are duplicated in /usr/bin and /usr/sbin.
whitelist+=(
  "/usr/bin/qfile-unpacker"
  "/usr/sbin/qfile-unpacker"
  "/usr/lib/qubes/qfile-unpacker"
  "/usr/bin/qrexec-client-vm"
  "/usr/sbin/qrexec-client-vm"
  "/usr/bin/qrexec-fork-server"
  "/usr/sbin/qrexec-fork-server"
  "/usr/bin/qrexec-legacy-convert"
  "/usr/sbin/qrexec-legacy-convert"
  "/usr/bin/qrexec-policy"
  "/usr/sbin/qrexec-policy"
  "/usr/bin/qrexec-policy-agent"
  "/usr/sbin/qrexec-policy-agent"
  "/usr/bin/qrexec-policy-daemon"
  "/usr/sbin/qrexec-policy-daemon"
  "/usr/bin/qrexec-policy-exec"
  "/usr/sbin/qrexec-policy-exec"
  "/usr/bin/qrexec-policy-graph"
  "/usr/sbin/qrexec-policy-graph"
  "/usr/bin/qrexec-policy-restore"
  "/usr/sbin/qrexec-policy-restore"
)

# Required for nvidia closed driver images
whitelist+=("/usr/bin/nvidia-modprobe")

# https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
whitelist+=("/usr/lib/polkit-1/polkit-agent-helper-1")

# https://github.com/secureblue/secureblue/issues/119
# Required for hardened_malloc to be used by suid-root processes. These are
# shared objects, not executables; the bit is kept on every hwcaps variant
# so whichever copy the loader picks is covered.
whitelist+=(
  "/usr/lib64/libhardened_malloc-light.so"
  "/usr/lib64/libhardened_malloc-pkey.so"
  "/usr/lib64/libhardened_malloc.so"
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
  "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
)
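#######################################
# Test whether a path is exempt from SUID/SGID stripping.
# Globals:   whitelist (read) - array of exact paths to leave untouched
# Arguments: $1 - absolute path as printed by find
# Returns:   0 if the path is listed, 1 otherwise
#######################################
is_in_whitelist() {
  local binary="$1"
  # Declared local: the original let the loop variable leak into the
  # global scope on every call.
  local allowed_binary
  for allowed_binary in "${whitelist[@]}"; do
    # Quoted right-hand side: a literal comparison, never a glob match.
    if [[ "$binary" == "$allowed_binary" ]]; then
      return 0
    fi
  done
  return 1
}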
# Lock root's password so the account cannot be entered with a password;
# the su/sudo binaries that would switch to it are deleted further down.
passwd -l root
# NOTE(review): dnf is invoked without -y, so a non-interactive run (e.g. an
# image build with no tty) may stop at the confirmation prompt and, under
# set -e, abort the whole script — confirm against how the playbook runs it.
dnf remove sudo-python-plugin
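#######################################
# Clear one special-permission bit from every regular file under /usr whose
# path is not in the whitelist.
# Globals:   whitelist (read, via is_in_whitelist)
# Arguments: $1 - label for log lines, "SUID" or "SGID"
#            $2 - find -perm mask selecting files with that bit, e.g. /4000
#            $3 - symbolic chmod change that clears it, e.g. u-s
# Outputs:   one "Removing"/"Removed" line per changed file on stdout
# Returns:   non-zero (aborting under set -e) if find or chmod fails
#######################################
strip_special_bit() {
  local label="$1"
  local perm_mask="$2"
  local chmod_change="$3"
  local binary
  # -print0 / read -d '': a path containing a newline is handled as a single
  # entry instead of being split into fragments that can never match the
  # whitelist. Kept as a pipeline so pipefail still surfaces a find failure.
  # Paths all start with /usr, so no leading-dash guard is needed for chmod.
  find /usr -type f -perm "$perm_mask" -print0 |
    while IFS= read -r -d '' binary; do
      if ! is_in_whitelist "$binary"; then
        printf 'Removing %s bit from %s\n' "$label" "$binary"
        chmod "$chmod_change" "$binary"
        printf 'Removed %s bit from %s\n' "$label" "$binary"
      fi
    done
}
# Both passes share the same exemption list via is_in_whitelist.
strip_special_bit SUID /4000 u-s
strip_special_bit SGID /2000 g-s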
# Delete these setuid utilities outright instead of merely clearing their
# SUID bit (which the passes above have already done). Each is removed with
# its own rm so the first real failure stops the script under set -e.
for escalation_binary in \
  /usr/bin/chsh \
  /usr/bin/chfn \
  /usr/bin/pkexec \
  /usr/bin/sudo \
  /usr/bin/su \
  /usr/bin/run0; do
  rm -f -- "$escalation_binary"
done
#######################################
# Apply file capabilities to a binary, doing nothing when it is absent.
# Arguments: $1 - capability set in setcap syntax, e.g. "cap_sys_admin=ep"
#            $2 - path to the binary
# Outputs:   before/after progress lines on stdout
# Returns:   0 when the file is absent or setcap succeeded; setcap's
#            failure aborts the script under set -e
#######################################
set_caps_if_present() {
  local caps="$1"
  local binary_path="$2"
  # The package providing the binary may simply not be installed.
  [[ -f "$binary_path" ]] || return 0
  printf 'Setting caps %s on %s\n' "$caps" "$binary_path"
  setcap "$caps" "$binary_path"
  printf 'Set caps %s on %s\n' "$caps" "$binary_path"
}
# Replace the SUID bit cleared above with the narrower file capabilities each
# tool needs: cap_dac_read_search bypasses read-permission checks and
# cap_audit_write allows writing audit records.
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
# NOTE(review): cap_sys_admin is close to full root, so the reduction versus a
# SUID fusermount3 is modest — confirm no narrower set is sufficient.
set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"