From b53b92cb0d21ca137b340c3d9a47a53d6cb00c45 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 19 Oct 2016 18:09:30 +0200 Subject: blacklisted common suid programms --- etc/disable-common.inc | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'etc/disable-common.inc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..506d4e258 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -172,3 +172,29 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd + +# disable common suid programms +blacklist ${PATH}/firejail +blacklist ${PATH}/sudo +blacklist ${PATH}/su +blacklist ${PATH}/mount +blacklist ${PATH}/umount +blacklist ${PATH}/fusermount +blacklist ${PATH}/passwd +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/rsh +blacklist ${PATH}/rlogin +blacklist ${PATH}/rcp +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/ping +blacklist ${PATH}/unix_chkpwd -- cgit v1.2.3-70-g09d2 From 287dc95bac1abce140459a7ecd0213833626b800 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 20 Oct 2016 15:47:34 +0200 Subject: removed blacklist duplate --- etc/disable-common.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'etc/disable-common.inc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 506d4e258..19a23d764 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -138,11 +138,11 @@ blacklist /etc/ssh blacklist /var/backup # system management -blacklist ${PATH}/umount -blacklist ${PATH}/mount -blacklist ${PATH}/fusermount -blacklist ${PATH}/su -blacklist ${PATH}/sudo +# blacklist ${PATH}/umount +# blacklist ${PATH}/mount +# blacklist ${PATH}/fusermount +# blacklist ${PATH}/su +# blacklist ${PATH}/sudo blacklist ${PATH}/xinput blacklist ${PATH}/evtest blacklist ${PATH}/xev -- cgit v1.2.3-70-g09d2 From 3b8453d5301608386d9a933c0862e5e049c4879e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 24 Oct 2016 15:21:41 -0500 Subject: blacklisted kernel files --- etc/disable-common.inc | 4 ++++ etc/spotify.profile | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'etc/disable-common.inc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..29de8cca9 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd + +# kernel files +blacklist /vmlinuz* +blacklist /initrd* diff --git a/etc/spotify.profile b/etc/spotify.profile index 24e5c1023..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -41,7 +41,3 @@ blacklist /sbin blacklist /srv blacklist /sys blacklist /var -blacklist /initrd.img -blacklist /initrd.img.old -blacklist /vmlinuz -blacklist /vmlinuz.old -- cgit v1.2.3-70-g09d2 From b588020b4540480fdd3aaa11da8bd472b2dfdb60 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 25 Oct 2016 12:26:17 -0400 Subject: fixes --- README | 2 ++ etc/disable-common.inc | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) (limited to 'etc/disable-common.inc') diff --git a/README b/README index f4fd52666..6ed82907f 100644 --- a/README +++ b/README @@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich) - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) + - lots of profile fixes - added Vivaldi, Atril profiles - added PaleMoon profile - split Icedove and Thunderbird profiles @@ -83,6 +84,7 @@ valoq (https://github.com/valoq) - cherrytree profile fixes - added support for /srv in --whitelist feature - Eye of GNOME and Evolution profiles + - blacklist suid binaries in disable-common.inc Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 29de8cca9..3c0b2160c 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -137,6 +137,11 @@ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +# system directories +blacklist /sbin +blacklist /usr/sbin +blacklist /usr/local/sbin + # system management blacklist ${PATH}/umount blacklist ${PATH}/mount @@ -149,11 +154,23 @@ blacklist ${PATH}/xev blacklist ${PATH}/strace blacklist ${PATH}/nc blacklist ${PATH}/ncat - -# system directories -blacklist /sbin -blacklist /usr/sbin -blacklist /usr/local/sbin +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/rsh +blacklist ${PATH}/rlogin +blacklist ${PATH}/rcp +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/ping +blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* -- cgit v1.2.3-70-g09d2 From 834da29e4c467ca074209b51effef38f8a238e84 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 26 Oct 2016 09:15:50 -0400 Subject: removed ping blacklisting --- etc/disable-common.inc | 1 - 1 file changed, 1 deletion(-) (limited to 'etc/disable-common.inc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3c0b2160c..848513454 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -169,7 +169,6 @@ blacklist ${PATH}/chsh blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry -blacklist ${PATH}/ping blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session -- cgit v1.2.3-70-g09d2 From ef0b9705614d061f6e974155fa1799964bc313ee Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 26 Oct 2016 18:10:30 +0200 Subject: minor fixes --- etc/disable-common.inc | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'etc/disable-common.inc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 82398473d..38a8b86d6 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -1,6 +1,7 @@ # History files in $HOME blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.*_history +blacklist-nolog ${HOME}/.bash_history blacklist ${HOME}/.local/share/systemd blacklist-nolog ${HOME}/.adobe blacklist-nolog ${HOME}/.macromedia @@ -23,6 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment blacklist ${HOME}/.gnomerc blacklist /etc/X11/Xsession.d/ +blacklist ${HOME}/.xpra # VirtualBox blacklist ${HOME}/.VirtualBox @@ -96,9 +98,6 @@ read-only ${HOME}/.emacs.d read-only ${HOME}/.nano read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc -read-only ${HOME}/.muttrc -read-only ${HOME}/.mutt/muttrc -read-only ${HOME}/.msmtprc read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver @@ -143,11 +142,11 @@ blacklist /usr/sbin blacklist /usr/local/sbin # system management -# blacklist ${PATH}/umount -# blacklist ${PATH}/mount -# blacklist ${PATH}/fusermount -# blacklist ${PATH}/su -# blacklist ${PATH}/sudo +blacklist ${PATH}/umount +blacklist ${PATH}/mount +blacklist ${PATH}/fusermount +blacklist ${PATH}/su +blacklist ${PATH}/sudo blacklist ${PATH}/xinput blacklist ${PATH}/evtest blacklist ${PATH}/xev -- cgit v1.2.3-70-g09d2