Re: making Debian secure by default
Hi,
On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> I just saw this advisory
> Escape sequence injection in util-linux wall (CVE-2024-28085)
> https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users' sudo password.
It doesn't work by default on Debian as it relies on
command-not-found automatically running on the user's input.
command-not-found can be installed, however…
> oof. Are there instructions somewhere on how to make Debian secure by default?
Between the fact that "secure" means different things to different
people and that this advisory was only released a few hours ago, I
don't think you can reasonably expect documentation to already be
published for your standard of "secure".
There is a general push to get rid of setuid/setgid binaries. A lot
of "hardening" guides will suggest looking for setuid/setgid
binaries and deciding if you really need them.
As you've never heard of "mesg" and probably don't use "wall" I
doubt you will have any issues chmod 0 /usr/bin/wall and then
setting it immutable¹ with chattr +i.
You could put a call to "mesg n" into a file in /etc/profile.d so
that all users execute it.
Thanks,
Andy
¹ The next update of bsdutils will complain it can't write that file.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
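
The checks suggested in the message above, as an added example that is not part of the original message: a read-only audit that lists setuid/setgid files, reports whether /usr/bin/wall has been disabled and made immutable, and looks for a "mesg n" call in /etc/profile.d. The function names, the `--audit` switch and the optional root-prefix argument are assumptions made for this sketch; it relies on GNU `stat` and on `lsattr` from e2fsprogs.

```shell
# Added example: read-only checks; function names and arguments are assumptions.

# Print "MODE PATH" for every setuid or setgid regular file under the given dirs.
list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort -k2
}

# Classify a binary: absent, disabled (mode 0), setid (setuid/setgid), or plain.
binary_state() {
    [ -e "$1" ] || { echo absent; return 0; }
    if [ "$(stat -c '%a' "$1")" = 0 ]; then
        echo disabled
    elif [ -u "$1" ] || [ -g "$1" ]; then
        echo setid
    else
        echo plain
    fi
}

# Succeed if the immutable attribute is set (needs root to read a mode-0 file).
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Succeed if a *.sh file in the directory runs "mesg n".
# Debian's /etc/profile only sources profile.d files ending in .sh.
mesg_n_configured() {
    grep -Eqs '^[[:space:]]*mesg[[:space:]]+n([[:space:]]|$)' "$1"/*.sh
}

# Report on a filesystem tree; pass a prefix to audit a mounted image or chroot.
audit() {
    root=${1:-}
    wall=$root/usr/bin/wall
    state=$(binary_state "$wall")
    if is_immutable "$wall"; then state="$state, immutable"; fi
    echo "wall: $state"
    if mesg_n_configured "$root/etc/profile.d"; then m=yes; else m=no; fi
    echo "mesg n in profile.d: $m"
    echo "setuid/setgid files:"
    list_setid "$root/"
}

# Run only when asked, e.g.: sh audit.sh --audit   (whole system, as root)
if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```
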