Re: making Debian secure by default
On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
>
> Hi,
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> > Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users' sudo password.
>
> It doesn't work by default on Debian as it relies on
> command-not-found automatically running on the user's input.
> command-not-found can be installed, however…
>
> > oof. Are there instructions somewhere on how to make Debian secure by default?
>
> Between the fact that "secure" means different things to different
> people and that this advisory was only released a few hours ago, I
> don't think you can reasonably expect documentation to already be
> published for your standard of "secure".
You snipped the bit from the man page about users becoming more
conscious of various security risks & removing write access by
default.
Considering how long it takes something to migrate into stable I'm
guessing that man page is pretty old. So I don't think it's
unreasonable to expect some kind of secure by default installation
option.
> There is a general push to get rid of setuid/setgid binaries. A lot
> of "hardening" guides will suggest looking for setuid/setgid
> binaries and deciding if you really need them.
The problem with that is how many users are knowledgeable enough to
know if something is necessary or not?
> As you've never heard of "mesg" and probably don't use "wall" I
> doubt you will have any issues chmod 0 /usr/bin/wall and then
> setting it immutable¹ with chattr +i.
I suppose that's one way. I'd rather uninstall it.
> You could put a call to "mesg n" into a file in /etc/profile.d so
> that all users execute it.
Good idea:
$ ls -l /etc/profile.d/disable_mesg.sh
-rw-r--r-- 1 root root 383 Mar 28 00:15 /etc/profile.d/disable_mesg.sh
$ cat /etc/profile.d/disable_mesg.sh
# man mesg
# ...
# Traditionally, write access is allowed by default. However, as users
# become more conscious of various security risks, there is a trend to
# remove write access by default, at least for the primary login shell.
# To make sure your ttys are set the way you want them to be set, mesg
# should be executed in your login scripts.
/usr/bin/mesg n
Then logout / login and..
$ mesg
is n
Thanks
Lee
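
The following audit script is an added example, not part of Lee's message or the thread. It checks whether the two mitigations discussed above took effect: which ttys still have the group-write bit that "mesg y" sets, and whether wall still carries its setgid bit. It assumes GNU stat as shipped on Debian; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the state that "mesg n" and
# "chmod 0 /usr/bin/wall" are meant to change. Assumes GNU stat (Debian).

# mesg toggles the group-write bit on the tty device: set means "mesg y".
is_group_writable() { [ $(( 0$1 & 020 )) -ne 0 ]; }

# An unprivileged wall relies on its setgid bit to write to other users' ttys.
has_setgid() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

# Print every entry under DIR (default /dev/pts) that still accepts messages.
writable_ttys() {
    dir=${1:-/dev/pts}
    for t in "$dir"/*; do
        [ -e "$t" ] || continue
        mode=$(stat -c '%a' "$t" 2>/dev/null) || continue
        if is_group_writable "$mode"; then printf '%s\n' "$t"; fi
    done
}

# Classify the wall binary: absent, disabled (mode 0), setgid, or no-setgid.
wall_status() {
    bin=${1:-/usr/bin/wall}
    [ -e "$bin" ] || { echo absent; return 0; }
    mode=$(stat -c '%a' "$bin")
    if [ "$mode" = 0 ]; then echo disabled
    elif has_setgid "$mode"; then echo setgid
    else echo no-setgid
    fi
}

report() {
    echo "wall: $(wall_status)"
    open=$(writable_ttys)
    if [ -n "$open" ]; then
        echo "ttys still accepting messages (mesg y):"
        echo "$open"
    else
        echo "no tty accepts messages"
    fi
}

report
```

Sessions that were already logged in before the profile.d file was added keep their old tty mode, so they show up in the list until the user logs in again or runs "mesg n" by hand.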