Re: making Debian secure by default

To: Andy Smith <andy@strugglers.net>
Cc: debian-user@lists.debian.org
Subject: Re: making Debian secure by default
From: Lee <ler762@gmail.com>
Date: Thu, 28 Mar 2024 00:28:56 -0400
Message-id: <[🔎] CAD8GWsswLPH327tvj64HkWuMfayXczJyyviSk9Um2CAHHjoovg@mail.gmail.com>
In-reply-to: <[🔎] ZgSljhflfCtsnnCq@mail.bitfolk.com>
References: <[🔎] CAD8GWssBoRrCzW0TSUGxMeuY=y_bTM-nMuSO7_4g1Kyk79fgqQ@mail.gmail.com> <[🔎] ZgSljhflfCtsnnCq@mail.bitfolk.com>

On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
>
> Hi,
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> >     https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> It doesn't work by default on Debian as it relies on
> command-not-found automatically running on the user's input.
> command-not-found can be installed, however…
>
> > oof.  Are there instructions somewhere on how to make Debian secure by default?
>
> Between the fact that "secure" means different things to different
> people and that this advisory was only released a few hours ago, I
> don't think you can reasonably expect documentation to already be
> published for your standard of "secure".

You snipped the bit from the man page about users becoming more more
conscious of various security risks & removing write access by
default.
Considering how long it takes something to migrate into stable I'm
guessing that man page is pretty old.  So I don't think it's
unreasonable to expect some kind of secure by default installation
option.

> There is a general push to get rid of setuid/setgid binaries. A lot
> of "hardening" guides will suggest looking for setuid/setgid
> binaries and deciding if you really need them.

The problem with that is how many users are knowledgeable enough to
know if something is necessary or not?

> As you've never heard of "mesg" and probably don't use "wall" I
> doubt you will have any issues chmod 0 /usr/bin/wall and then
> setting it immutable¹ with chattr +i.

I suppose that's one way.  I'd rather uninstall it.

> You could put a call to "mesg n" into a file in /etc/profile.d so
> that all users execute it.

Good idea:
$ ls -l /etc/profile.d/disable_mesg.sh
-rw-r--r-- 1 root root 383 Mar 28 00:15 /etc/profile.d/disable_mesg.sh

$ cat /etc/profile.d/disable_mesg.sh
# man mesg
#    ...
#  Traditionally, write access is allowed by default.  However,  as  users
#  become  more  conscious  of various security risks, there is a trend to
#  remove write access by default, at least for the primary  login  shell.
#  To  make  sure  your ttys are set the way you want them to be set, mesg
#  should be executed in your login scripts.

/usr/bin/mesg n

Then logout / login and..
$ mesg
is n

Thanks
Lee

Reply to:

Follow-Ups:
- Re: making Debian secure by default
  - From: Andy Smith <andy@strugglers.net>

References:
- making Debian secure by default
  - From: Lee <ler762@gmail.com>
- Re: making Debian secure by default
  - From: Andy Smith <andy@strugglers.net>

Prev by Date: Re: making Debian secure by default
Next by Date: Re: making Debian secure by default
Previous by thread: Re: making Debian secure by default
Next by thread: Re: making Debian secure by default
Index(es):
- Date
- Thread