richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
b9a53a
From 3d338556760632b9c8b646a719d56e02e3ad2088 Mon Sep 17 00:00:00 2001
b9a53a
From: Lennart Poettering <lennart@poettering.net>
b9a53a
Date: Wed, 20 Mar 2019 19:20:35 +0100
b9a53a
Subject: [PATCH] analyze: check for RestrictSUIDSGID= in "systemd-analyze
b9a53a
 security"
b9a53a
b9a53a
And let's give it a heigh weight, since it pretty much can be used for
b9a53a
bad things only.
b9a53a
b9a53a
(cherry picked from commit 9d880b70ba5c6ca83c82952f4c90e86e56c7b70c)
b9a53a
Related: #1687512
b9a53a
---
b9a53a
 src/analyze/analyze-security.c | 12 ++++++++++++
b9a53a
 1 file changed, 12 insertions(+)
b9a53a
b9a53a
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
b9a53a
index eec040d5c3..969101c57b 100644
b9a53a
--- a/src/analyze/analyze-security.c
b9a53a
+++ b/src/analyze/analyze-security.c
b9a53a
@@ -69,6 +69,7 @@ struct security_info {
b9a53a
 
b9a53a
         uint64_t restrict_namespaces;
b9a53a
         bool restrict_realtime;
b9a53a
+        bool restrict_suid_sgid;
b9a53a
 
b9a53a
         char *root_directory;
b9a53a
         char *root_image;
b9a53a
@@ -1130,6 +1131,16 @@ static const struct security_assessor security_assessor_table[] = {
b9a53a
                 .assess = assess_bool,
b9a53a
                 .offset = offsetof(struct security_info, restrict_realtime),
b9a53a
         },
b9a53a
+        {
b9a53a
+                .id = "RestrictSUIDSGID=",
b9a53a
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictSUIDSGID=",
b9a53a
+                .description_good = "SUID/SGID file creation by service is restricted",
b9a53a
+                .description_bad = "Service may create SUID/SGID files",
b9a53a
+                .weight = 1000,
b9a53a
+                .range = 1,
b9a53a
+                .assess = assess_bool,
b9a53a
+                .offset = offsetof(struct security_info, restrict_suid_sgid),
b9a53a
+        },
b9a53a
         {
b9a53a
                 .id = "RestrictNamespaces=~CLONE_NEWUSER",
b9a53a
                 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
b9a53a
@@ -1862,6 +1873,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
b9a53a
                 { "RestrictAddressFamilies", "(bas)",   property_read_restrict_address_families, 0                                                         },
b9a53a
                 { "RestrictNamespaces",      "t",       NULL,                                    offsetof(struct security_info, restrict_namespaces)       },
b9a53a
                 { "RestrictRealtime",        "b",       NULL,                                    offsetof(struct security_info, restrict_realtime)         },
b9a53a
+                { "RestrictSUIDSGID",        "b",       NULL,                                    offsetof(struct security_info, restrict_suid_sgid)        },
b9a53a
                 { "RootDirectory",           "s",       NULL,                                    offsetof(struct security_info, root_directory)            },
b9a53a
                 { "RootImage",               "s",       NULL,                                    offsetof(struct security_info, root_image)                },
b9a53a
                 { "SupplementaryGroups",     "as",      NULL,                                    offsetof(struct security_info, supplementary_groups)      },