authorLennart Poettering <lennart@poettering.net>2019-03-20 19:20:35 +0100
committerLennart Poettering <lennart@poettering.net>2019-04-02 16:56:48 +0200
commit9d880b70ba5c6ca83c82952f4c90e86e56c7b70c (patch)
tree90ab11db1abde8c3156c90b1dbdb30ba37c1622b
parentf69567cbe26d09eac9d387c0be0fc32c65a83ada (diff)
downloadsystemd-9d880b70ba5c6ca83c82952f4c90e86e56c7b70c.tar.gz
systemd-9d880b70ba5c6ca83c82952f4c90e86e56c7b70c.tar.bz2
systemd-9d880b70ba5c6ca83c82952f4c90e86e56c7b70c.zip
analyze: check for RestrictSUIDSGID= in "systemd-analyze security"
And let's give it a high weight, since it pretty much can be used for bad things only.
-rw-r--r--src/analyze/analyze-security.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index a978ed6da8..b1b88855af 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -75,6 +75,7 @@ struct security_info {
uint64_t restrict_namespaces;
bool restrict_realtime;
+ bool restrict_suid_sgid;
char *root_directory;
char *root_image;
@@ -1149,6 +1150,16 @@ static const struct security_assessor security_assessor_table[] = {
.offset = offsetof(struct security_info, restrict_realtime),
},
{
+ .id = "RestrictSUIDSGID=",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictSUIDSGID=",
+ .description_good = "SUID/SGID file creation by service is restricted",
+ .description_bad = "Service may create SUID/SGID files",
+ .weight = 1000,
+ .range = 1,
+ .assess = assess_bool,
+ .offset = offsetof(struct security_info, restrict_suid_sgid),
+ },
+ {
.id = "RestrictNamespaces=~CLONE_NEWUSER",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create user namespaces",
@@ -1881,6 +1892,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
{ "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
{ "RestrictNamespaces", "t", NULL, offsetof(struct security_info, restrict_namespaces) },
{ "RestrictRealtime", "b", NULL, offsetof(struct security_info, restrict_realtime) },
+ { "RestrictSUIDSGID", "b", NULL, offsetof(struct security_info, restrict_suid_sgid) },
{ "RootDirectory", "s", NULL, offsetof(struct security_info, root_directory) },
{ "RootImage", "s", NULL, offsetof(struct security_info, root_image) },
{ "SupplementaryGroups", "as", NULL, offsetof(struct security_info, supplementary_groups) },
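Review bot: The new assessor entry's description strings do not follow the phrasing of the neighbouring entries, which describe the good case from the service's point of view ("Service cannot create user namespaces"); the passive "SUID/SGID file creation by service is restricted" reads differently in the report table. I would use `.description_good = "Service cannot create SUID/SGID files",` so the pair mirrors the existing `description_good`/`description_bad` style. Separately, the new `restrict_suid_sgid` field is mapped from a "b" property that only newer managers export; if the property mapping leaves the field at its zero value when the manager does not report it, every service on such a manager is scored as "may create SUID/SGID files" with weight 1000, which is worth confirming against how the property table treats absent properties. Both `struct security_info` and `security_assessor_table[]` start outside the hunks shown.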