Whonix /etc/sudoers.d exceptions wildcard / asterix * hardening

[adrelanos]

Whonix uses * in a few /etc/sudoers.d files.

Quote @marmarek #2695 (comment)

As for actual sudo configuration - I see several files in /etc/sudoers.d have commands with * as argument. If in practice the command is called only with one or two specific arguments, IMO it's better to be verbose here.

TODO: harden this. Don't use * wherever possible.

find . -type f | grep sudoers | xargs cat | grep '*'

sdwdate ALL=NOPASSWD: /bin/date *
sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/sclockadj *
sdwdate ALL=NOPASSWD: /sbin/hwclock *
sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/sclockadj_kill_helper *
ALL ALL=NOPASSWD: /usr/lib/sdwdate/restart_fresh *
user ALL=NOPASSWD: /usr/bin/clock-random-manual-cli *
user ALL=NOPASSWD: /usr/bin/clock-random-manual-gui *
%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard *
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup *
#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
%sudo ALL=NOPASSWD: /usr/bin/whonixsetup *
user ALL=(whonixcheck) NOPASSWD: /usr/lib/whonixcheck/whonixcheck *
user ALL=(whonixcheck) NOPASSWD: /bin/bash -x /usr/lib/whonixcheck/whonixcheck *
ALL ALL=NOPASSWD: /usr/lib/msgcollector/msgprogressbar_kill_helper *

• https://github.com/Whonix/sdwdate/blob/master/etc/sudoers.d/sdwdate
• https://github.com/Whonix/whonix-setup-wizard/blob/master/etc/sudoers.d/whonix-setup-wizard
• https://github.com/Whonix/usability-misc/blob/master/etc/sudoers.d/tunnel_unpriv
• https://github.com/Whonix/whonixcheck/blob/master/etc/sudoers.d/whonixcheck
• https://github.com/Whonix/msgcollector/blob/master/etc/sudoers.d/msgcollector

Do you think you could work on this? @tasket @crat0z

[tasket]

I can start looking at a few of the commands to see how they're used in Whonix under core use cases such as 'browse web site' and 'update system'. Just want to say that Whonix is not my strong suit, though.

Tightening these entries means for some commands like date, specifying additional parameters to narrow the modes of use while still leaving * in there or whatever EBNF syntax allows. Obviously, it can't be completely nailed-down if it accepts data to set the system time, for example.

Optimal configuration should take into account whether the command is used in a purely automatic function or user-initiated. With the former, system startup and cron should not be an issue because as a general rule these are run as root user. With the latter, it may be best to let the system trigger an auth prompt in certain cases.

Whether a user-initiated function is considered an admin tool or just an app (like Torbrowser) also matters; the latter type should be usable without any auth prompts. OTOH, admin functions launched from dom0 menu could simply specify a privileged user like root to avoid auth prompts.

[tasket]

Initial look at sdwdate:

These rules are specified by the sdwdate documentation for using this service as "non-root user". Its precarious to second-guess Patrick's design; normally I would say this is a security issue internal to the tool. I would leave most of those (first 7) rules as-is, or re-factor sdwdate in some way such as running only the HTTP part as unpriv user.

Apart from that, the line referencing '/usr/lib/sdwdate/restart_fresh' is a script that takes no parameters anyway, so '*' can be removed there.

---

For whonix-setup-wizard, I think these lines

%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard *
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup *

...can be changed to

%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard
%sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard locale_settings
%sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup

However, the script '/usr/bin/whonixsetup' appears to accept multiple 'command' options. Perhaps @adrelanos could elaborate on that.

[adrelanos]

tasket:

Initial look at `sdwdate`: These rules are specified by the `sdwdate` documentation for using this service as "non-root user". Its precarious to second-guess Patrick's design; normally I would say this is a security issue internal to the tool. I would leave most of those (first 7) rules as-is, or re-factor sdwdate in some way such as running only the HTTP part as unpriv user.

Please feel free to review and improve that design.

Apart from that, the line referencing '/usr/lib/sdwdate/restart_fresh' is a script that takes no parameters anyway, so '*' can be removed there.

Yes.

--- For whonix-setup-wizard, I think these lines ``` %sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard * %sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup * ``` ...can be changed to ``` %sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard %sudo ALL=NOPASSWD: /usr/bin/whonix-setup-wizard locale_settings %sudo ALL=NOPASSWD: /usr/lib/whonix-setup-wizard/whonix-setup-wizard-setup ```

Possible /usr/bin/whonix-setup-wizard parameters are: setup repository locale_settings Please add.

However, the script '/usr/bin/whonixsetup' appears to accept multiple 'command' options. Perhaps @adrelanos could elaborate on that.

There are none. Just "sudo whonixsetup" (cli version).

[tasket]

FYI this is still on my todo list, I just want to get to VPN and template-reinstall fixes first.

[adrelanos]

The use of asterix * in /etc/sudoers.d was considerably reduced in Whonix 14 / git master.

find . -type f | grep sudoers | xargs cat | grep '*'
sdwdate ALL=NOPASSWD: /bin/date --set *
sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/sclockadj *
#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
user ALL=(whonixcheck) NOPASSWD: /usr/lib/whonixcheck/whonixcheck *
user ALL=(whonixcheck) NOPASSWD: /bin/bash -x /usr/lib/whonixcheck/whonixcheck *

Suggestions on how to get rid of the remaining ones?

[tasket]

The easier ones should be whonixcheck and openvpn.

My first inclination is to disable the whonixcheck lines and then investigate where/why its being run from an unprivileged 'user' context.

Suggestion for openvpn is to specify a static --config file.ovpn option pointing to a file in a privileged dir like /etc/openvpn; this still allows the user flexibility in config options (they can put anything in file.ovpn) while closing the sudoers loophole.

[adrelanos]

whonixcheck is sorted. Let's look into sdwdate / sclockadj. Two ideas:

• A) Would it help to write the time (unixtime, just numbers) for /bin/date into a text file, add a shell wrapper that reads the argument from the text file? (Not sure writing to a text file would significantly mess up accuracy.) [We introduce hypothetical vulnerabilities by bash / file parsing.]
• B) Would it help to call a shell wrapper from sdwdate like echo "1533921121.245112658" | sudo /usr/lib/sdwdate/date-wrapper [We introduce hypothetical vulnerabilities by bash / stdout parsing.]

/usr/lib/sdwdate/date-wrapper:

#!/bin/bash
date --set "@$1"

Then sudoers could be as simple as:

sdwdate ALL=NOPASSWD: /usr/lib/sdwdate/date-wrapper

---

• C) Using sudoers.d supports shell-style wildcards. [We introduce hypothetical vulnerabilities by sudo's wildcards parsing code.]

sdwdate log:
Aug 10 17:15:03 work sdwdate[29542]: 2018-08-10 17:15:03 - sdwdate - INFO - Instantly setting the time by using command: sudo --non-interactive /bin/date --set "@1533921121.245112658"
/etc/sudoers.d/sdwdate:

sdwdate ALL=NOPASSWD: /bin/date --set *

I am not good at regex.

/bin/date: Could anyone provide a regex for @1533921121.245112658?

(An @ sign followed by 10 digits followed by . followed by 9 digits.)

---

Aug 10 17:28:08 work sdwdate[636]: 2018-08-10 17:28:08 - sdwdate - INFO - Gradually adjusting the time by running sclockadj using command: sudo --non-interactive /usr/lib/sdwdate/sclockadj "-24123423912"

sclockadj: Could anyone provide a regex for 24123423912?
sclockadj: Could anyone provide a regex for -24123423912?

(Maybe a - followed by "20" digits.)

(Probably not "20" but I would have to think about a good maximum and modify sdwdate accordingly.)

[marmarek]

In what context is it callled? Is it only sdwdate service running as unprivileged user? Maybe adding CAP_SYS_TIME to its systemd unit file is enough and no root access is needed at all?

[adrelanos]

In what context is it callled? Is it only sdwdate service running as unprivileged user?

Yes.

Maybe adding CAP_SYS_TIME to its systemd unit file is enough and no root access is needed at all?

Great suggestion, implemented!

---

The use of asterix / wildcard * in /etc/sudoers.d was elimited in Whonix git master.

#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *

The remaining one is a comment / documentation issue (out commented by default) and should be fixable as well.

[adrelanos]

This looks really good in Whonix 15 (still).

find . -type f | grep sudoers | xargs cat | grep '*'

The following is a comment only.

#tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *

Ideally it should get fixed too.

So no default sudo wildcard / asterix * in Whonix 15.

[adrelanos]

This is good enough.

All solved. Except for that comment.

• https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#sudoers_configuration
• https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#sudoers_configuration
• https://www.whonix.org/wiki/Template:VPN/Setup/sudoers_configuration

But even then I think it is OK. Documentation issue. User tunnel needs to be able to run openvpn with any combination of commands. Would be hard to restrict that and needs to be left as an exercise for the user. Added a documentation comment.