Description

The Linux kernel has a per-process "no_new_privs" flag (set with prctl(PR_SET_NO_NEW_PRIVS)), which systemd can set for the services it starts at boot with the NoNewPrivileges= unit option. Once the flag is set, execve() can no longer grant a process privileges it did not already have: setuid and setgid bits no longer change the uid or gid, and file capabilities are not added. The flag is inherited across execve, clone and fork and cannot be cleared. This limits the exploitation of vulnerable software, since an attacker who gains code execution stays an ordinary user and cannot use a setuid helper to become root.

In practice this means: setuid/setgid binaries (sudo, su, passwd, mount, ...) stop working, because they no longer gain their elevated uid/gid.
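The following is an added example, not code from this Hack Week project or the kukuk:nonewprivs OBS project. It exercises the kernel flag directly, the same prctl() that systemd's NoNewPrivileges=yes performs before exec, and shows the three properties described above: reading the flag (via prctl and via the NoNewPrivs: line in /proc/<pid>/status, which is what `grep NoNewPrivs /proc/$PID/status` looks at), inheritance across fork, and the kernel's refusal to clear it (EINVAL). The function names are this example's own.

```c
/* Added example: no_new_privs from userspace. Linux only (prctl, /proc). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback for old headers; the values are the stable kernel ABI constants. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Query the flag of the calling process via prctl(); returns 0 or 1, -1 on error. */
int nnp_get_self(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Query any process by reading the "NoNewPrivs:" line of /proc/<pid>/status.
 * Returns 0 or 1, -1 if the file or the line is unavailable. */
int nnp_get_pid(pid_t pid) {
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);   /* atoi skips the tab after the colon */
            break;
        }
    }
    fclose(f);
    return value;
}

/* Set the flag. The only accepted form is arg2 == 1 with arg3..arg5 zero. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Try to clear the flag. Returns the errno the kernel answers with (EINVAL:
 * there is no "unset" form of this prctl), or 0 if it unexpectedly succeeded. */
int nnp_try_clear(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0) return 0;
    return errno;
}

/* Fork a child and report the child's view of the flag, to show inheritance.
 * Returns 1 if the child sees the flag set, 0 if not, -1 on error. */
int nnp_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get_self() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before: NoNewPrivs=%d\n", nnp_get_self());
    if (nnp_set() != 0) { perror("PR_SET_NO_NEW_PRIVS"); return 1; }
    printf("after:  NoNewPrivs=%d (prctl), %d (/proc)\n",
           nnp_get_self(), nnp_get_pid(getpid()));
    printf("child:  NoNewPrivs=%d (inherited across fork)\n", nnp_in_child());
    printf("clear:  %s\n", strerror(nnp_try_clear()));
    /* From here on, exec of a setuid/setgid or file-capability binary runs it
     * with this process's uid/gid and capabilities, so e.g. sudo fails. */
    return 0;
}
```

Running the binary as an unprivileged user prints NoNewPrivs=1 after the set, 1 in the child, and "Invalid argument" for the clear attempt; a shell started with `setpriv --no-new-privs bash` or a service with NoNewPrivileges=yes behaves the same way, which is why every setuid path in the goals below has to be replaced rather than merely wrapped.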

Currently there is a PoC with openSUSE MicroOS as container host, including rootless podman containers.

Goals

The goal is to extend this to a full desktop machine:

  • test with KDE, document what's not working and try to solve that.
  • test with GNOME, document what's not working and try to solve that <= GNOME user needed for this!
  • test with k3s
  • test with k8s
  • create a list of setuid/setgid services in Tumbleweed and find ideas to get rid of them.

Resources

  • openSUSE MicroOS for container
  • openSUSE Tumbleweed for Desktop
  • https://build.opensuse.org/project/show/home:kukuk:nonewprivs

This project is part of:

Hack Week 25

Activity

  • 1 day ago: epaolantonio liked this project.
  • 1 day ago: kukuk started this project.
  • 1 day ago: kukuk originated this project.
