From 9a86c0037392b731cc41f4c24377a45e49cef76b Mon Sep 17 00:00:00 2001
From: Neved4 <63655535+Neved4@users.noreply.github.com>
Date: Mon, 21 Oct 2024 13:36:52 +0200
Subject: [PATCH 1/3] Run `brew` as regular user in place of root

---
 include/functions | 17 +++++++++++++++++
 include/tests_ports_packages | 4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/include/functions b/include/functions
index df27db8b7..c5fd71a4a 100644
--- a/include/functions
+++ b/include/functions
@@ -91,6 +91,7 @@
 # ReportManual Log manual actions to report file
 # ReportSuggestion Add a suggestion to report file
 # ReportWarning Add a warning and priority to report file
+# RunBrewCmd Run Homebrew commands as a normal user instead of root
 # SafeFile Security tests to perform on a file before using it
 # SafePerms Check if a file has safe permissions
 # SafeInput Test provided string to see if it contains unwanted characters
@@ -3036,6 +3037,22 @@
 }
+ ################################################################################
+ # Name : RunBrewCmd()
+ # Description : Run Homebrew commands as a normal user instead of root
+ #
+ # Parameters : $@ = Homebrew command arguments
+ # Returns : None (executes the command as the appropriate user)
+ ################################################################################
+
+ RunBrewCmd() {
+ case "$(id -u)" in
+ 0) sudo -u "$SUDO_USER" brew "$@" ;;
+ *) brew "$@"
+ esac
+ }
+
+
 ################################################################################
 # Name : SafeInput()
 # Description : Test provided string to see if it contains unwanted characters
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 35de8cd53..c8ec4b2e8 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
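Review bot: In the `0)` arm of RunBrewCmd, `sudo -u "$SUDO_USER"` is evaluated with no check that `SUDO_USER` is set — when lynis is started from a root login shell or a `su -` session the variable is empty, sudo is asked to run as user "" and the brew query fails instead of being skipped with a log line. Guard it before the call, e.g. `0) if [ -n "${SUDO_USER:-}" ]; then sudo -u "$SUDO_USER" brew "$@"; else LogText "Result: SUDO_USER not set, not running brew as root"; return 1; fi ;;`. The `*)` arm also lacks a terminating `;;`, which works on the last arm but is worth adding for consistency. The same unguarded `$SUDO_USER` is carried into RunCmdAsUser in the second patch of this series.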
@@ -127,7 +127,7 @@
 LogText "Test: Querying brew to get package list"
 Display --indent 4 --text "- Querying brew for installed packages"
 LogText "Output:"; LogText "-----"
-GPACKAGES=$(brew list --versions)
+GPACKAGES=$(RunBrewCmd list --versions)
 while IFS= read -r PKG; do
 PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
 PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
@@ -183,7 +183,7 @@ EOF
 PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
 LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
 INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
-done
+done
 fi
 #
 #################################################################################

From ae64484955ba4cbe38b8976a1b7d0b168fd6c0d4 Mon Sep 17 00:00:00 2001
From: Neved4 <63655535+Neved4@users.noreply.github.com>
Date: Fri, 25 Oct 2024 22:12:15 +0200
Subject: [PATCH 2/3] Refactor `RunBrewCmd()` into a generalised `RunCmdAsUser()`

---
 include/functions | 24 +++++++++++++++++-------
 include/tests_ports_packages | 2 +-
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/include/functions b/include/functions
index c5fd71a4a..2bfae8db8 100644
--- a/include/functions
+++ b/include/functions
@@ -91,7 +91,7 @@
 # ReportManual Log manual actions to report file
 # ReportSuggestion Add a suggestion to report file
 # ReportWarning Add a warning and priority to report file
-# RunBrewCmd Run Homebrew commands as a normal user instead of root
+# RunCmdAsUser Run commands as a normal user instead of root
 # SafeFile Security tests to perform on a file before using it
 # SafePerms Check if a file has safe permissions
 # SafeInput Test provided string to see if it contains unwanted characters
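Review bot: `GPACKAGES=$(RunBrewCmd list --versions)` discards the helper's exit status, so a failed user switch (no `SUDO_USER`, sudo refusing the command) is indistinguishable from an empty package list and the `while` loop below simply logs nothing. Record the failure so the report shows why brew was not queried, e.g. `GPACKAGES=$(RunBrewCmd list --versions) || LogText "Result: brew list failed (exit code $?)"`. The same applies to the `RunCmdAsUser brew list --versions` form of this line in the second patch of the series. The loop that consumes GPACKAGES continues past the end of the hunk; the -183 hunk in this file is a whitespace-only change.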
@@ -3038,17 +3038,27 @@
 ################################################################################
- # Name : RunBrewCmd()
- # Description : Run Homebrew commands as a normal user instead of root
+ # Name : RunCmdAsUser()
+ # Description : Run commands as a normal user instead of root
 #
- # Parameters : $@ = Homebrew command arguments
+ # Parameters : $@ = command arguments
 # Returns : None (executes the command as the appropriate user)
 ################################################################################
- RunBrewCmd() {
+ RunCmdAsUser() {
 case "$(id -u)" in
- 0) sudo -u "$SUDO_USER" brew "$@" ;;
- *) brew "$@"
+ 0)
+ if command -v sudo >/dev/null
+ then
+ sudo -u "$SUDO_USER" "$@"
+ elif command -v su >/dev/null
+ then
+ su "$(id -un)" -c "$@"
+ else
+ "$@"
+ fi
+ ;;
+ *) "$@"
 esac
 }
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index c8ec4b2e8..8802d117e 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -127,7 +127,7 @@
 LogText "Test: Querying brew to get package list"
 Display --indent 4 --text "- Querying brew for installed packages"
 LogText "Output:"; LogText "-----"
-GPACKAGES=$(RunBrewCmd list --versions)
+GPACKAGES=$(RunCmdAsUser brew list --versions)
 while IFS= read -r PKG; do
 PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
 PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)

From 181f59c2aff07eb46b0130b08775797bb579550a Mon Sep 17 00:00:00 2001
From: Neved4 <63655535+Neved4@users.noreply.github.com>
Date: Fri, 25 Oct 2024 22:29:35 +0200
Subject: [PATCH 3/3] Add `Notes` section to `RunCmdAsUser()` comments

---
 include/functions | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/functions b/include/functions
index 2bfae8db8..1459c0721 100644
--- a/include/functions
+++ b/include/functions
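Review bot: The `su` fallback in the `0)` arm neither drops privileges nor passes the arguments: `id -un` inside that arm always yields `root` (the arm is only entered when `id -u` is 0), and `su ... -c "$@"` hands only `$1` to `-c` while the remaining words become the shell's positional parameters, so `RunCmdAsUser brew list --versions` would run a bare `brew`, still as root. The final `else "$@"` then runs the command as root anyway, which is the case the helper exists to prevent. Switch the su path to the same target user as the sudo path, pass the arguments through the shell's positional parameters, and refuse (non-zero return, logged) rather than fall back to root when no unprivileged user is known; the rewritten arm is below, and the `Returns` line of the header should then say that a non-zero status means the command was not run. The `sudo -u "$SUDO_USER"` call keeps the unguarded-variable problem already noted on the first patch of this series.
```shell
RunCmdAsUser() {
    case "$(id -u)" in
        0)
            # Refuse rather than silently run as root when no invoking user is known
            if [ -z "${SUDO_USER:-}" ] || [ "${SUDO_USER}" = "root" ]; then
                LogText "Result: no unprivileged user found to run '$1', skipping"
                return 1
            fi
            if command -v sudo >/dev/null 2>&1; then
                sudo -u "$SUDO_USER" -- "$@"
            elif command -v su >/dev/null 2>&1; then
                # su -c takes a single string; the words of "$@" arrive as $0.. of that shell
                su "$SUDO_USER" -c 'exec "$0" "$@"' "$@"
            else
                LogText "Result: neither sudo nor su available, not running '$1' as root"
                return 1
            fi
            ;;
        *) "$@" ;;
    esac
}
```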
@@ -3043,6 +3043,18 @@
 #
 # Parameters : $@ = command arguments
 # Returns : None (executes the command as the appropriate user)
+ # Notes : This allows dropping permissions for specific commands when
+ # lynis is invoked as root, preventing privilege escalation
+ # risks (CWE-250, CWE-271).
+ #
+ # By isolating privileged code and dropping said privileges as
+ # soon as possible, we can execute tools with their proper
+ # permissions, such as in the case of Homebrew.
+ #
+ # When available, we use `sudo` and `su`. For a strictly
+ # POSIX-compliant environment, a C implementation could be
+ # made using `setgid()` and `setuid()`.
+ ################################################################################
 ################################################################################
 RunCmdAsUser() {
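Review bot: The added Notes promise more than the code below delivers: they say privileges are dropped and that `su` is used when available, but the su branch of RunCmdAsUser (its body starts after this hunk ends) switches to `$(id -un)`, which is root in that arm, so the CWE-250/CWE-271 claim only holds on the sudo path and only when `SUDO_USER` is set. Document the precondition rather than the guarantee, e.g. replace the last paragraph with `# Privileges are only dropped when SUDO_USER names the invoking user;` / `# callers must not rely on this helper when lynis runs as root without sudo.`. The sentence about a C `setgid()`/`setuid()` implementation describes work that is not in the tree and is better left out of a function header.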