authorintrigeri <intrigeri@boum.org>2018-08-22 11:48:41 +0000
committerintrigeri <intrigeri@boum.org>2018-08-22 11:59:27 +0000
commit5547323075bd7a2193033e0d4d154c5a96627be7 (patch)
tree1d459ea37cdd293dc24851f41e0ed590f9e47873 /config
parentfc2fd6319767857e8b537943a6a9882bb7ef5b40 (diff)
Harden sudo configuration (refs: #15829).
This should not be needed because at the moment, none of these commands do anything with their command-line arguments (except poweroff and reboot, but their arguments don't allow further privilege escalation), but better safe than sorry.
Diffstat (limited to 'config')
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_boot_profile2
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_halt4
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup2
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser2
4 files changed, 5 insertions, 5 deletions
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_boot_profile b/config/chroot_local-includes/etc/sudoers.d/zzz_boot_profile
index 3703f79..4a08035 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_boot_profile
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_boot_profile
@@ -1 +1 @@
-amnesia ALL = NOPASSWD: /usr/local/lib/kill-boot-profile
+amnesia ALL = NOPASSWD: /usr/local/lib/kill-boot-profile ""
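Review bot: The trailing `""` on the kill-boot-profile rule is undocumented, and its sudoers meaning (the command is allowed only when run with no arguments at all) is easy to miss. A later edit that drops it would silently re-allow arbitrary arguments to a root-run command. I would add a comment above the rule, for example `# "" = allow only the bare command, with no arguments`. The same applies to the rules changed in zzz_halt, zzz_persistence-setup and zzz_unsafe-browser.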
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_halt b/config/chroot_local-includes/etc/sudoers.d/zzz_halt
index d0d146f..f5897bf 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_halt
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_halt
@@ -1,2 +1,2 @@
-amnesia ALL = NOPASSWD: /sbin/poweroff
-amnesia ALL = NOPASSWD: /sbin/reboot
+amnesia ALL = NOPASSWD: /sbin/poweroff ""
+amnesia ALL = NOPASSWD: /sbin/reboot ""
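Review bot: With `""` on both rules, any existing caller that runs poweroff or reboot through sudo with an option will no longer match the NOPASSWD entry and will be refused or prompted for a password; the commit message itself notes that these two commands do take arguments. No callers are visible in this diff, so this is a check to make rather than a confirmed breakage: search the tree for sudo invocations of /sbin/poweroff and /sbin/reboot and confirm none pass arguments. If one does, list that exact argument string as an additional entry, the way PERSISTENCE_SETUP enumerates its allowed forms, rather than dropping the `""`.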
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup b/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
index 2ed2aab..456d03b 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
@@ -1,4 +1,4 @@
Cmnd_Alias PERSISTENCE_SETUP = /usr/bin/tails-persistence-setup "", /usr/bin/tails-persistence-setup --verbose, /usr/bin/tails-persistence-setup --step delete, /usr/bin/tails-persistence-setup --step delete --verbose, /usr/bin/tails-persistence-setup --force-enable-preset AdditionalSoftware
amnesia ALL = (tails-persistence-setup) NOPASSWD: PERSISTENCE_SETUP
-tails-persistence-setup ALL = (root) NOPASSWD: /usr/bin/tails-fix-persistent-volume-permissions
+tails-persistence-setup ALL = (root) NOPASSWD: /usr/bin/tails-fix-persistent-volume-permissions ""
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser b/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
index 938429a..0fec530 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
@@ -1 +1 @@
-amnesia ALL = NOPASSWD: /usr/local/sbin/unsafe-browser
+amnesia ALL = NOPASSWD: /usr/local/sbin/unsafe-browser ""