On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote: > > Hi, > > On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote: > > I just saw this advisory > > Escape sequence injection in util-linux wall (CVE-2024-28085) > > https://seclists.org/fulldisclosure/2024/Mar/35 > > where they're talking about grabbing other users sudo password. > > It doesn't work by default on Debian as it relies on > command-not-found automatically running on the user's input. > command-not-found can be installed, however… > > > oof. Are there instructions somewhere on how to make Debian secure by > > default? > > Between the fact that "secure" means different things to different > people and that this advisory was only released a few hours ago, I > don't think you can reasonably expect documentation to already be > published for your standard of "secure".
You snipped the bit from the man page about users becoming more more conscious of various security risks & removing write access by default. Considering how long it takes something to migrate into stable I'm guessing that man page is pretty old. So I don't think it's unreasonable to expect some kind of secure by default installation option. > There is a general push to get rid of setuid/setgid binaries. A lot > of "hardening" guides will suggest looking for setuid/setgid > binaries and deciding if you really need them. The problem with that is how many users are knowledgeable enough to know if something is necessary or not? > As you've never heard of "mesg" and probably don't use "wall" I > doubt you will have any issues chmod 0 /usr/bin/wall and then > setting it immutable¹ with chattr +i. I suppose that's one way. I'd rather uninstall it. > You could put a call to "mesg n" into a file in /etc/profile.d so > that all users execute it. Good idea: $ ls -l /etc/profile.d/disable_mesg.sh -rw-r--r-- 1 root root 383 Mar 28 00:15 /etc/profile.d/disable_mesg.sh $ cat /etc/profile.d/disable_mesg.sh # man mesg # ... # Traditionally, write access is allowed by default. However, as users # become more conscious of various security risks, there is a trend to # remove write access by default, at least for the primary login shell. # To make sure your ttys are set the way you want them to be set, mesg # should be executed in your login scripts. /usr/bin/mesg n Then logout / login and.. $ mesg is n Thanks Lee