Hi,

On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> I just saw this advisory
>   Escape sequence injection in util-linux wall (CVE-2024-28085)
>     https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users' sudo password.

It doesn't work by default on Debian as it relies on
command-not-found automatically running on the user's input.
command-not-found can be installed, however…

> oof.  Are there instructions somewhere on how to make Debian secure by 
> default?

Between the fact that "secure" means different things to different
people and that this advisory was only released a few hours ago, I
don't think you can reasonably expect documentation to already be
published for your standard of "secure".

There is a general push to get rid of setuid/setgid binaries. A lot
of "hardening" guides will suggest looking for setuid/setgid
binaries and deciding if you really need them.

As you've never heard of "mesg" and probably don't use "wall" I
doubt you will have any issues chmod 0 /usr/bin/wall and then
setting it immutable¹ with chattr +i.

You could put a call to "mesg n" into a file in /etc/profile.d so
that all users execute it.

Thanks,
Andy

¹ The next update of bsdutils will complain it can't write that file.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
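
An added example, not part of the original message: a small audit script for the setuid/setgid review and the `chmod 0` / `chattr +i` lock-down suggested above. The function names `audit_setid` and `lockdown_state` are hypothetical, and GNU find/stat plus `lsattr` from e2fsprogs are assumed.

```shell
#!/bin/sh
# Added example; GNU find/stat and e2fsprogs lsattr are assumed.

# List setuid/setgid regular files under the given directories as
# "MODE OWNER:GROUP PATH", staying on one filesystem per start point.
audit_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null
}

# Report whether a binary has been locked down the way the message
# describes: mode 0 (chmod 0) and the immutable attribute (chattr +i).
lockdown_state() {
    mode=$(stat -c '%a' "$1") || return 2
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        "")  immutable=unknown ;;  # lsattr missing or filesystem has no attrs
        *i*) immutable=yes ;;
        *)   immutable=no ;;
    esac
    printf 'mode=%s immutable=%s\n' "$mode" "$immutable"
}

# Usage: sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_setid "$@"
    if [ -e /usr/bin/wall ]; then
        lockdown_state /usr/bin/wall
    fi
fi
```

A binary that has been given `chmod 0` no longer appears in the `audit_setid` listing, because that also clears its setuid/setgid bits; `lockdown_state` then confirms the mode and whether the immutable flag is set.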
