View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0008105Kali LinuxKali Package Bugpublic2022-12-16 16:022022-12-19 03:01
ReporterX0RW3LL Assigned Toarnaudr  
PrioritynormalSeveritytrivialReproducibilityalways
Status resolvedResolutionfixed 
Product Version2022.4 
Fixed in Versionkali-dev 
Summary0008105: kali-tweaks 2023.1.0 does not unset unprivileged ports
Description

kali-tweaks will only set unprivileged port hardening, but fail to unset it

The issue is that systemd-sysctl (as far as I understand it) will only take into account the relevant config files found in /etc/sysctl.d in this case
When the script unsets privileged port hardening, it removes said config file /etc/sysctl.d/50-kali-tweaks-unprivileged-ports.conf, leaving systemd-sysctl without a proper directive to write to /proc/sys/net/ipv4/ip_unprivileged_port_start

So, upon initial configuration, ip_unprivileged_port_start is set to 1024
When the config file is removed as per the unselected option in kali-tweaks, systemd-sysctl no longer has a reference as to what the "new" value should be.

Suggested mitigation:

  • Update /etc/sysctl.d/50-kali-tweaks-unprivileged-ports.conf to set the port start to 0, update systemd-sysctl with the prefix, and remove the file afterwards
diff --git a/kali_tweaks/settings/sysctl.py b/kali_tweaks/settings/sysctl.py
index 1d04710..173087c 100644
--- a/kali_tweaks/settings/sysctl.py
+++ b/kali_tweaks/settings/sysctl.py
@@ -128,5 +128,9 @@ class SysctlSetting:
                 )
             else:
                 # Restore Kali's default
+                self._write_sysctl_setting(
+                    "unprivileged-ports", "net.ipv4.ip_unprivileged_port_start", "0"
+                )
+                self._apply_setting("net.ipv4.ip_unprivileged_port_start")
                 self._remove_sysctl_setting("unprivileged-ports")
             self._apply_setting("net.ipv4.ip_unprivileged_port_start")

A similar fix might also be needed for dmesg-restrict

Additionally, there's a typo in the choice description where it reads (Restrict ports > 1024) as opposed to (Restrict ports < 1024)

Steps To Reproduce
kali@kali:~$ kali-tweaks

# Hardening => [*] Privileged Ports
# Apply and relaunch the tool, toggling off the switch this time
# Notice the option will still be locked in when trying to unset it after the third relaunch
Additional Information
$ cat /etc/os-release
PRETTY_NAME=&quot;Kali GNU/Linux Rolling&quot;
NAME=&quot;Kali GNU/Linux&quot;
VERSION=&quot;2022.4&quot;
VERSION_ID=&quot;2022.4&quot;
VERSION_CODENAME=&quot;kali-rolling&quot;
ID=kali
ID_LIKE=debian
HOME_URL=&quot;https://www.kali.org/&quot;
SUPPORT_URL=&quot;https://forums.kali.org/&quot;
BUG_REPORT_URL=&quot;https://bugs.kali.org/&quot;
ANSI_COLOR=&quot;1;31&quot;
$ uname -a
Linux FX7 6.0.0-kali5-amd64 0000001 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux
$ apt policy kali-tweaks
kali-tweaks:
  Installed: 2023.1.0
  Candidate: 2023.1.0
  Version table:
 *** 2023.1.0 500
        500 https://kali.download/kali kali-rolling/main amd64 Packages
        500 https://kali.download/kali kali-rolling/main i386 Packages
        100 /var/lib/dpkg/status

Activities

X0RW3LL

X0RW3LL

2022-12-16 16:25

reporter   ~0017248

P.s apologies for the horrible Discord formatting
P.s2 s/unprivileged/privileged/g
arnaudr

arnaudr

2022-12-19 02:32

manager   ~0017254

Thanks for the quick feedback!

The issue in this case is that the latest version of kali-defaults (2023.1.0) is not yet in kali-rolling. It's stuck in kali-dev, waiting for automatic tests to run, before it can migrate to kali-rolling. This new version of kali-defaults provides the missing sysctl config files in /usr/lib/sysctl.d, and those files define the default values.

So it's a packaging issue, I should have been more careful and make kali-tweaks Depend on kali-defaults >= 2023.1.0, my mistake. Sorry that you spend your time on this. Let me see if I can speed up the migration of the package kali-defaults.
X0RW3LL

X0RW3LL

2022-12-19 02:38

reporter   ~0017255

No worries at all..I still learned something new, and I like debugging, so that wasn't a waste of time for me at all.
Thank you for the explanation!
arnaudr

arnaudr

2022-12-19 03:01

manager   ~0017256

kali-defaults 2023.1.0 is now in kali-rolling. It will take a few hours until it hits the mirrors. Closing this bug then. Thanks again for the report !

Issue History

Date Modified Username Field Change
2022-12-16 16:02 X0RW3LL New Issue
2022-12-16 16:25 X0RW3LL Note Added: 0017248
2022-12-16 22:58 Gamb1t Assigned To => arnaudr
2022-12-16 22:58 Gamb1t Status new => assigned
2022-12-19 02:32 arnaudr Note Added: 0017254
2022-12-19 02:38 X0RW3LL Note Added: 0017255
2022-12-19 03:01 arnaudr Note Added: 0017256
2022-12-19 03:01 arnaudr Status assigned => resolved
2022-12-19 03:01 arnaudr Resolution open => fixed
2022-12-19 03:01 arnaudr Fixed in Version => kali-dev