View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008105 | Kali Linux | [All Projects] Kali Package Bug | public | 2022-12-16 16:02 | 2022-12-19 03:01 |
| Reporter | X0RW3LL | Assigned To | arnaudr | ||
| Priority | normal | Severity | trivial | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 2022.4 | ||||
| Target Version | Fixed in Version | kali-dev | |||
| Summary | 0008105: kali-tweaks 2023.1.0 does not unset unprivileged ports | ||||
| Description | kali-tweaks will only set unprivileged port hardening, but fail to unset it The issue is that systemd-sysctl (as far as I understand it) will only take into account the relevant config files found in /etc/sysctl.d in this case When the script unsets privileged port hardening, it removes said config file `/etc/sysctl.d/50-kali-tweaks-unprivileged-ports.conf`, leaving systemd-sysctl without a proper directive to write to `/proc/sys/net/ipv4/ip_unprivileged_port_start` So, upon initial configuration, ip_unprivileged_port_start is set to 1024 When the config file is removed as per the unselected option in kali-tweaks, systemd-sysctl no longer has a reference as to what the "new" value should be. Suggested mitigation: - Update `/etc/sysctl.d/50-kali-tweaks-unprivileged-ports.conf` to set the port start to 0, update systemd-sysctl with the prefix, and remove the file afterwards ```diff diff --git a/kali_tweaks/settings/sysctl.py b/kali_tweaks/settings/sysctl.py index 1d04710..173087c 100644 --- a/kali_tweaks/settings/sysctl.py +++ b/kali_tweaks/settings/sysctl.py @@ -128,5 +128,9 @@ class SysctlSetting: ) else: # Restore Kali's default + self._write_sysctl_setting( + "unprivileged-ports", "net.ipv4.ip_unprivileged_port_start", "0" + ) + self._apply_setting("net.ipv4.ip_unprivileged_port_start") self._remove_sysctl_setting("unprivileged-ports") self._apply_setting("net.ipv4.ip_unprivileged_port_start") ``` A similar fix might also be needed for dmesg-restrict Additionally, there's a typo in the choice description where it reads (Restrict ports > 1024) as opposed to (Restrict ports < 1024) | ||||
| Steps To Reproduce | ```sh kali@kali:~$ kali-tweaks # Hardening => [*] Privileged Ports # Apply and relaunch the tool, toggling off the switch this time # Notice the option will still be locked in when trying to unset it after the third relaunch ``` | ||||
| Additional Information | ``` $ cat /etc/os-release PRETTY_NAME="Kali GNU/Linux Rolling" NAME="Kali GNU/Linux" VERSION="2022.4" VERSION_ID="2022.4" VERSION_CODENAME="kali-rolling" ID=kali ID_LIKE=debian HOME_URL="https://www.kali.org/" SUPPORT_URL="https://forums.kali.org/" BUG_REPORT_URL="https://bugs.kali.org/" ANSI_COLOR="1;31" ``` ``` $ uname -a Linux FX7 6.0.0-kali5-amd64 0000001 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux ``` ``` $ apt policy kali-tweaks kali-tweaks: Installed: 2023.1.0 Candidate: 2023.1.0 Version table: *** 2023.1.0 500 500 https://kali.download/kali kali-rolling/main amd64 Packages 500 https://kali.download/kali kali-rolling/main i386 Packages 100 /var/lib/dpkg/status ``` | ||||
|
|
P.s apologies for the horrible Discord formatting P.s2 s/unprivileged/privileged/g |
|
|
Thanks for the quick feedback! The issue in this case is that the latest version of kali-defaults (2023.1.0) is not yet in kali-rolling. It's stuck in kali-dev, waiting for automatic tests to run, before it can migrate to kali-rolling. This new version of kali-defaults provides the missing sysctl config files in /usr/lib/sysctl.d, and those files define the default values. So it's a packaging issue, I should have been more careful and make kali-tweaks Depend on kali-defaults >= 2023.1.0, my mistake. Sorry that you spend your time on this. Let me see if I can speed up the migration of the package kali-defaults. |
|
|
No worries at all..I still learned something new, and I like debugging, so that wasn't a waste of time for me at all. Thank you for the explanation! |
|
|
kali-defaults 2023.1.0 is now in kali-rolling. It will take a few hours until it hits the mirrors. Closing this bug then. Thanks again for the report ! |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-12-16 16:02 | X0RW3LL | New Issue | |
| 2022-12-16 16:25 | X0RW3LL | Note Added: 0017248 | |
| 2022-12-16 22:58 | Gamb1t | Assigned To | => arnaudr |
| 2022-12-16 22:58 | Gamb1t | Status | new => assigned |
| 2022-12-19 02:32 | arnaudr | Note Added: 0017254 | |
| 2022-12-19 02:38 | X0RW3LL | Note Added: 0017255 | |
| 2022-12-19 03:01 | arnaudr | Note Added: 0017256 | |
| 2022-12-19 03:01 | arnaudr | Status | assigned => resolved |
| 2022-12-19 03:01 | arnaudr | Resolution | open => fixed |
| 2022-12-19 03:01 | arnaudr | Fixed in Version | => kali-dev |