security-misc/debian/security-misc.postinst

#!/bin/bash

## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
   source /usr/lib/helper-scripts/pre.bsh
fi

set -e

true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

home_folder_access_rights_lockdown() {
   mkdir -p /var/cache/security-misc/state-files

   shopt -s nullglob

   ## Not using dotglob.
   ## touch /var/cache/security-misc/state-files//home/.Trash
   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory

   local folder_name base_name

   for folder_name in /home/* ; do
      base_name="$(basename "$folder_name")"
      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
         continue
      fi
      chmod o-rwx "$folder_name"
      ## Create a state-file so we do this only once.
      ## Therefore a user who will manually undo this, will not get
      ## annoyed by this being done over and over again.
      touch "/var/cache/security-misc/state-files/$base_name"
   done

   shopt -u nullglob
}

case "$1" in
    configure)
        glib-compile-schemas /usr/share/glib-2.0/schemas || true
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

addgroup root sudo

pam-auth-update --package

home_folder_access_rights_lockdown

true "INFO: debhelper beginning here."

#DEBHELPER#

true "INFO: Done with debhelper."

true "
#####################################################################
## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#!/bin/bash`

update copyright 2018-01-29 10:22:05 -05:00			`## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`## See the file COPYING for copying conditions.`

update path to pre.bsh 2019-05-12 02:58:45 -04:00			`if [ -f /usr/lib/helper-scripts/pre.bsh ]; then`
			`source /usr/lib/helper-scripts/pre.bsh`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`fi`

			`set -e`

			`true "`
			`#####################################################################`
"$@" 2017-03-06 10:00:33 -05:00			`## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#####################################################################`
			`"`

Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. 2019-07-13 12:20:14 -04:00			`home_folder_access_rights_lockdown() {`
			`mkdir -p /var/cache/security-misc/state-files`

			`shopt -s nullglob`

			`## Not using dotglob.`
			`## touch /var/cache/security-misc/state-files//home/.Trash`
			`## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory`

			`local folder_name base_name`

			`for folder_name in /home/* ; do`
			`base_name="$(basename "$folder_name")"`
			`if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then`
			`continue`
			`fi`
			`chmod o-rwx "$folder_name"`
			`## Create a state-file so we do this only once.`
			`## Therefore a user who will manually undo this, will not get`
			`## annoyed by this being done over and over again.`
			`touch "/var/cache/security-misc/state-files/$base_name"`
			`done`

			`shopt -u nullglob`
			`}`

disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`case "$1" in`
			`configure)`
override glib-compile-schemas with \|\| true in postinst https://phabricator.whonix.org/T500 2017-02-19 17:32:04 -05:00			`glib-compile-schemas /usr/share/glib-2.0/schemas \|\| true`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`;;`

			`abort-upgrade\|abort-remove\|abort-deconfigure)`
			`;;`

			`*)`
			echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
			`exit 1`
			`;;`
			`esac`

description 2019-07-31 03:29:42 -04:00			`addgroup root sudo`

remove modifying to /etc/pam.d directly (unrelased) config-package-dev displace /etc/securetty remove trailing spaces https://forums.whonix.org/t/restrict-root-access/7658/31 2019-07-13 07:41:37 -04:00			`pam-auth-update --package`
Due to error: Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so run: pam-auth-update --package from Debian maintainer scripts 2019-07-07 16:51:40 -04:00
Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. 2019-07-13 12:20:14 -04:00			`home_folder_access_rights_lockdown`

disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`true "INFO: debhelper beginning here."`

			`#DEBHELPER#`

			`true "INFO: Done with debhelper."`

			`true "`
			`#####################################################################`
"$@" 2017-03-06 10:00:33 -05:00			`## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#####################################################################`
			`"`

			`## Explicitly "exit 0", so eventually trapped errors can be ignored.`
			`exit 0`