security-misc/debian/security-misc.postinst

#!/bin/bash

## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
   source /usr/lib/helper-scripts/pre.bsh
fi

set -e

true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

case "$1" in
    configure)
        ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
        glib-compile-schemas /usr/share/glib-2.0/schemas || true
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

## /usr/lib/security-misc/hide-hardware-info
addgroup --system sysfs
addgroup --system cpuinfo

## group 'sudo' membership required to use 'su'
## /usr/share/pam-configs/wheel-security-misc
addgroup root sudo

## Related to Console Lockdown.
## /usr/share/pam-configs/console-lockdown-security-misc
## /etc/security/access-security-misc.conf
addgroup --system console
addgroup --system console-unrestricted
addgroup --system ssh
## This has no effect since by default this package also ships and an
## /etc/securetty configuration file that contains nothing but comments, i.e.
## an "empty" /etc/securetty.
## In case a system administrator edits /etc/securetty, there is no need to
## block for this to be still blocked by console lockdown. See also:
## https://www.whonix.org/wiki/Root#Root_Login
addgroup root console

pam-auth-update --package

/usr/lib/security-misc/permission-lockdown

## https://phabricator.whonix.org/T377
## Debian has no update-grub trigger yet:
## https://bugs.debian.org/481542
if command -v update-grub >/dev/null 2>&1; then
   update-grub || \
      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
likely only the trigger, not the cause. Unless you know this is not an issue, \
you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi

true "INFO: debhelper beginning here."

#DEBHELPER#

true "INFO: Done with debhelper."

true "
#####################################################################
## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#!/bin/bash`

copyright 2019-10-31 11:19:44 -04:00			`## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`## See the file COPYING for copying conditions.`

update path to pre.bsh 2019-05-12 02:58:45 -04:00			`if [ -f /usr/lib/helper-scripts/pre.bsh ]; then`
			`source /usr/lib/helper-scripts/pre.bsh`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`fi`

			`set -e`

			`true "`
			`#####################################################################`
"$@" 2017-03-06 10:00:33 -05:00			`## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#####################################################################`
			`"`

			`case "$1" in`
			`configure)`
comment 2019-12-08 01:59:55 -05:00			`## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
override glib-compile-schemas with \|\| true in postinst https://phabricator.whonix.org/T500 2017-02-19 17:32:04 -05:00			`glib-compile-schemas /usr/share/glib-2.0/schemas \|\| true`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`;;`

			`abort-upgrade\|abort-remove\|abort-deconfigure)`
			`;;`

			`*)`
			echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
			`exit 1`
			`;;`
			`esac`

comment 2019-12-08 02:01:22 -05:00			`## /usr/lib/security-misc/hide-hardware-info`
Create sysfs and cpuinfo groups 2019-10-15 17:02:03 -04:00			`addgroup --system sysfs`
			`addgroup --system cpuinfo`
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00
comment 2019-12-08 01:56:30 -05:00			`## group 'sudo' membership required to use 'su'`
			`## /usr/share/pam-configs/wheel-security-misc`
refactoring, add all groups first before adding any users to any groups 2019-12-08 01:43:45 -05:00			`addgroup root sudo`
comment 2019-12-08 01:46:32 -05:00
			`## Related to Console Lockdown.`
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00			`## /usr/share/pam-configs/console-lockdown-security-misc`
comment 2019-12-08 01:46:32 -05:00			`## /etc/security/access-security-misc.conf`
refactoring 2019-12-08 01:58:58 -05:00			`addgroup --system console`
			`addgroup --system console-unrestricted`
			`addgroup --system ssh`
comment 2019-12-08 01:46:32 -05:00			`## This has no effect since by default this package also ships and an`
			`## /etc/securetty configuration file that contains nothing but comments, i.e.`
			`## an "empty" /etc/securetty.`
comment 2019-12-08 01:47:40 -05:00			`## In case a system administrator edits /etc/securetty, there is no need to`
			`## block for this to be still blocked by console lockdown. See also:`
			`## https://www.whonix.org/wiki/Root#Root_Login`
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`addgroup root console`
description 2019-07-31 03:29:42 -04:00
remove modifying to /etc/pam.d directly (unrelased) config-package-dev displace /etc/securetty remove trailing spaces https://forums.whonix.org/t/restrict-root-access/7658/31 2019-07-13 07:41:37 -04:00			`pam-auth-update --package`
Due to error: Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so run: pam-auth-update --package from Debian maintainer scripts 2019-07-07 16:51:40 -04:00
run permission lockdown during pam https://forums.whonix.org/t/change-default-umask/7416 2019-08-14 04:34:03 -04:00			`/usr/lib/security-misc/permission-lockdown`
Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. 2019-07-13 12:20:14 -04:00
run update-grub from postinst so /etc/default/grub.d changes take effect 2019-09-07 01:44:23 -04:00			`## https://phabricator.whonix.org/T377`
			`## Debian has no update-grub trigger yet:`
			`## https://bugs.debian.org/481542`
			`if command -v update-grub >/dev/null 2>&1; then`
			`update-grub \|\| \`
			`echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \`
			`'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \`
			`likely only the trigger, not the cause. Unless you know this is not an issue, \`
			`you should fix running 'update-grub', otherwise your system might no longer \`
			`boot." >&2`
			`fi`

disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`true "INFO: debhelper beginning here."`

			`#DEBHELPER#`

			`true "INFO: Done with debhelper."`

			`true "`
			`#####################################################################`
"$@" 2017-03-06 10:00:33 -05:00			`## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@`
disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500 2017-02-19 17:25:28 -05:00			`#####################################################################`
			`"`

			`## Explicitly "exit 0", so eventually trapped errors can be ignored.`
			`exit 0`