Enable smooth migration from permission-hardener-v1 to permission-hardener-v2

debian/security-misc.postinst

@@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
    source /usr/libexec/helper-scripts/pre.bsh
 fi
 
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e
 
 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
 
@@ -33,6 +37,55 @@ permission_hardening() {
     echo "$0: INFO: Permission hardening success."
 }
 
+migrate_permission_hardener_state() {
+   local v2_state_file
+
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   ## This has to be stored in the postinst rather than installed by the
+   ## package, because permission-hardener *will* change it and we *cannot*
+   ## allow future package updates to overwrite it.
+   v2_state_file="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d"
+
+   ## Not using sponge since moreutils might not be installed at this point.
+   mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+   echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
 case "$1" in
     configure)
         if [ -d /etc/skel/.gnupg ]; then
@@ -45,13 +98,16 @@ case "$1" in
 
         ## state dir for faillock
         mkdir -p /var/lib/security-misc/faillock
+
+        ## migrate permission_hardener state to v2 if applicable
+        migrate_permission_hardener_state
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
     ;;
 
     triggered)
-      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
+      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
       /usr/share/security-misc/lkrg/lkrg-virtualbox || true
       /usr/libexec/security-misc/mmap-rnd-bits || true
       permission_hardening
@@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder
 
 true "
 #####################################################################
-## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "