run permission lockdown during pam

https://forums.whonix.org/t/change-default-umask/7416

debian/security-misc.postinst

@@ -15,32 +15,6 @@ true "
 #####################################################################
 "
 
-home_folder_access_rights_lockdown() {
-   mkdir -p /var/cache/security-misc/state-files
-
-   shopt -s nullglob
-
-   ## Not using dotglob.
-   ## touch /var/cache/security-misc/state-files//home/.Trash
-   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
-
-   local folder_name base_name
-
-   for folder_name in /home/* ; do
-      base_name="$(basename "$folder_name")"
-      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
-         continue
-      fi
-      chmod o-rwx "$folder_name"
-      ## Create a state-file so we do this only once.
-      ## Therefore a user who will manually undo this, will not get
-      ## annoyed by this being done over and over again.
-      touch "/var/cache/security-misc/state-files/$base_name"
-   done
-
-   shopt -u nullglob
-}
-
 case "$1" in
     configure)
         glib-compile-schemas /usr/share/glib-2.0/schemas || true
@@ -59,7 +33,7 @@ addgroup root sudo
 
 pam-auth-update --package
 
-home_folder_access_rights_lockdown
+/usr/lib/security-misc/permission-lockdown
 
 true "INFO: debhelper beginning here."
 

usr/lib/security-misc/permission-lockdown

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x
+
+home_folder_access_rights_lockdown() {
+   mkdir -p /var/cache/security-misc/state-files
+
+   shopt -s nullglob
+
+   ## Not using dotglob.
+   ## touch /var/cache/security-misc/state-files//home/.Trash
+   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+   local folder_name base_name
+
+   for folder_name in /home/* ; do
+      base_name="$(basename "$folder_name")"
+      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+         continue
+      fi
+      chmod o-rwx "$folder_name"
+      ## Create a state-file so we do this only once.
+      ## Therefore a user who will manually undo this, will not get
+      ## annoyed by this being done over and over again.
+      touch "/var/cache/security-misc/state-files/$base_name"
+   done
+
+   shopt -u nullglob
+}
+
+home_folder_access_rights_lockdown
+
+exit 0

usr/share/pam-configs/permission-lockdown-security-misc

@@ -0,0 +1,6 @@
+Name: prevent others from reading one's home folder (by package security-misc)
+Default: yes
+Priority: 500
+Session-Type: Additional
+Session:
+	optional	pam_exec.so	debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown