From 21489111d107023f150988137180154ba62e1ff2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 08:34:03 +0000 Subject: [PATCH] run permission lockdown during pam https://forums.whonix.org/t/change-default-umask/7416 --- debian/security-misc.postinst | 28 +--------------- usr/lib/security-misc/permission-lockdown | 33 +++++++++++++++++++ .../permission-lockdown-security-misc | 6 ++++ 3 files changed, 40 insertions(+), 27 deletions(-) create mode 100755 usr/lib/security-misc/permission-lockdown create mode 100644 usr/share/pam-configs/permission-lockdown-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 194929f..ffdd07d 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,32 +15,6 @@ true " ##################################################################### " -home_folder_access_rights_lockdown() { - mkdir -p /var/cache/security-misc/state-files - - shopt -s nullglob - - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then - continue - fi - chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" - done - - shopt -u nullglob -} - case "$1" in configure) glib-compile-schemas /usr/share/glib-2.0/schemas || true @@ -59,7 +33,7 @@ addgroup root sudo pam-auth-update --package -home_folder_access_rights_lockdown +/usr/lib/security-misc/permission-lockdown true "INFO: debhelper beginning here." 
diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown
new file mode 100755
index 0000000..8a79844
--- /dev/null
+++ b/usr/lib/security-misc/permission-lockdown
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x
+
+home_folder_access_rights_lockdown() {
+ mkdir -p /var/cache/security-misc/state-files
+
+ shopt -s nullglob
+
+ ## Not using dotglob.
+ ## touch /var/cache/security-misc/state-files//home/.Trash
+ ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+ local folder_name base_name
+
+ for folder_name in /home/* ; do
+ base_name="$(basename "$folder_name")"
+ if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+ continue
+ fi
+ chmod o-rwx "$folder_name"
+ ## Create a state-file so we do this only once.
+ ## Therefore a user who will manually undo this, will not get
+ ## annoyed by this being done over and over again.
+ touch "/var/cache/security-misc/state-files/$base_name"
+ done
+
+ shopt -u nullglob
+}
+
+home_folder_access_rights_lockdown
+
+exit 0
diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc
new file mode 100644
index 0000000..ac974e8
--- /dev/null
+++ b/usr/share/pam-configs/permission-lockdown-security-misc
@@ -0,0 +1,6 @@
+Name: prevent others from reading one's home folder (by package security-misc)
+Default: yes
+Priority: 500
+Session-Type: Additional
+Session:
+ optional pam_exec.so debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown
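Review bot: The state file is written whether or not the `chmod o-rwx` succeeded (there is no `set -e` and the `touch` follows unconditionally), so a home directory whose lockdown fails — a read-only or root-squashed /home is plausible now that this runs from pam_exec on arbitrary hosts rather than only at package install — is recorded as done and never retried while it stays world-readable. Gate the marker on the result, `chmod o-rwx "$folder_name" || continue` before the `touch`, so the next PAM session retries it. As far as I recall pam_exec execs the command with the PAM environment rather than the caller's shell environment, so `PATH` may be absent or come from pam_env; pinning `PATH=/usr/sbin:/usr/bin:/sbin:/bin` near `set -x`, or calling the coreutils by absolute path, would remove that dependency. `chmod` also follows symlinks, so a symlinked `/home/*` entry would have its target modified; `[ -d "$folder_name" ] && [ ! -L "$folder_name" ] || continue` at the top of the loop restricts the change to real directories.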
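Review bot: With `Default: yes`, `Session-Type: Additional` and no `Session-Interactive-Only` field, this runs the script on every PAM session of every service — on Debian that includes each cron job — and `log=` captures the script's full `set -x` trace each time into `/var/log/permission-lockdown-security-misc`, with no logrotate snippet in this commit, so the file grows without bound and `debug` adds syslog noise on top. Consider dropping `debug` (and `set -x` in the script) once the feature is verified, or shipping a logrotate config for that path; I believe pam-auth-update's `Session-Interactive-Only: yes` would also keep cron and other non-interactive sessions out of it. A comment in the file explaining `seteuid` — that setuid clients such as sudo must run the lockdown with effective uid 0 rather than the invoker's real uid, and that with a non-root effective uid the script's mkdir/chmod simply fail while the module stays `optional` — would help the next maintainer understand why it is there.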