Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-03 16:39:54 -05:00
Code Issues Packages Projects Releases Wiki Activity

run permission lockdown during pam

Browse Source 
https://forums.whonix.org/t/change-default-umask/7416
This commit is contained in:
Patrick Schleizer 2019-08-14 08:34:03 +00:00
parent 42f2d5f666
commit 21489111d1
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 40 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
debian/security-misc.postinst vendored
View File

@ -15,32 +15,6 @@ true "
##################################################################### #####################################################################
" "
home_folder_access_rights_lockdown() {
mkdir -p /var/cache/security-misc/state-files
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
case "$1" in case "$1" in
configure) configure)
glib-compile-schemas /usr/share/glib-2.0/schemas || true glib-compile-schemas /usr/share/glib-2.0/schemas || true
@ -59,7 +33,7 @@ addgroup root sudo
pam-auth-update --package pam-auth-update --package
home_folder_access_rights_lockdown /usr/lib/security-misc/permission-lockdown
true "INFO: debhelper beginning here." true "INFO: debhelper beginning here."

33
usr/lib/security-misc/permission-lockdown Executable file
View File

@ -0,0 +1,33 @@
#!/bin/bash
set -x
home_folder_access_rights_lockdown() {
mkdir -p /var/cache/security-misc/state-files
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
home_folder_access_rights_lockdown
exit 0

6
usr/share/pam-configs/permission-lockdown-security-misc Normal file
View File

@ -0,0 +1,6 @@
Name: prevent others from reading one's home folder (by package security-misc)
Default: yes
Priority: 500
Session-Type: Additional
Session:
optional pam_exec.so debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown