diff --git a/debian/security-misc.config b/debian/security-misc.config
index 71726a4..95684bc 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -22,6 +22,8 @@ true "
 "
 check_migrate_permission_hardener_state() {
+ local modified_pkg_data_str custom_hardening_arr config_file
+
 ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
 if [ ! -d '/var/lib/permission-hardener' ]; then
 return 0
@@ -82,7 +84,10 @@ check_migrate_permission_hardener_state() {
 '/etc/permission-hardener.d/30_default.conf'
 )
- readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+ ## This will exit non-zero if some of the packages don't exist, but we
+ ## don't care. The packages that *are* installed will still be scanned.
+ modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true
+ readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
 ## If the above `dpkg -V` command doesn't return any permission-hardener
 ## related lines, the array will contain no meaningful info, just a single
 ## blank element at the start. Set the array to be explicitly empty in
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 0603717..d1f61d1 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -38,6 +38,7 @@ permission_hardening() {
 }
 migrate_permission_hardener_state() {
+ local existing_mode_dir new_mode_dir dpkg_statoverride_list
 ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
 if [ ! -d '/var/lib/permission-hardener' ]; then
 return 0
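Review bot: The `|| true` on the `modified_pkg_data_str` assignment discards dpkg's exit status entirely, so a fatal dpkg error (an unreadable or locked status database, for instance) is indistinguishable from "a listed package is not installed" and silently produces an empty `custom_hardening_arr`, which makes the rest of check_migrate_permission_hardener_state behave as if no customized hardening files exist. dpkg(1) documents exit status 2 for fatal errors, so if the not-installed case maps to a different status it would be cleaner to capture it — `modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || dpkg_rc="$?"` with `dpkg_rc=0` set beforehand — and warn or abort on the fatal value instead of masking every failure; please verify which status dpkg returns for a missing package before relying on that. The comment above the call should also state why a non-zero exit is acceptable, e.g. `## dpkg -V exits non-zero both when a listed package is not installed and when files differ from the package; only its output matters here.` The function's body continues outside the hunk.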
@@ -48,8 +49,27 @@ migrate_permission_hardener_state() {
 fi
 mkdir --parents '/var/lib/security-misc/do_once'
- mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
- cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+ existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
+ new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
+
+ mkdir --parents "${existing_mode_dir}";
+ mkdir --parents "${new_mode_dir}";
+
+ cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
+ cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
+
+ dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
+
+ if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
+ if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
+ dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
+ fi
+ fi
+ if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
+ if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
+ dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
+ fi
+ fi
 touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index b2991e0..c5527e3 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -612,6 +612,11 @@ commit_policy() {
 -- "${policy_file_item}"
 fi
 done
+
+ log notice "\
+To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
+ sudo apt install --no-install-recommends meld
+ meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
 }
 undo_policy_for_file() {
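Review bot: The quoted right-hand side of `=~` in `[[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]` is a literal substring match, so an existing override for a longer path such as `/usr/bin/sudoedit` or `/usr/bin/sudoreplay` would make the check conclude that `/usr/bin/sudo` is already recorded and skip adding its mode; the `pkexec` branch has the same shape. Since `dpkg-statoverride --list` prints one `user group mode path` entry per line, anchoring the match on the end of the line avoids this, and the two near-identical branches can be collapsed into a loop that also skips a binary that is not installed instead of letting `stat` print an error and compare against an empty string. `sysmaint_bin` would then need adding to the new `local` line, and the trailing `;` after the two `mkdir --parents` calls are redundant. The function's opening lines are outside the hunk.
```shell
    dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"

    ## Record the current sysmaint-restricted mode of each privilege-escalation
    ## binary. The match is anchored on the whole path so that an entry for
    ## e.g. /usr/bin/sudoedit cannot be mistaken for one for /usr/bin/sudo.
    for sysmaint_bin in /usr/bin/sudo /usr/bin/pkexec; do
        [ -e "${sysmaint_bin}" ] || continue
        [ "$(stat --format '%G' "${sysmaint_bin}")" = 'sysmaint' ] || continue
        if ! grep -q -- " ${sysmaint_bin}\$" <<< "${dpkg_statoverride_list}"; then
            dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' "${sysmaint_bin}"
        fi
    done

    # … unchanged: touch of the do_once marker and closing brace …
```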
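Review bot: The notice added at the end of `commit_policy` steers users to `meld`, which needs a graphical session and an extra package, while `diff` is present on every system; the two statoverride files are plain line-oriented records, so `diff ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride` works everywhere and `meld` can be named as the optional GUI alternative. The message also hardcodes `sudo apt install`, which may not be the applicable mechanism on every system this package targets; a neutral `apt install --no-install-recommends meld` (to be run as root) reads better in a log notice. commit_policy starts outside the hunk.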
diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
new file mode 100644
index 0000000..142686e
--- /dev/null
+++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
@@ -0,0 +1,24 @@
+root root 700 /etc/cron.monthly
+root root 700 /etc/sudoers.d
+root shadow 744 /usr/bin/expiry
+root root 755 /usr/bin/umount
+root root 744 /usr/bin/gpasswd
+root root 700 /usr/lib/modules
+root root 744 /usr/bin/newgrp
+root root 700 /etc/cron.weekly
+root root 744 /usr/bin/su
+root root 700 /etc/cron.daily
+root root 755 /bin/ping
+root root 644 /etc/motd
+root _ssh 744 /usr/bin/ssh-agent
+root root 700 /boot
+root shadow 744 /usr/bin/chage
+root root 744 /usr/lib/openssh/ssh-keysign
+root root 744 /usr/bin/chsh
+root root 755 /usr/bin/passwd
+root root 744 /usr/bin/chfn
+root root 600 /etc/permission-hardener.d
+root root 700 /usr/src
+root root 755 /usr/bin/mount
+root root 644 /etc/issue
+root root 700 /etc/cron.d
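Review bot: `root root 600 /etc/permission-hardener.d` is the only directory in this baseline without the execute bit, while every other directory entry uses 700; if the file is meant to be a verbatim snapshot of what permission-hardener v1 applied it should stay as is, otherwise 600 on a directory looks like a typo for 700 and is worth confirming against the v1 code. The list also spells `/bin/ping` while every other binary is given under `/usr/bin`; if the existing-mode counterpart (not in this diff) records `/usr/bin/ping`, the comparison the `commit_policy` notice recommends will show a spurious add/remove pair for the same file on a merged-/usr system, so the path spelling should match between the two legacy-hardcoded files. The dpkg-statoverride format has no comment syntax, so the file's purpose is best documented next to the `cp` in the postinst, e.g. `## Modes as applied by permission-hardener v1 (presumed); seeds new_mode for comparison with existing_mode.`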