Removes read, write and execute access for others for all users who have home
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in the user's home folder which were
previously created with lax file permissions prior to installation of this
package.
This commit is contained in:
Patrick Schleizer 2019-07-13 16:20:14 +00:00
parent 4740e8b335
commit 3f031a297d
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 36 additions and 0 deletions
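The lockdown described in the commit message (remove the "others" bits from each directory under /home exactly once, recording a marker so the user can relax the permissions afterwards) can be written so that it is safe to run against an arbitrary tree. The function below is an added example, not the security-misc postinst and not the project's code: it takes the home root and the marker directory as arguments (the names `home_root`, `state_dir` and the helper `other_perms` are choices made here), skips symlinks and regular files instead of letting chmod follow them, and uses an explicit existence test rather than bash's nullglob so it runs under POSIX sh.

```shell
#!/bin/sh
## Added example: a hardened one-shot home directory lockdown.
## Not the security-misc postinst; argument names are this example's own.

## usage: home_folder_access_rights_lockdown [HOME_ROOT] [STATE_DIR]
home_folder_access_rights_lockdown() {
    home_root=${1:-/home}
    state_dir=${2:-/var/cache/security-misc/state-files}
    mkdir -p "$state_dir"

    ## No dot entries: hidden directories such as "$home_root/.Trash" are
    ## never matched by the glob and therefore never touched.
    for folder_name in "$home_root"/*; do
        ## An unmatched glob expands to itself; skip that literal.
        [ -e "$folder_name" ] || continue
        ## Only real directories. chmod dereferences symlinks, so a link
        ## placed under the home root would otherwise change its target.
        if [ -L "$folder_name" ] || ! [ -d "$folder_name" ]; then
            continue
        fi
        base_name=$(basename "$folder_name")
        state_file="$state_dir/$base_name"
        ## One-shot: once the marker exists the directory is left alone,
        ## so a user who re-opens permissions is not overridden again.
        [ -f "$state_file" ] && continue
        chmod o-rwx "$folder_name"
        touch "$state_file"
    done
}

## Helper: the "others" permission triplet of a path, e.g. "rwx" or "---".
## Reads the mode string from ls -ld (chars 8-10), which is POSIX-portable.
other_perms() {
    ls -ld "$1" | cut -c8-10
}
```

Re-running the function is idempotent for directories that already have a marker; deleting the marker file for one user re-applies the lockdown to that directory only.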

debian/control

@ -143,6 +143,14 @@ Description: enhances misc security settings
The default umask is changed to 006. This allows only the owner and group to
read and write to newly created files.
.
Removes read, write and execute access for others for all users who have home
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior installation of this
package.
.
The kernel now panics on oopses to prevent it from continuing running a
flawed process.
.
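Review bot: the new paragraph does not say what makes the lockdown one-shot, so a user who relaxed permissions and later wants them tightened again cannot tell from the description that removing the per-user marker under /var/cache/security-misc/state-files (created in the postinst hunk on this page) re-triggers it; suggest adding that sentence. Wording: "prior installation" should read "prior to installation", and "previously created files in user home folder which were previously created" repeats itself; something like "This protects files that were created in the user's home folder with lax permissions before this package was installed." reads better. Also "all users who have home folders under folder /home" overstates it slightly, since the loop only touches non-hidden entries directly under /home; "every directory matched by /home/*" is closer to what the code does.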


@ -15,6 +15,32 @@ true "
#####################################################################
"
home_folder_access_rights_lockdown() {
mkdir -p /var/cache/security-misc/state-files
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
case "$1" in
configure)
glib-compile-schemas /usr/share/glib-2.0/schemas || true
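Review bot: the loop body around `chmod o-rwx "$folder_name"` never checks that the entry is a directory, so a regular file or a symlink placed under /home is processed as well; chmod dereferences symlinks, so a link /home/foo pointing elsewhere would have its target's permissions changed and a marker named after the link written. Suggest guarding the loop before the chmod with `if [ -L "$folder_name" ] || ! [ -d "$folder_name" ]; then continue; fi`. Two smaller points: the marker is keyed only on `$base_name`, so a home directory that is deleted and later recreated for a same-named user is skipped until someone removes the marker by hand, which the commit message does not mention; and the comment `## touch /var/cache/security-misc/state-files//home/.Trash` no longer matches the code, which passes `$base_name` rather than the full path, so it reads as a leftover and should just say that hidden entries are not matched because dotglob is off.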
@ -31,6 +57,8 @@ esac
pam-auth-update --package
home_folder_access_rights_lockdown
true "INFO: debhelper beginning here."
#DEBHELPER#
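Review bot: `home_folder_access_rights_lockdown` is called after `esac` (the hunk's enclosing context) next to `pam-auth-update --package`, so it runs on every invocation of the maintainer script, including abort-upgrade and abort-remove, not only on `configure` as "during package installation or upgrade" in the commit message implies; suggest moving the call into the `configure)` branch shown in the previous hunk. Separately, if this script runs under `set -e`, one failing chmod (a read-only or immutable home, or a mounted home that rejects chmod) aborts package configuration, and a user who controls their own mount can keep the package unconfigured that way; consider `chmod o-rwx "$folder_name" || true` with a warning, or at least documenting the failure mode.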