diff --git a/debian/control b/debian/control
index b57465b..e5eb848 100644
--- a/debian/control
+++ b/debian/control
@@ -143,6 +143,14 @@ Description: enhances misc security settings
  The default umask is changed to 006. This allows only the owner and group to read and write to newly created files.
  .
+ Removes read, write and execute access for others for all users who have home
+ folders under folder /home by running for example "chmod o-rwx /home/user"
+ during package installation or upgrade. This will be done only once per folder
+ in folder /home so users who wish to relax file permissions are free to do so.
+ This is to protect previously created files in user home folder which were
+ previously created with lax file permissions prior installation of this
+ package.
+ .
  The kernel now panics on oopses to prevent it from continuing running a flawed process.
  .
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 9217645..1bbae43 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,6 +15,32 @@ true " ##################################################################### " +home_folder_access_rights_lockdown() { + mkdir -p /var/cache/security-misc/state-files + + shopt -s nullglob + + ## Not using dotglob. + ## touch /var/cache/security-misc/state-files//home/.Trash + ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory + + local folder_name base_name + + for folder_name in /home/* ; do + base_name="$(basename "$folder_name")" + if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then + continue + fi + chmod o-rwx "$folder_name" + ## Create a state-file so we do this only once. + ## Therefore a user who will manually undo this, will not get + ## annoyed by this being done over and over again. + touch "/var/cache/security-misc/state-files/$base_name" + done + + shopt -u nullglob +} + case "$1" in configure) glib-compile-schemas /usr/share/glib-2.0/schemas || true @@ -31,6 +57,8 @@ esac pam-auth-update --package +home_folder_access_rights_lockdown + true "INFO: debhelper beginning here." #DEBHELPER#
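Review bot: The state file in home_folder_access_rights_lockdown is touched unconditionally after `chmod o-rwx "$folder_name"`, so a failed chmod (read-only or network-mounted home, immutable directory) is either recorded as done and never retried, or, if the script runs under `set -e` (the header is outside this hunk), aborts the whole package configuration; record the marker only once the lockdown actually happened, `if chmod o-rwx "$folder_name"; then touch "/var/cache/security-misc/state-files/$base_name"; fi`, and print a warning in the else branch. GNU chmod always follows symlinks, so a symlinked entry under /home changes the mode of its target wherever that lives, and non-directory entries are chmod'ed too; restricting the loop to real directories, `[ -d "$folder_name" ] && [ ! -L "$folder_name" ] || continue`, keeps the effect to what the description promises. /var/cache is defined as data the administrator may delete at any time, so the "only once" guarantee holds only until the cache is cleared; /var/lib/security-misc is the conventional home for this persistent state. `shopt` also makes the function bash-only, which is fine only if the interpreter line (not visible here) is bash rather than sh.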