From 3f031a297dc2d54346e9c9b3d566c3fa3a469240 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 13 Jul 2019 16:20:14 +0000
Subject: [PATCH] Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package.
---
 debian/control | 8 ++++++++
 debian/security-misc.postinst | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/debian/control b/debian/control
index b57465b..e5eb848 100644
--- a/debian/control
+++ b/debian/control
@@ -143,6 +143,14 @@ Description: enhances misc security settings
  The default umask is changed to 006. This allows only the owner and group to read and write to newly created files.
  .
+ Removes read, write and execute access for others for all users who have home
+ folders under folder /home by running for example "chmod o-rwx /home/user"
+ during package installation or upgrade. This will be done only once per folder
+ in folder /home so users who wish to relax file permissions are free to do so.
+ This is to protect previously created files in user home folder which were
+ previously created with lax file permissions prior installation of this
+ package.
+ .
  The kernel now panics on oopses to prevent it from continuing running a flawed process.
  .
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 9217645..1bbae43 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,6 +15,32 @@ true "
 #####################################################################
 "
+home_folder_access_rights_lockdown() {
+ mkdir -p /var/cache/security-misc/state-files
+
+ shopt -s nullglob
+
+ ## Not using dotglob.
+ ## touch /var/cache/security-misc/state-files//home/.Trash
+ ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+ local folder_name base_name
+
+ for folder_name in /home/* ; do
+ base_name="$(basename "$folder_name")"
+ if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+ continue
+ fi
+ chmod o-rwx "$folder_name"
+ ## Create a state-file so we do this only once.
+ ## Therefore a user who will manually undo this, will not get
+ ## annoyed by this being done over and over again.
+ touch "/var/cache/security-misc/state-files/$base_name"
+ done
+
+ shopt -u nullglob
+}
+
 case "$1" in
 configure)
 glib-compile-schemas /usr/share/glib-2.0/schemas || true
@@ -31,6 +57,8 @@ esac
 pam-auth-update --package
+home_folder_access_rights_lockdown
+
 true "INFO: debhelper beginning here."
 #DEBHELPER#
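Review bot: The loop in home_folder_access_rights_lockdown runs `chmod o-rwx` on every entry that `/home/*` expands to, not only on directories, so a stray regular file or a dangling symlink under /home makes chmod fail, and if this script runs under `set -e` as Debian maintainer scripts usually do (the preamble is outside the hunk) that aborts package configuration; add `[ -d "$folder_name" ] || continue` before the state-file test so only home directories are touched. The "already done" markers are kept under /var/cache/security-misc, a location the FHS allows to be emptied at any time, so a cache cleanup would re-apply the lockdown and quietly undo a relaxation the user chose on purpose, which contradicts the once-only promise in the description; persistent state belongs under `/var/lib/security-misc/state-files` (hoisting it into `local state_dir=/var/lib/security-misc/state-files` keeps the three path uses in sync). The call added in the second hunk sits after `esac`, so it also runs for the abort-* invocations of postinst rather than only on configure; this is harmless thanks to the state files but worth a comment or a move into the `configure)` branch.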