lintian FHS

usr/libexec/security-misc/permission-hardening-undo

@@ -0,0 +1,136 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+#set -x
+set -e
+set -o pipefail
+
+if [ "$1" = "all" ]; then
+   remove_file="all"
+elif [ ! "$1" = "" ]; then
+   remove_file="$1"
+else
+   echo "ERROR: need to give parameter 'all' or a filename.
+
+examples:
+
+$0 all
+
+$0 /usr/bin/newgrp
+   " >&2
+fi
+
+exit_code=0
+
+dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
+dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
+
+undo_permission_hardening() {
+   if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
+      return 0
+   fi
+
+   local line
+
+   while read -r line; do
+      ## example line:
+      ## root root 4755 /usr/lib/eject/dmcrypt-get-device
+
+      local owner group mode file_name
+      if ! read -r owner group mode file_name <<< "$line" ; then
+         exit_code=201
+         echo "ERROR: cannot parse line: $line" >&2
+         continue
+      fi
+      true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'"
+
+      if [ "$remove_file" = "all" ]; then
+         do_proceed=true
+         verbose_maybe=""
+      else
+         if [ "$remove_file" = "$file_name" ]; then
+            do_proceed=true
+            verbose_maybe="--verbose"
+            remove_one=true
+         else
+            do_proceed=false
+            verbose_maybe=""
+         fi
+      fi
+
+      if [ "$do_proceed" = "false" ]; then
+         continue
+      fi
+
+      if [ "$remove_one" = "true" ]; then
+         set -x
+      fi
+
+      if test -e "$file_name" ; then
+         chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202
+         ## chmod need to be run after chown since chown removes suid.
+         ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
+         chmod $verbose_maybe "$mode" "$file_name" || exit_code=203
+      else
+         echo "INFO: file_name: '$file_name' - does not exist. This is likely normal."
+      fi
+
+      dpkg-statoverride --remove "$file_name" &>/dev/null || true
+      dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true
+      dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true
+
+      if [ "$remove_one" = "true" ]; then
+         set +x
+         break
+      fi
+
+   done < "/var/lib/permission-hardening/existing_mode/statoverride"
+}
+
+undo_permission_hardening
+
+if [ ! "$remove_file" = "all" ]; then
+   if [ ! "$remove_one" = "true" ]; then
+      echo "INFO: none removed.
+
+File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program.
+
+Note: This is expected if already done earlier.
+
+Note: This program expects the full path to the file. Example:
+
+$0 /usr/bin/newgrp
+
+The following syntax will not work:
+
+$0 program-name
+
+The following example will not work:
+
+$0 newgrp
+
+To remove all:
+
+$0 all
+
+This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
+https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener
+
+To view list of changed by SUID Disabler and Permission Hardener:
+https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener
+
+For re-enabling any specific SUID binary:
+https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries
+
+For completely disabling SUID Disabler and Permission Hardener:
+https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
+   fi
+fi
+
+if [ ! "$exit_code" = "0" ]; then
+   echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
+fi
+
+exit "$exit_code"