move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS

README.md

@@ -159,7 +159,7 @@ be recovered. See:
 
 `/lib/systemd/system/remove-system-map.service`
 
-`/usr/lib/security-misc/remove-system.map`
+`/usr/libexec/security-misc/remove-system.map`
 
 * Coredumps are disabled as they may contain important information such as
 encryption keys or passwords. See:
@@ -233,7 +233,7 @@ users from using `su` to gain root access or to switch user accounts —
 that logging in from a virtual console is still possible — `debian/security-misc.postinst`
 
 * Abort login for users with locked passwords —
-`/usr/lib/security-misc/pam-abort-on-locked-password`.
+`/usr/libexec/security-misc/pam-abort-on-locked-password`.
 
 * Logging into the root account from a virtual, serial, whatnot console is
 prevented by shipping an existing and empty `/etc/securetty` file
@@ -294,8 +294,8 @@ Informational output during Linux PAM:
 See:
 
 * `/usr/share/pam-configs/tally2-security-misc`
-* `/usr/lib/security-misc/pam_tally2-info`
-* `/usr/lib/security-misc/pam-abort-on-locked-password`
+* `/usr/libexec/security-misc/pam_tally2-info`
+* `/usr/libexec/security-misc/pam-abort-on-locked-password`
 
 ## Access rights restrictions
 
@@ -317,7 +317,7 @@ to the installation of this package.
 See:
 
 * `debian/security-misc.postinst`
-* `/usr/lib/security-misc/permission-lockdown`
+* `/usr/libexec/security-misc/permission-lockdown`
 * `/usr/share/pam-configs/mkhomedir-security-misc`
 
 ### SUID / SGID removal and permission hardening
@@ -331,7 +331,7 @@ default for now during testing and can optionally be enabled by running
 
 See:
 
-* `/usr/lib/security-misc/permission-hardening`
+* `/usr/libexec/security-misc/permission-hardening`
 * `/lib/systemd/system/permission-hardening.service`
 * `/etc/permission-hardening.d`
 * https://forums.whonix.org/t/disable-suid-binaries/7706

debian/security-misc.postinst

@@ -43,7 +43,7 @@ esac
 
 pam-auth-update --package
 
-/usr/lib/security-misc/permission-lockdown
+/usr/libexec/security-misc/permission-lockdown
 
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:

debian/security-misc.preinst

@@ -16,7 +16,7 @@ true "
 "
 
 user_groups_modifications() {
-   ## /usr/lib/security-misc/hide-hardware-info
+   ## /usr/libexec/security-misc/hide-hardware-info
    addgroup --system sysfs
    addgroup --system cpuinfo
 

etc/X11/Xsession.d/50panic_on_oops

@@ -3,6 +3,6 @@
 ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-if [ -x /usr/lib/security-misc/panic-on-oops ]; then
-   sudo --non-interactive /usr/lib/security-misc/panic-on-oops
+if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
+   sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
 fi

etc/kernel/postinst.d/30_remove-system-map

@@ -3,6 +3,6 @@
 ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-if test -x /usr/lib/security-misc/remove-system.map ; then
-   /usr/lib/security-misc/remove-system.map
+if test -x /usr/libexec/security-misc/remove-system.map ; then
+   /usr/libexec/security-misc/remove-system.map
 fi

etc/sudoers.d/pkexec-security-misc

@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 
 ## REVIEW: is it ok that users can find out the PATH setting of root?
-#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
 
 ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
 ## set. Would otherwise error out with the following error message:

etc/sudoers.d/security-misc

@@ -1,5 +1,5 @@
 ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
+user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops

lib/systemd/system/hide-hardware-info.service

@@ -11,7 +11,7 @@ After=local-fs.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/security-misc/hide-hardware-info
+ExecStart=/usr/libexec/security-misc/hide-hardware-info
 RemainAfterExit=yes
 
 [Install]

lib/systemd/system/permission-hardening.service

@@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/permission-hardening
+ExecStart=/usr/libexec/security-misc/permission-hardening
 RemainAfterExit=yes
 
 [Install]

lib/systemd/system/remount-secure.service

@@ -15,7 +15,7 @@ After=qubes-sysinit.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/remount-secure
+ExecStart=/usr/libexec/security-misc/remount-secure
 RemainAfterExit=yes
 
 [Install]

lib/systemd/system/remove-system-map.service

@@ -11,7 +11,7 @@ After=local-fs.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/security-misc/remove-system.map
+ExecStart=/usr/libexec/security-misc/remove-system.map
 RemainAfterExit=yes
 
 [Install]

rpm_spec/security-misc.spec.in

@@ -104,10 +104,10 @@ make %{?_smp_mflags}
 /lib/systemd/coredump.conf.d/disable-coredumps.conf
 /lib/systemd/system/proc-hidepid.service
 /lib/systemd/system/remove-system-map.service
-/usr/lib/security-misc/apt-get-update
-/usr/lib/security-misc/apt-get-update-sanity-test
-/usr/lib/security-misc/panic-on-oops
-/usr/lib/security-misc/remove-system.map
+/usr/libexec/security-misc/apt-get-update
+/usr/libexec/security-misc/apt-get-update-sanity-test
+/usr/libexec/security-misc/panic-on-oops
+/usr/libexec/security-misc/remove-system.map
 /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
 /usr/share/lintian/overrides/security-misc
 /usr/share/pam-configs/usergroups

usr/bin/pkexec.security-misc

@@ -122,7 +122,7 @@ else
    ## This is required for gdebi.
    ## REVIEW: is it ok that users can find out the PATH setting of root?
    ## lxqt-sudo does not clear environment variable PATH.
-   PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
+   PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
    export PATH
    lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi

usr/libexec/security-misc/pam_only_if_login

@@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
 if [ "$PAM_SERVICE" = "login" ]; then
    ## FIXME:
    ## Creates unwanted journal log entry.
-   ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1
+   ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1
    exit 1
 else
    ## exit success so [success=1 default=ignore] will result in skipping the

usr/libexec/security-misc/pam_tally2_not_if_x

@@ -37,6 +37,6 @@ done
 ## next PAM module (the pam_tally2 module).
 ##
 ## Causes confusing error message:
-## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1
+## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
 ## https://github.com/linux-pam/linux-pam/issues/329
 exit 1

usr/libexec/security-misc/permission-hardening

@@ -10,7 +10,7 @@
 ## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
 
 ## To undo:
-## sudo /usr/lib/security-misc/permission-hardening-undo
+## sudo /usr/libexec/security-misc/permission-hardening-undo
 
 #set -x
 set -e

usr/libexec/security-misc/permission-lockdown

@@ -4,32 +4,32 @@
 ## See the file COPYING for copying conditions.
 
 ## Doing this for all users would create many issues.
-# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
-# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
-# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
-# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
-# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
-# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
-# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
-# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
-# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
-# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
-# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
-# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
-# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
-# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
-# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
-# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
-# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
-# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
-# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
-# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
-# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
-# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
-# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
+# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
+# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
+# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
+# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
+# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
+# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
+# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
+# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
+# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
+# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
+# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
+# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
+# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
+# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
+# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
+# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
+# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
+# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
+# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
+# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
+# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
+# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
 
 home_folder_access_rights_lockdown() {
    shopt -s nullglob

usr/share/pam-configs/console-lockdown-security-misc

@@ -3,5 +3,5 @@ Default: no
 Priority: 280
 Account-Type: Primary
 Account:
-	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/lib/security-misc/pam_only_if_login
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_only_if_login
 	required	pam_access.so accessfile=/etc/security/access-security-misc.conf debug

usr/share/pam-configs/pam-abort-on-locked-password-security-misc

@@ -3,4 +3,4 @@ Default: yes
 Priority: 300
 Auth-Type: Primary
 Auth:
-	requisite	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password
+	requisite	pam_exec.so	debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password

usr/share/pam-configs/tally2-security-misc

@@ -3,8 +3,8 @@ Default: yes
 Priority: 290
 Auth-Type: Primary
 Auth:
-	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
-	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
+	optional	pam_exec.so	debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
 	requisite	pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
 Account-Type: Primary
 Account: