From 50bdd097df4c87cd4507311df9c0b14d237c534b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:56:31 -0400 Subject: [PATCH] move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS --- README.md | 12 ++--- debian/security-misc.postinst | 2 +- debian/security-misc.preinst | 2 +- etc/X11/Xsession.d/50panic_on_oops | 4 +- etc/kernel/postinst.d/30_remove-system-map | 4 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 4 +- lib/systemd/system/hide-hardware-info.service | 2 +- .../system/permission-hardening.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- rpm_spec/security-misc.spec.in | 8 +-- usr/bin/pkexec.security-misc | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/pam_tally2_not_if_x | 2 +- .../security-misc/permission-hardening | 2 +- usr/libexec/security-misc/permission-lockdown | 52 +++++++++---------- .../console-lockdown-security-misc | 2 +- ...pam-abort-on-locked-password-security-misc | 2 +- usr/share/pam-configs/tally2-security-misc | 4 +- 20 files changed, 57 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index c14357c..e716c44 100644 --- a/README.md +++ b/README.md @@ -159,7 +159,7 @@ be recovered. See: `/lib/systemd/system/remove-system-map.service` -`/usr/lib/security-misc/remove-system.map` +`/usr/libexec/security-misc/remove-system.map` * Coredumps are disabled as they may contain important information such as encryption keys or passwords. See: @@ -233,7 +233,7 @@ users from using `su` to gain root access or to switch user accounts — that logging in from a virtual console is still possible — `debian/security-misc.postinst` * Abort login for users with locked passwords — -`/usr/lib/security-misc/pam-abort-on-locked-password`. +`/usr/libexec/security-misc/pam-abort-on-locked-password`. * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty `/etc/securetty` file @@ -294,8 +294,8 @@ Informational output during Linux PAM: See: * `/usr/share/pam-configs/tally2-security-misc` -* `/usr/lib/security-misc/pam_tally2-info` -* `/usr/lib/security-misc/pam-abort-on-locked-password` +* `/usr/libexec/security-misc/pam_tally2-info` +* `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions @@ -317,7 +317,7 @@ to the installation of this package. See: * `debian/security-misc.postinst` -* `/usr/lib/security-misc/permission-lockdown` +* `/usr/libexec/security-misc/permission-lockdown` * `/usr/share/pam-configs/mkhomedir-security-misc` ### SUID / SGID removal and permission hardening @@ -331,7 +331,7 @@ default for now during testing and can optionally be enabled by running See: -* `/usr/lib/security-misc/permission-hardening` +* `/usr/libexec/security-misc/permission-hardening` * `/lib/systemd/system/permission-hardening.service` * `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 616c93b..cd4bf19 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -43,7 +43,7 @@ esac pam-auth-update --package -/usr/lib/security-misc/permission-lockdown +/usr/libexec/security-misc/permission-lockdown ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 6baabd6..f8c516d 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -16,7 +16,7 @@ true " " user_groups_modifications() { - ## /usr/lib/security-misc/hide-hardware-info + ## /usr/libexec/security-misc/hide-hardware-info addgroup --system sysfs addgroup --system cpuinfo diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops index a43ea39..81d9a9f 100755 --- a/etc/X11/Xsession.d/50panic_on_oops +++ b/etc/X11/Xsession.d/50panic_on_oops @@ -3,6 +3,6 @@ ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -x /usr/lib/security-misc/panic-on-oops ]; then - sudo --non-interactive /usr/lib/security-misc/panic-on-oops +if [ -x /usr/libexec/security-misc/panic-on-oops ]; then + sudo --non-interactive /usr/libexec/security-misc/panic-on-oops fi diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index c192b80..acb9786 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -3,6 +3,6 @@ ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if test -x /usr/lib/security-misc/remove-system.map ; then - /usr/lib/security-misc/remove-system.map +if test -x /usr/libexec/security-misc/remove-system.map ; then + /usr/libexec/security-misc/remove-system.map fi diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index b45c2a1..d0d1d35 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? -#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be ## set. Would otherwise error out with the following error message: diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index d1e41dc..1e4e16b 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,5 +1,5 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops +user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index 8720c98..edc0dc1 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -11,7 +11,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/usr/lib/security-misc/hide-hardware-info +ExecStart=/usr/libexec/security-misc/hide-hardware-info RemainAfterExit=yes [Install] diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 607e542..bbe7eca 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -13,7 +13,7 @@ After=local-fs.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/lib/security-misc/permission-hardening +ExecStart=/usr/libexec/security-misc/permission-hardening RemainAfterExit=yes [Install] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 83a60ad..518c5ef 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -15,7 +15,7 @@ After=qubes-sysinit.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/lib/security-misc/remount-secure +ExecStart=/usr/libexec/security-misc/remount-secure RemainAfterExit=yes [Install] diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index 3d0f44c..a0285b4 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -11,7 +11,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/usr/lib/security-misc/remove-system.map +ExecStart=/usr/libexec/security-misc/remove-system.map RemainAfterExit=yes [Install] diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index 63b6b91..bdc4e61 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -104,10 +104,10 @@ make %{?_smp_mflags} /lib/systemd/coredump.conf.d/disable-coredumps.conf /lib/systemd/system/proc-hidepid.service /lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/apt-get-update -/usr/lib/security-misc/apt-get-update-sanity-test -/usr/lib/security-misc/panic-on-oops -/usr/lib/security-misc/remove-system.map +/usr/libexec/security-misc/apt-get-update +/usr/libexec/security-misc/apt-get-update-sanity-test +/usr/libexec/security-misc/panic-on-oops +/usr/libexec/security-misc/remove-system.map /usr/share/glib-2.0/schemas/30_security-misc.gschema.override /usr/share/lintian/overrides/security-misc /usr/share/pam-configs/usergroups diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 6d0f956..d483f1c 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -122,7 +122,7 @@ else ## This is required for gdebi. ## REVIEW: is it ok that users can find out the PATH setting of root? ## lxqt-sudo does not clear environment variable PATH. - PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" + PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" export PATH lxqt-sudo "$@" || { exit_code=$? ; true; }; fi diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 55f3d1d..489e044 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE" if [ "$PAM_SERVICE" = "login" ]; then ## FIXME: ## Creates unwanted journal log entry. - ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1 + ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1 exit 1 else ## exit success so [success=1 default=ignore] will result in skipping the diff --git a/usr/libexec/security-misc/pam_tally2_not_if_x b/usr/libexec/security-misc/pam_tally2_not_if_x index 1afc024..8534f5a 100755 --- a/usr/libexec/security-misc/pam_tally2_not_if_x +++ b/usr/libexec/security-misc/pam_tally2_not_if_x @@ -37,6 +37,6 @@ done ## next PAM module (the pam_tally2 module). ## ## Causes confusing error message: -## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1 +## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1 ## https://github.com/linux-pam/linux-pam/issues/329 exit 1 diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index e326c02..33b4f27 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -10,7 +10,7 @@ ## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride ## To undo: -## sudo /usr/lib/security-misc/permission-hardening-undo +## sudo /usr/libexec/security-misc/permission-hardening-undo #set -x set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 607bc83..c1dbaaa 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -4,32 +4,32 @@ ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. -# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" -# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" -# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" -# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" -# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" -# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" -# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" -# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" -# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" -# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" -# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" -# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" -# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" -# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" -# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" -# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" -# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" -# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" -# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" -# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" -# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" -# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" -# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" +# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" +# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" +# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" +# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" +# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" +# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" +# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" +# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" +# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" +# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" +# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" +# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" +# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" +# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" +# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" +# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" +# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" +# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" +# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" +# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { shopt -s nullglob diff --git a/usr/share/pam-configs/console-lockdown-security-misc b/usr/share/pam-configs/console-lockdown-security-misc index 61fec78..df57a85 100644 --- a/usr/share/pam-configs/console-lockdown-security-misc +++ b/usr/share/pam-configs/console-lockdown-security-misc @@ -3,5 +3,5 @@ Default: no Priority: 280 Account-Type: Primary Account: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_login required pam_access.so accessfile=/etc/security/access-security-misc.conf debug diff --git a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc index 7298601..4d2ffa2 100644 --- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc +++ b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 300 Auth-Type: Primary Auth: - requisite pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password + requisite pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 0b23744..118db41 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,8 +3,8 @@ Default: yes Priority: 290 Auth-Type: Primary Auth: - optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x + optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug Account-Type: Primary Account: