move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS

2025-04-29 22:06:10 -04:00 · 2021-08-03 12:56:31 -04:00 · 2021-08-03 12:56:31 -04:00 · 50bdd097df
commit 50bdd097df
parent 4fadaad8c0
20 changed files with 57 additions and 57 deletions
--- a/README.md
+++ b/README.md
@ -159,7 +159,7 @@ be recovered. See:
 `/lib/systemd/system/remove-system-map.service`
-`/usr/lib/security-misc/remove-system.map`
+`/usr/libexec/security-misc/remove-system.map`
 * Coredumps are disabled as they may contain important information such as
 encryption keys or passwords. See:
@ -233,7 +233,7 @@ users from using `su` to gain root access or to switch user accounts —
 that logging in from a virtual console is still possible — `debian/security-misc.postinst`
 * Abort login for users with locked passwords —
-`/usr/lib/security-misc/pam-abort-on-locked-password`.
+`/usr/libexec/security-misc/pam-abort-on-locked-password`.
 * Logging into the root account from a virtual, serial, whatnot console is
 prevented by shipping an existing and empty `/etc/securetty` file
@ -294,8 +294,8 @@ Informational output during Linux PAM:
 See:
 * `/usr/share/pam-configs/tally2-security-misc`
-* `/usr/lib/security-misc/pam_tally2-info`
+* `/usr/libexec/security-misc/pam_tally2-info`
-* `/usr/lib/security-misc/pam-abort-on-locked-password`
+* `/usr/libexec/security-misc/pam-abort-on-locked-password`
 ## Access rights restrictions
@ -317,7 +317,7 @@ to the installation of this package.
 See:
 * `debian/security-misc.postinst`
-* `/usr/lib/security-misc/permission-lockdown`
+* `/usr/libexec/security-misc/permission-lockdown`
 * `/usr/share/pam-configs/mkhomedir-security-misc`
 ### SUID / SGID removal and permission hardening
@ -331,7 +331,7 @@ default for now during testing and can optionally be enabled by running
 See:
-* `/usr/lib/security-misc/permission-hardening`
+* `/usr/libexec/security-misc/permission-hardening`
 * `/lib/systemd/system/permission-hardening.service`
 * `/etc/permission-hardening.d`
 * https://forums.whonix.org/t/disable-suid-binaries/7706
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -43,7 +43,7 @@ esac
 pam-auth-update --package
-/usr/lib/security-misc/permission-lockdown
+/usr/libexec/security-misc/permission-lockdown
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@ -16,7 +16,7 @@ true "
 "
 user_groups_modifications() {
-   ## /usr/lib/security-misc/hide-hardware-info
+   ## /usr/libexec/security-misc/hide-hardware-info
   addgroup --system sysfs
   addgroup --system cpuinfo
--- a/etc/X11/Xsession.d/50panic_on_oops
+++ b/etc/X11/Xsession.d/50panic_on_oops
@ -3,6 +3,6 @@
 ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
-if [ -x /usr/lib/security-misc/panic-on-oops ]; then
+if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
-   sudo --non-interactive /usr/lib/security-misc/panic-on-oops
+   sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
 fi
--- a/etc/kernel/postinst.d/30_remove-system-map
+++ b/etc/kernel/postinst.d/30_remove-system-map
@ -3,6 +3,6 @@
 ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
-if test -x /usr/lib/security-misc/remove-system.map ; then
+if test -x /usr/libexec/security-misc/remove-system.map ; then
-   /usr/lib/security-misc/remove-system.map
+   /usr/libexec/security-misc/remove-system.map
 fi
--- a/etc/sudoers.d/pkexec-security-misc
+++ b/etc/sudoers.d/pkexec-security-misc
@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 ## REVIEW: is it ok that users can find out the PATH setting of root?
-#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
 ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
 ## set. Would otherwise error out with the following error message:
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@ -1,5 +1,5 @@
 ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
-user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
+user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
+%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
--- a/lib/systemd/system/hide-hardware-info.service
+++ b/lib/systemd/system/hide-hardware-info.service
@ -11,7 +11,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/security-misc/hide-hardware-info
+ExecStart=/usr/libexec/security-misc/hide-hardware-info
 RemainAfterExit=yes
 [Install]
--- a/lib/systemd/system/permission-hardening.service
+++ b/lib/systemd/system/permission-hardening.service
@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/permission-hardening
+ExecStart=/usr/libexec/security-misc/permission-hardening
 RemainAfterExit=yes
 [Install]
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@ -15,7 +15,7 @@ After=qubes-sysinit.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/remount-secure
+ExecStart=/usr/libexec/security-misc/remount-secure
 RemainAfterExit=yes
 [Install]
--- a/lib/systemd/system/remove-system-map.service
+++ b/lib/systemd/system/remove-system-map.service
@ -11,7 +11,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/security-misc/remove-system.map
+ExecStart=/usr/libexec/security-misc/remove-system.map
 RemainAfterExit=yes
 [Install]
--- a/rpm_spec/security-misc.spec.in
+++ b/rpm_spec/security-misc.spec.in
@ -104,10 +104,10 @@ make %{?_smp_mflags}
 /lib/systemd/coredump.conf.d/disable-coredumps.conf
 /lib/systemd/system/proc-hidepid.service
 /lib/systemd/system/remove-system-map.service
-/usr/lib/security-misc/apt-get-update
+/usr/libexec/security-misc/apt-get-update
-/usr/lib/security-misc/apt-get-update-sanity-test
+/usr/libexec/security-misc/apt-get-update-sanity-test
-/usr/lib/security-misc/panic-on-oops
+/usr/libexec/security-misc/panic-on-oops
-/usr/lib/security-misc/remove-system.map
+/usr/libexec/security-misc/remove-system.map
 /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
 /usr/share/lintian/overrides/security-misc
 /usr/share/pam-configs/usergroups
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@ -122,7 +122,7 @@ else
   ## This is required for gdebi.
   ## REVIEW: is it ok that users can find out the PATH setting of root?
   ## lxqt-sudo does not clear environment variable PATH.
-   PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
+   PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
   export PATH
   lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
--- a/usr/libexec/security-misc/pam_only_if_login
+++ b/usr/libexec/security-misc/pam_only_if_login
@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
 if [ "$PAM_SERVICE" = "login" ]; then
   ## FIXME:
   ## Creates unwanted journal log entry.
-   ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1
+   ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1
   exit 1
 else
   ## exit success so [success=1 default=ignore] will result in skipping the
--- a/usr/libexec/security-misc/pam_tally2_not_if_x
+++ b/usr/libexec/security-misc/pam_tally2_not_if_x
@ -37,6 +37,6 @@ done
 ## next PAM module (the pam_tally2 module).
 ##
 ## Causes confusing error message:
-## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1
+## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
 ## https://github.com/linux-pam/linux-pam/issues/329
 exit 1
--- a/usr/libexec/security-misc/permission-hardening
+++ b/usr/libexec/security-misc/permission-hardening
@ -10,7 +10,7 @@
 ## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
 ## To undo:
-## sudo /usr/lib/security-misc/permission-hardening-undo
+## sudo /usr/libexec/security-misc/permission-hardening-undo
 #set -x
 set -e
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@ -4,32 +4,32 @@
 ## See the file COPYING for copying conditions.
 ## Doing this for all users would create many issues.
-# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
+# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
-# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
+# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
-# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
+# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
-# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
+# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
-# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
+# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
-# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
+# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
-# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
+# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
-# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
+# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
-# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
+# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
-# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
+# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
-# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
+# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
-# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
+# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
-# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
+# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
-# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
+# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
-# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
+# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
-# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
+# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
-# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
+# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
-# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
+# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
-# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
-# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
+# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
-# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
+# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
-# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
+# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
-# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
+# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
-# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
+# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
 home_folder_access_rights_lockdown() {
   shopt -s nullglob
--- a/usr/share/pam-configs/console-lockdown-security-misc
+++ b/usr/share/pam-configs/console-lockdown-security-misc
@ -3,5 +3,5 @@ Default: no
 Priority: 280
 Account-Type: Primary
 Account:
-	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/lib/security-misc/pam_only_if_login
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_only_if_login
 	required	pam_access.so accessfile=/etc/security/access-security-misc.conf debug
--- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc
+++ b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc
@ -3,4 +3,4 @@ Default: yes
 Priority: 300
 Auth-Type: Primary
 Auth:
-	requisite	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password
+	requisite	pam_exec.so	debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
@ -3,8 +3,8 @@ Default: yes
 Priority: 290
 Auth-Type: Primary
 Auth:
-	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
+	optional	pam_exec.so	debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
-	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
 	requisite	pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
 Account-Type: Primary
 Account: