From a330a9fd75314931639e7e873adc31c5cc65d555 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 26 Oct 2023 19:20:21 -0400
Subject: [PATCH] refactor permission-lockdown

---
 usr/libexec/security-misc/permission-lockdown | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index a89e1ec..1035450 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -32,16 +32,25 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
 home_folder_access_rights_lockdown() {
- # Each users home directory to himself
- for user in $(dir /home); do # lists directories only
- if [ -f /var/cache/security-misc/state-files/$user ]; then
+ mkdir --parents /var/cache/security-misc/state-files
+ local user
+ for user in $(dir /home); do ## lists directories only
+ if [ -f "/var/cache/security-misc/state-files/$user" ]; then
 continue
 fi
- if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory
- dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user
- echo "Permission updated: chmod go-rwx /home/$user"
- touch /var/cache/security-misc/state-files/$user # so that we know we did this one
- fi
+ folder_name="/home/$user"
+ ## chmod:
+ ## The 'g' for 'group' is not needed.
+ ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf.
+ ## The group which the user is being added to has the same name as the user.
+ ## If the username is user then the name of the group is also user.
+ ## Some background information here:
+ ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux
+ ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command
+ ## required to run is sudo addgroup user1 user2.
+ echo "$0: chmod o-rwx \"$folder_name\""
+ chmod o-rwx "$folder_name"
+ touch "/var/cache/security-misc/state-files/$user"
 done
 }
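Review bot: The account-existence check (`id --user`) from the removed lines is gone although the commit is described as a refactor, so every name `dir /home` prints is now chmod'ed and recorded as done, including plain files, symlinks (which `chmod` follows) and directories that belong to no account; `dir` does not list "directories only" as the new comment claims, and the unquoted `$(dir /home)` word-splits names containing whitespace. `folder_name` is assigned without `local`, unlike `user`, so it leaks into the caller's scope. The state file is also touched whether or not `chmod` succeeded, so a failed lockdown is never retried; unless the script runs under `set -e` (not visible in the hunk) the `touch` should depend on the `chmod`. The loop below iterates the glob instead of parsing `dir`, restores the account check, skips non-directories and symlinks, and records only successful runs.
```shell
  mkdir --parents /var/cache/security-misc/state-files
  local user folder_name
  for folder_name in /home/*; do
    user="${folder_name##*/}"
    ## Only real, non-symlinked directories that belong to an existing account;
    ## anything else under /home is left alone and not marked as done.
    if [ ! -d "$folder_name" ] || [ -L "$folder_name" ]; then
      continue
    fi
    if ! id --user "$user" >/dev/null 2>&1; then
      continue
    fi
    if [ -f "/var/cache/security-misc/state-files/$user" ]; then
      continue
    fi
    ## … unchanged: chmod background comment, echo …
    chmod o-rwx "$folder_name" || continue
    touch "/var/cache/security-misc/state-files/$user"
  ## … unchanged: end of loop and function …
```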