Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-26 00:28:28 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs

Browse source
This commit is contained in:
Aaron Rainbolt 2025-11-23 16:27:59 -06:00
parent edda37809f
commit a3417e997d
No known key found for this signature in database
GPG key ID: A709160D73C79109
1 changed files with 32 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

35
debian/security-misc-shared.postinst vendored
View file

@ -37,14 +37,40 @@ permission_hardening() {
echo "$0: INFO: Permission hardening success." echo "$0: INFO: Permission hardening success."
} }
fix_pkexec_remembered_permissions() {
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0
fi
mkdir --parents '/var/lib/security-misc/do_once'
if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
return 0
fi
## The existing_mode database may incorrectly list the original permissions
## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If
## this issue is not present, str_replace will do nothing.
str_replace 'root root 755 /usr/bin/pkexec' \
'root root 4755 /usr/bin/pkexec' \
/var/lib/permission-hardener-v2/existing_mode/statoverride
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}
install_permission_hardener_base_state() { install_permission_hardener_base_state() {
local state_str local state_str
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0 return 0
fi fi
mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/security-misc/do_once'
if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
return 0
fi
mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode' mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode'
state_str="root root 644 /etc/passwd- state_str="root root 644 /etc/passwd-
root root 755 /etc/cron.monthly root root 755 /etc/cron.monthly
@ -87,7 +113,7 @@ root root 644 /etc/issue
root root 755 /etc/cron.d" root root 755 /etc/cron.d"
printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
} }
case "$1" in case "$1" in
@ -103,6 +129,9 @@ case "$1" in
## state dir for faillock ## state dir for faillock
mkdir -p /var/lib/security-misc/faillock mkdir -p /var/lib/security-misc/faillock
## Fix pkexec remembered permissions if necessary.
fix_pkexec_remembered_permissions
## Pre-populate permission-hardener state on first postinst run. ## Pre-populate permission-hardener state on first postinst run.
## Necessary because the first permission-hardener run may occur ## Necessary because the first permission-hardener run may occur
## before all permissions are set properly by package postinst ## before all permissions are set properly by package postinst