Rename file permission hardening script

Hardener as the script is the agent that is hardening the file
permissions.

README.md

@@ -430,23 +430,23 @@ include but are not limited to:
 -   Protecting the information of sudoers from others.
 -   Protecting various system relevant files and modules.
 
-##### permission-hardening #####
+##### permission-hardener #####
 
 `permission-hardener` removes SUID / SGID bits from non-essential binaries as
 these are often used in privilege escalation attacks. It runs at package
 installation and upgrade time.
 
 There is also an optional systemd unit which does the same at boot time that
-can be enabled by running `systemctl enable permission-hardening.service` as
+can be enabled by running `systemctl enable permission-hardener.service` as
 root. The hardening at boot time is not the default because this slows down
 the boot too much.
 
 See:
 
-* `/usr/bin/permission-hardening`
+* `/usr/bin/permission-hardener`
 * `debian/security-misc.postinst`
-* `/lib/systemd/system/permission-hardening.service`
+* `/lib/systemd/system/permission-hardener.service`
-* `/etc/permission-hardening.d`
+* `/etc/permission-hardener.d`
 * https://forums.whonix.org/t/disable-suid-binaries/7706
 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
 

debian/security-misc.postinst

@@ -20,8 +20,8 @@ permission_hardening() {
     echo "Running SUID Disabler and Permission Hardener... See also:"
     echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
     echo ""
-    echo "$0: INFO: running: permission-hardening"
+    echo "$0: INFO: running: permission-hardener"
-    if ! permission-hardening ; then
+    if ! permission-hardener ; then
         echo "$0: ERROR: Permission hardening failed." >&2
         return 0
     fi
@@ -59,7 +59,7 @@ esac
 pam-auth-update --package
 
 /usr/libexec/security-misc/permission-lockdown
-permission_hardening
+permission_hardener
 
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:

etc/permission-hardener.d/25_default_passwd.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 # Keep the `passwd` utility executable to prevent issues with the

etc/permission-hardener.d/25_default_sudo.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## https://forums.whonix.org/t/restrict-root-access/7658/116

etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/bwrap exactwhitelist

etc/permission-hardener.d/25_default_whitelist_chromium.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 chrome-sandbox matchwhitelist

etc/permission-hardener.d/25_default_whitelist_dbus.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 dbus-daemon-launch-helper matchwhitelist

etc/permission-hardener.d/25_default_whitelist_firejail.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## There is a controversy about firejail but those who choose to install it

etc/permission-hardener.d/25_default_whitelist_fuse.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## required for AppImages such as electrum Bitcoin wallet

etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 libhardened_malloc.so matchwhitelist

etc/permission-hardener.d/25_default_whitelist_mount.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61

etc/permission-hardener.d/25_default_whitelist_pam.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## Without this, Xfce fails to start with a dbus-launch error.

etc/permission-hardener.d/25_default_whitelist_policykit.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/pkexec exactwhitelist

etc/permission-hardener.d/25_default_whitelist_qubes.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## TODO: research

etc/permission-hardener.d/25_default_whitelist_selinux.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /utempter/utempter matchwhitelist

etc/permission-hardener.d/25_default_whitelist_spice.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 spice-client-glib-usb-acl-helper matchwhitelist

etc/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## TODO: research

etc/permission-hardener.d/25_default_whitelist_sudo.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/sudo exactwhitelist

etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## required for performing password validation from unprivileged user

etc/permission-hardener.d/25_default_whitelist_virtualbox.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## TODO: research

etc/permission-hardener.d/30_default.conf

@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
+## Please use "/etc/permission-hardener.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## File permission hardening.
@@ -60,8 +60,8 @@
 /home/ 0755 root root
 /root/ 0700 root root
 /boot/ 0700 root root
-/etc/permission-hardening.d 0600 root root
+/etc/permission-hardener.d 0600 root root
-/usr/local/etc/permission-hardening.d 0600 root root
+/usr/local/etc/permission-hardener.d 0600 root root
 /lib/modules/ 0700 root root
 /usr/src 0700 root root
 /etc/cups/cupsd.conf 0400 root root

lib/systemd/system-preset/50-security-misc.preset

@@ -5,7 +5,7 @@
 disable hide-hardware-info.service
 
 ## Disable for now until development finished / tested.
-disable permission-hardening.service
+disable permission-hardener.service
 
 ## Disable for now until development finished / tested.
 ## https://github.com/Kicksecure/security-misc/pull/152

lib/systemd/system/permission-hardener.service

@@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=permission-hardening
+ExecStart=permission-hardener
 
 [Install]
 WantedBy=sysinit.target

usr/bin/permission-hardener

@@ -6,13 +6,10 @@
 ## https://forums.whonix.org/t/disable-suid-binaries/7706
 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
 
-## To undo:
-## sudo permission-hardening disable
-
 set -o errexit -o nounset -o pipefail
 
 exit_code=0
-store_dir="/var/lib/permission-hardening"
+store_dir="/var/lib/permission-hardener"
 dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
 
@@ -507,6 +504,8 @@ parse_config_folder() {
 
   shopt -s nullglob
   for config_file in \
+    /etc/permission-hardener.d/*.conf \
+    /usr/local/etc/permission-hardener.d/*.conf \
     /etc/permission-hardening.d/*.conf \
     /usr/local/etc/permission-hardening.d/*.conf
   do
@@ -620,7 +619,7 @@ spare() {
   To remove all:
     $0 disable all
 
-  This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
+  This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see:
     https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
 
   To view list of changed by SUID Disabler and Permission Hardener: