Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-28 19:07:01 -05:00
Code Issues Packages Projects Releases Wiki Activity

security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.

Browse Source 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
This commit is contained in:
Patrick Schleizer 2019-12-08 05:21:35 -05:00
parent edcc2de71d
commit c192644ee3
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 4 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
debian/control vendored
View File

@ -212,14 +212,15 @@ Description: enhances misc security settings
Removes read, write and execute access for others for all users who have Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example home folders under folder /home by running for example
"chmod o-rwx /home/user" "chmod o-rwx /home/user"
during package installation, upgrade or pam. This will be done only once per during package installation, upgrade or pam mkhomedir. This will be done only
once per
folder in folder /home so users who wish to relax file permissions are free to folder in folder /home so users who wish to relax file permissions are free to
do so. This is to protect previously created files in user home folder which do so. This is to protect previously created files in user home folder which
were previously created with lax file permissions prior installation of this were previously created with lax file permissions prior installation of this
package. package.
debian/security-misc.postinst debian/security-misc.postinst
/usr/share/pam-configs/permission-lockdown-security-misc
/usr/lib/security-misc/permission-lockdown /usr/lib/security-misc/permission-lockdown
/usr/share/pam-configs/mkhomedir-security-misc
. .
access rights relaxations: access rights relaxations:
. .

2
usr/share/pam-configs/mkhomedir-security-misc
View File

@ -4,4 +4,4 @@ Priority: 100
Session-Type: Additional Session-Type: Additional
Session-Interactive-Only: yes Session-Interactive-Only: yes
Session: Session:
optional pam_mkhomedir.so optional pam_mkhomedir.so umask=027

6
usr/share/pam-configs/permission-lockdown-security-misc
View File

@ -1,6 +0,0 @@
Name: prevent users from reading other users /home/user folders (by package security-misc)
Default: yes
Priority: 50
Session-Type: Additional
Session:
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown