mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-02-13 03:41:23 -05:00
Handle de-corruption of new_mode a bit better
parent
a0f81958df
commit
c6f09748f3
26
debian/security-misc.postinst
vendored
26
debian/security-misc.postinst
vendored
@ -38,6 +38,7 @@ permission_hardening() {
|
||||
}
|
||||
|
||||
migrate_permission_hardener_state() {
|
||||
local existing_mode_dir new_mode_dir dpkg_statoverride_list
|
||||
## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
|
||||
if [ ! -d '/var/lib/permission-hardener' ]; then
|
||||
return 0
|
||||
@ -48,10 +49,27 @@ migrate_permission_hardener_state() {
|
||||
fi
|
||||
mkdir --parents '/var/lib/security-misc/do_once'
|
||||
|
||||
mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
|
||||
mkdir --parents '/var/lib/permission-hardener-v2/new_mode'
|
||||
cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
|
||||
cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/new_mode/statoverride'
|
||||
existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
|
||||
new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
|
||||
|
||||
mkdir --parents "${existing_mode_dir}";
|
||||
mkdir --parents "${new_mode_dir}";
|
||||
|
||||
cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
|
||||
cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
|
||||
|
||||
dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
|
||||
|
||||
if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
|
||||
if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
|
||||
dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
|
||||
fi
|
||||
fi
|
||||
if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
|
||||
if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
|
||||
dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
|
||||
fi
|
||||
fi
|
||||
|
||||
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
|
||||
}
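Review bot: The guard `[[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]` is a substring test against the whole `--list` output, so any recorded path that merely contains `/usr/bin/sudo` (for example a longer sibling binary name) satisfies it, and the setuid `4750` entry for sudo is then never added to the new_mode database; the pkexec check has the same shape. Querying the exact path is tighter and removes the need for the captured list: `if ! dpkg-statoverride --admindir "${new_mode_dir}" --list '/usr/bin/sudo' >/dev/null 2>&1; then`. Separately, `dpkg-statoverride --list` exits non-zero when the database holds no overrides, so if this postinst runs under `set -e` (not visible here) the plain assignment to `dpkg_statoverride_list` would abort the migration on an empty legacy file. The function begins in the previous hunk, so its early-return conditions are only partly visible.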
|
||||
|
@ -8,6 +8,7 @@ root root 744 /usr/bin/newgrp
|
||||
root root 700 /etc/cron.weekly
|
||||
root root 744 /usr/bin/su
|
||||
root root 700 /etc/cron.daily
|
||||
root root 755 /bin/ping
|
||||
root root 644 /etc/motd
|
||||
root _ssh 744 /usr/bin/ssh-agent
|
||||
root root 700 /boot
|
||||
|