Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-03-13 10:26:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

improve permission hardener migration code

Browse Source
This commit is contained in:
Patrick Schleizer 2025-01-15 09:44:48 -05:00
parent 2dfd30a44a
commit ca25716410
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
debian/security-misc.config vendored Normal file → Executable file
View File

@ -22,7 +22,7 @@ true "
" "
check_migrate_permission_hardener_state() { check_migrate_permission_hardener_state() {
local modified_pkg_data_str custom_hardening_arr config_file local pkg_list modified_pkg_data_str custom_hardening_arr config_file
## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
if [ ! -d '/var/lib/permission-hardener' ]; then if [ ! -d '/var/lib/permission-hardener' ]; then
@ -35,6 +35,8 @@ check_migrate_permission_hardener_state() {
fi fi
mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/security-misc/do_once'
source /usr/libexec/helper-scripts/package_installed_check.bsh
orig_hardening_arr=( orig_hardening_arr=(
'/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_sudo.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf'
@ -84,11 +86,24 @@ check_migrate_permission_hardener_state() {
'/etc/permission-hardener.d/30_default.conf' '/etc/permission-hardener.d/30_default.conf'
) )
pkg_list="security-misc"
if pkg_installed user-sysmaint-split ; then
pkg_list+=" user-sysmaint-split"
fi
if pkg_installed anon-apps-config ; then
pkg_list+=" anon-apps-config"
fi
## This will exit non-zero if some of the packages don't exist, but we ## This will exit non-zero if some of the packages don't exist, but we
## don't care. The packages that *are* installed will still be scanned. ## don't care. The packages that *are* installed will still be scanned.
modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true
## Example modified_pkg_data_str:
#modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
## If the above `dpkg -V` command doesn't return any permission-hardener
## If the above `dpkg --verify` command doesn't return any permission-hardener
## related lines, the array will contain no meaningful info, just a single ## related lines, the array will contain no meaningful info, just a single
## blank element at the start. Set the array to be explicitly empty in ## blank element at the start. Set the array to be explicitly empty in
## this scenario. ## this scenario.
@ -113,7 +128,11 @@ check_migrate_permission_hardener_state() {
if [ "${#custom_hardening_arr[@]}" != '0' ]; then if [ "${#custom_hardening_arr[@]}" != '0' ]; then
for custom_config_file in "${custom_hardening_arr[@]}"; do for custom_config_file in "${custom_hardening_arr[@]}"; do
echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" if ! test -e "${custom_config_file}" ; then
echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'"
else
echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'"
fi
done done
## db_input will return code 30 if the message won't be displayed, which ## db_input will return code 30 if the message won't be displayed, which
## causes a non-interactive install to error out if you don't use || true ## causes a non-interactive install to error out if you don't use || true