From d2f6ac0491f179382f4b68455d19956049e6cd23 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 10 Dec 2019 03:50:23 -0500
Subject: [PATCH] fix, do user/group modifications in preinst rather than postinst
---
 debian/security-misc.postinst | 22 ----------------------
 debian/security-misc.preinst | 22 ++++++++++++++++++++++
 2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 9cbd277..aabb3d5 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -30,28 +30,6 @@ case "$1" in
     ;;
 esac
-## /usr/lib/security-misc/hide-hardware-info
-addgroup --system sysfs
-addgroup --system cpuinfo
-
-## group 'sudo' membership required to use 'su'
-## /usr/share/pam-configs/wheel-security-misc
-addgroup root sudo
-
-## Related to Console Lockdown.
-## /usr/share/pam-configs/console-lockdown-security-misc
-## /etc/security/access-security-misc.conf
-addgroup --system console
-addgroup --system console-unrestricted
-addgroup --system ssh
-## This has no effect since by default this package also ships and an
-## /etc/securetty configuration file that contains nothing but comments, i.e.
-## an "empty" /etc/securetty.
-## In case a system administrator edits /etc/securetty, there is no need to
-## block for this to be still blocked by console lockdown. See also:
-## https://www.whonix.org/wiki/Root#Root_Login
-addgroup root console
-
 pam-auth-update --package
 /usr/lib/security-misc/permission-lockdown
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index bd7fb61..7bb2c65 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -15,6 +15,28 @@ true "
 #####################################################################
 "
+## /usr/lib/security-misc/hide-hardware-info
+addgroup --system sysfs
+addgroup --system cpuinfo
+
+## group 'sudo' membership required to use 'su'
+## /usr/share/pam-configs/wheel-security-misc
+addgroup root sudo
+
+## Related to Console Lockdown.
+## /usr/share/pam-configs/console-lockdown-security-misc
+## /etc/security/access-security-misc.conf
+addgroup --system console
+addgroup --system console-unrestricted
+addgroup --system ssh
+## This has no effect since by default this package also ships and an
+## /etc/securetty configuration file that contains nothing but comments, i.e.
+## an "empty" /etc/securetty.
+## In case a system administrator edits /etc/securetty, there is no need to
+## block for this to be still blocked by console lockdown. See also:
+## https://www.whonix.org/wiki/Root#Root_Login
+addgroup root console
+
 sudo_users_check () {
    if command -v "qubesdb-read" &>/dev/null; then
       ## Qubes users can use dom0 to get a root terminal emulator.
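Review bot: Calling `addgroup` from preinst requires `Pre-Depends: adduser` in debian/control (not part of this patch), because preinst runs before the package's ordinary dependencies are guaranteed to be configured and addgroup is shipped by the adduser package; on a minimal system the very first added line, `addgroup --system sysfs`, can fail with command not found, and if the script runs under `set -e` (its top is outside the hunk) that aborts the installation. The `addgroup --system ssh` line sits under the Console Lockdown comment but nothing in the hunk says what consumes that group; a one-line comment naming the file that references it would keep the block self-explanatory. The sentence `## block for this to be still blocked by console lockdown. See also:` reads as a typo for `## for this to be still blocked by console lockdown. See also:`, which matches the intent of adding root to the console group. The trailing context cuts into `sudo_users_check`, whose body continues outside the hunk.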