Merge remote-tracking branch 'github-kicksecure/master'

etc/permission-hardening.d/25_default_passwd.conf

@@ -0,0 +1,14 @@
+## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+# Keep the `passwd` utility executable to prevent issues with the
+# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
+# user logins with `su` and KScreenLocker
+#
+# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
+/usr/bin/passwd 0755 root root
+/bin/passwd 0755 root root

etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for performing password validation from unprivileged user
+## processes such as KScreenLocker’s unlock prompt
+/usr/sbin/unix_chkpwd exactwhitelist
+/sbin/unix_chkpwd exactwhitelist