#!/bin/bash

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

## postinst maintainer script for the security-misc package.
##
## dpkg calls it as "<script> configure [old-version]" on install/upgrade,
## as "<script> triggered <trigger-names>" when a registered trigger fires,
## and with the abort-* verbs when an operation is rolled back. Everything
## after the case statement below only runs for the "configure" path.

if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
fi

## Required since this package uses debconf - this is mandatory even though
## the postinst itself does not use debconf commands.
source /usr/share/debconf/confmodule

## Abort on any unhandled non-zero exit status. Steps that are allowed to
## fail are explicitly guarded with "|| true" or "|| echo ..." below.
set -e

## "true" with a string argument is a no-op used here purely so the banner
## shows up in "set -x"/dpkg traces.
true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"

## Removes the legacy (v1) configuration folder /etc/permission-hardener.d
## if, and only if, it is empty. A non-empty folder is deliberately left in
## place (--ignore-fail-on-non-empty) and any rmdir error is ignored.
## Returns: always 0.
permission_hardening_legacy_config_folder() {
   if ! test -d /etc/permission-hardening.d ; then
      return 0
   fi
   rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardener.d || true
}

## Runs "permission-hardener enable" (SUID Disabler and Permission Hardener).
## Outputs: progress/info lines to stdout, an ERROR line to stderr on failure.
## Returns: always 0 - a failed hardener run is reported but deliberately does
##          not fail the package configuration (set -e is in effect).
permission_hardening() {
   echo "Running SUID Disabler and Permission Hardener... See also:"
   echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
   echo "$0: INFO: running: permission-hardener enable"
   if ! permission-hardener enable ; then
      echo "$0: ERROR: Permission hardening failed." >&2
      return 0
   fi
   echo "$0: INFO: Permission hardening success."
}

## One-time migration of permission-hardener state to the v2 layout.
##
## Writes a fixed "user group mode path" list to
## /var/lib/permission-hardener-v2/existing_mode/statoverride and then
## creates a do_once marker so the list is never written again (the marker
## file name is derived from this function's name via FUNCNAME[0]).
## The list presumably records the ownership/mode each path had before
## hardening, i.e. the baseline a v1 install started from - verify against
## permission-hardener's reader of existing_mode/statoverride.
## Returns: 0.
migrate_permission_hardener_state() {
   local v2_state_file

   ## Marker present -> migration already done, nothing to do.
   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
      return 0
   fi

   mkdir --parents '/var/lib/security-misc/do_once'

   ## This has to be stored in the postinst rather than installed by the
   ## package, because permission-hardener *will* change it and we *cannot*
   ## allow future package updates to overwrite it.
   v2_state_file="root root 644 /etc/passwd-
root root 755 /etc/cron.monthly
root root 755 /etc/sudoers.d
root shadow 2755 /usr/bin/expiry
root root 4755 /usr/bin/umount
root root 4755 /usr/bin/gpasswd
root root 755 /usr/lib/modules
root root 644 /etc/issue.net
root root 644 /etc/group-
root root 4755 /usr/bin/newgrp
root root 755 /etc/cron.weekly
root root 644 /etc/hosts.deny
root root 4755 /usr/bin/su
root root 644 /etc/hosts.allow
root root 700 /root
root root 755 /etc/cron.daily
root root 755 /bin/ping
root root 777 /etc/motd
root root 755 /boot
root root 755 /home
root shadow 2755 /usr/bin/chage
root root 4755 /usr/bin/chsh
root root 4755 /usr/bin/passwd
root root 4755 /usr/bin/chfn
root root 644 /etc/group
root root 755 /etc/permission-hardener.d
root root 644 /etc/passwd
root root 755 /usr/src
root root 4755 /usr/bin/mount
root root 777 /etc/issue
root root 755 /etc/cron.d"

   ## Not using sponge since moreutils might not be installed at this point.
   ## Plain redirection overwrites the file in place; this is fine here because
   ## the marker check above guarantees this runs at most once.
   mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
   echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'

   ## Record completion so later upgrades do not overwrite hardener state.
   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}

case "$1" in
   configure)
      if [ -d /etc/skel/.gnupg ]; then
         ## Lintian warns against use of chmod --recursive.
         ## Only the directory itself is tightened, not its contents.
         chmod 700 /etc/skel/.gnupg
      fi

      ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
      ## Compile failure is tolerated (|| true) so a broken third-party schema
      ## cannot block configuration of this package.
      glib-compile-schemas /usr/share/glib-2.0/schemas || true

      ## state dir for faillock
      mkdir -p /var/lib/security-misc/faillock

      ## migrate permission_hardener state to v2 if applicable
      migrate_permission_hardener_state
      ;;

   abort-upgrade|abort-remove|abort-deconfigure)
      ;;

   triggered)
      ## NOTE(review): "$\*" is emitted literally here (a backslash before "*"
      ## is preserved inside double quotes); "$*" was probably intended.
      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
      ## Trigger path: only re-run the hooks that depend on other packages'
      ## state, then leave; the rest of the configure flow is skipped.
      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
      /usr/libexec/security-misc/mmap-rnd-bits || true
      permission_hardening
      exit 0
      ;;

   *)
      echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
      exit 1
      ;;
esac

## (Re)apply this package's PAM profile(s); the profiles themselves are
## shipped by the package and are not visible in this script.
pam-auth-update --package

/usr/libexec/security-misc/permission-lockdown

permission_hardening

## https://phabricator.whonix.org/T377
## Debian has no update-grub trigger yet:
## https://bugs.debian.org/481542
## A failing update-grub is reported loudly but does not abort the postinst,
## since the breakage is usually in the bootloader setup, not in this package.
if command -v update-grub >/dev/null 2>&1; then
   update-grub || \
      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
likely only the trigger, not the cause. Unless you know this is not an issue, \
you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi

/usr/libexec/security-misc/mmap-rnd-bits || true

true "INFO: debhelper beginning here."

## Replaced at build time by debhelper-generated snippets; must stay on its
## own line.
#DEBHELPER#

true "INFO: Done with debhelper."

permission_hardening_legacy_config_folder

true "
#####################################################################
## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0