#!/bin/bash
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Load the shared helper-scripts prologue when it is installed. What it sets
## up is not visible in this file.
## NOTE(review): dpkg runs maintainer scripts with its own privileges
## (normally root), so the sourced file executes with them too - confirm it is
## shipped root-owned and not writable by other users.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
fi

## Abort on the first unhandled command failure. Steps below that are allowed
## to fail opt out explicitly with '|| true'.
set -e

## No-op banner: 'true' ignores its arguments, so this text only shows up when
## command tracing (xtrace) is active.
true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"
## Rename the legacy state directory /var/lib/permission-hardening to
## /var/lib/permission-hardener.
## Does nothing when the new directory already exists or when there is no
## legacy directory to migrate.
## Returns: 0 when nothing had to be done, otherwise the exit status of 'mv'.
permission_hardening_legacy_state_files() {
   local legacy_state_dir=/var/lib/permission-hardening
   local current_state_dir=/var/lib/permission-hardener

   ## Already migrated, or nothing to migrate.
   if [ -d "$current_state_dir" ] || [ ! -d "$legacy_state_dir" ]; then
      return 0
   fi

   mv --verbose "$legacy_state_dir" "$current_state_dir"
}
## Remove the legacy configuration folder /etc/permission-hardening.d, but
## only when it is empty. A folder that still holds files is left untouched.
## Returns: always 0; a failing 'rmdir' is ignored on purpose.
permission_hardening_legacy_config_folder() {
   local legacy_config_dir=/etc/permission-hardening.d

   [ -d "$legacy_config_dir" ] || return 0

   rmdir --verbose --ignore-fail-on-non-empty "$legacy_config_dir" || true
}
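## Run 'permission-hardener enable' and report the outcome.
## Outputs: progress and success messages on stdout, the failure message on
##          stderr.
## Returns: always 0. A hardener failure is deliberately non-fatal so that it
##          cannot leave the package unconfigured. The failure message carries
##          the hardener's exit code, because that line is then the only
##          record that the hardening step did not complete.
permission_hardening() {
   local hardener_exit_code=0

   echo "Running SUID Disabler and Permission Hardener... See also:"
   echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
   echo "$0: INFO: running: permission-hardener enable"
   echo ""

   ## Capture the status instead of discarding it; the '||' list keeps a
   ## failure from tripping 'set -e'.
   permission-hardener enable || hardener_exit_code=$?

   if [ "$hardener_exit_code" -ne 0 ]; then
      echo "$0: ERROR: Permission hardening failed. Exit code: $hardener_exit_code" >&2
      return 0
   fi

   echo ""
   echo "$0: INFO: Permission hardening success."
}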
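## Dispatch on the maintainer-script action that dpkg passes in $1.
case "$1" in
   configure)
      if [ -d /etc/skel/.gnupg ]; then
         ## Lintian warns against use of chmod --recursive.
         ## Only the directory itself is restricted to its owner; the modes of
         ## files inside it are not changed here.
         chmod 700 /etc/skel/.gnupg
      fi

      ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
      ## Best effort: a failing schema compile does not abort configuration.
      glib-compile-schemas /usr/share/glib-2.0/schemas || true
      ;;

   abort-upgrade|abort-remove|abort-deconfigure)
      ;;

   triggered)
      ## Diagnostic line. The labels are literal text and only the quoted
      ## values are expanded; the original expanded the package name in place
      ## of its label and printed a stray backslash in the '$@' label.
      echo "INFO: triggered DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' \$@: '$*' 2: '$2'"
      ## Both helpers are best effort; their failures are ignored.
      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
      /usr/libexec/security-misc/mmap-rnd-bits || true
      permission_hardening
      ## A trigger run stops here and skips the remaining configure-time steps.
      exit 0
      ;;

   *)
      echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
      exit 1
      ;;
esac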
## Only reached for 'configure' and the 'abort-*' actions: the 'triggered'
## branch of the case statement exits 0 and unknown actions exit 1.

## Regenerate the PAM configuration from the installed profiles; '--package'
## marks the call as coming from a maintainer script.
pam-auth-update --package

## NOTE(review): helper not shown here; going by its name it tightens file
## permissions - confirm. There is no '|| true', so under 'set -e' a failure
## aborts this script.
/usr/libexec/security-misc/permission-lockdown

## Migrate the legacy state directory before the hardener runs, presumably so
## that the hardener finds its earlier state under the new directory name.
permission_hardening_legacy_state_files

permission_hardening
## https://phabricator.whonix.org/T377
## Debian has no update-grub trigger yet:
## https://bugs.debian.org/481542
##
## Run update-grub when it is installed. A failure is reported on stderr with
## its exit code but does not abort this script, because the '||' list handles
## it. The continuation lines of the message start at column 0 so that no
## indentation ends up inside the printed text.
if command -v update-grub >/dev/null 2>&1; then
   update-grub || \
      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
likely only the trigger, not the cause. Unless you know this is not an issue, \
you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi
## Best effort: a failure of this helper is ignored.
## NOTE(review): helper not shown here; going by its name it adjusts the mmap
## address-randomization bits - confirm.
/usr/libexec/security-misc/mmap-rnd-bits || true

true "INFO: debhelper beginning here."

## The marker line below is replaced at package build time with the
## maintainer-script snippets generated by debhelper. Keep it byte-for-byte
## and do not repeat the marker text anywhere else in this file.
#DEBHELPER#

true "INFO: Done with debhelper."

## Clean up the legacy config folder after the generated snippets have run;
## it is removed only when it is empty.
permission_hardening_legacy_config_folder
## No-op banner marking the end of the script; 'true' ignores its arguments,
## so the text only shows up when command tracing (xtrace) is active.
true "
#####################################################################
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
## NOTE(review): any error handling set up by the sourced prologue is not
## visible here; this line only fixes the final exit status at success.
exit 0