mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
Removes read, write and execute access for others for all users who have home
folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package.
This commit is contained in:
parent
4740e8b335
commit
3f031a297d
8
debian/control
vendored
8
debian/control
vendored
@ -143,6 +143,14 @@ Description: enhances misc security settings
|
||||
The default umask is changed to 006. This allows only the owner and group to
|
||||
read and write to newly created files.
|
||||
.
|
||||
Removes read, write and execute access for others for all users who have home
|
||||
folders under folder /home by running for example "chmod o-rwx /home/user"
|
||||
during package installation or upgrade. This will be done only once per folder
|
||||
in folder /home so users who wish to relax file permissions are free to do so.
|
||||
This is to protect previously created files in user home folder which were
|
||||
previously created with lax file permissions prior installation of this
|
||||
package.
|
||||
.
|
||||
The kernel now panics on oopses to prevent it from continuing running a
|
||||
flawed process.
|
||||
.
|
||||
|
28
debian/security-misc.postinst
vendored
28
debian/security-misc.postinst
vendored
@ -15,6 +15,32 @@ true "
|
||||
#####################################################################
|
||||
"
|
||||
|
||||
home_folder_access_rights_lockdown() {
|
||||
mkdir -p /var/cache/security-misc/state-files
|
||||
|
||||
shopt -s nullglob
|
||||
|
||||
## Not using dotglob.
|
||||
## touch /var/cache/security-misc/state-files//home/.Trash
|
||||
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
|
||||
|
||||
local folder_name base_name
|
||||
|
||||
for folder_name in /home/* ; do
|
||||
base_name="$(basename "$folder_name")"
|
||||
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
|
||||
continue
|
||||
fi
|
||||
chmod o-rwx "$folder_name"
|
||||
## Create a state-file so we do this only once.
|
||||
## Therefore a user who will manually undo this, will not get
|
||||
## annoyed by this being done over and over again.
|
||||
touch "/var/cache/security-misc/state-files/$base_name"
|
||||
done
|
||||
|
||||
shopt -u nullglob
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
configure)
|
||||
glib-compile-schemas /usr/share/glib-2.0/schemas || true
|
||||
@ -31,6 +57,8 @@ esac
|
||||
|
||||
pam-auth-update --package
|
||||
|
||||
home_folder_access_rights_lockdown
|
||||
|
||||
true "INFO: debhelper beginning here."
|
||||
|
||||
#DEBHELPER#
|
||||
|
Loading…
Reference in New Issue
Block a user