mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:03:35 +07:00
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
This commit is contained in:
parent
4fadaad8c0
commit
50bdd097df
12
README.md
12
README.md
@ -159,7 +159,7 @@ be recovered. See:
|
||||
|
||||
`/lib/systemd/system/remove-system-map.service`
|
||||
|
||||
`/usr/lib/security-misc/remove-system.map`
|
||||
`/usr/libexec/security-misc/remove-system.map`
|
||||
|
||||
* Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords. See:
|
||||
@ -233,7 +233,7 @@ users from using `su` to gain root access or to switch user accounts —
|
||||
that logging in from a virtual console is still possible — `debian/security-misc.postinst`
|
||||
|
||||
* Abort login for users with locked passwords —
|
||||
`/usr/lib/security-misc/pam-abort-on-locked-password`.
|
||||
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
||||
|
||||
* Logging into the root account from a virtual, serial, whatnot console is
|
||||
prevented by shipping an existing and empty `/etc/securetty` file
|
||||
@ -294,8 +294,8 @@ Informational output during Linux PAM:
|
||||
See:
|
||||
|
||||
* `/usr/share/pam-configs/tally2-security-misc`
|
||||
* `/usr/lib/security-misc/pam_tally2-info`
|
||||
* `/usr/lib/security-misc/pam-abort-on-locked-password`
|
||||
* `/usr/libexec/security-misc/pam_tally2-info`
|
||||
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
|
||||
|
||||
## Access rights restrictions
|
||||
|
||||
@ -317,7 +317,7 @@ to the installation of this package.
|
||||
See:
|
||||
|
||||
* `debian/security-misc.postinst`
|
||||
* `/usr/lib/security-misc/permission-lockdown`
|
||||
* `/usr/libexec/security-misc/permission-lockdown`
|
||||
* `/usr/share/pam-configs/mkhomedir-security-misc`
|
||||
|
||||
### SUID / SGID removal and permission hardening
|
||||
@ -331,7 +331,7 @@ default for now during testing and can optionally be enabled by running
|
||||
|
||||
See:
|
||||
|
||||
* `/usr/lib/security-misc/permission-hardening`
|
||||
* `/usr/libexec/security-misc/permission-hardening`
|
||||
* `/lib/systemd/system/permission-hardening.service`
|
||||
* `/etc/permission-hardening.d`
|
||||
* https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
|
2
debian/security-misc.postinst
vendored
2
debian/security-misc.postinst
vendored
@ -43,7 +43,7 @@ esac
|
||||
|
||||
pam-auth-update --package
|
||||
|
||||
/usr/lib/security-misc/permission-lockdown
|
||||
/usr/libexec/security-misc/permission-lockdown
|
||||
|
||||
## https://phabricator.whonix.org/T377
|
||||
## Debian has no update-grub trigger yet:
|
||||
|
2
debian/security-misc.preinst
vendored
2
debian/security-misc.preinst
vendored
@ -16,7 +16,7 @@ true "
|
||||
"
|
||||
|
||||
user_groups_modifications() {
|
||||
## /usr/lib/security-misc/hide-hardware-info
|
||||
## /usr/libexec/security-misc/hide-hardware-info
|
||||
addgroup --system sysfs
|
||||
addgroup --system cpuinfo
|
||||
|
||||
|
@ -3,6 +3,6 @@
|
||||
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
if [ -x /usr/lib/security-misc/panic-on-oops ]; then
|
||||
sudo --non-interactive /usr/lib/security-misc/panic-on-oops
|
||||
if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
|
||||
sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
|
||||
fi
|
||||
|
@ -3,6 +3,6 @@
|
||||
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
if test -x /usr/lib/security-misc/remove-system.map ; then
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
if test -x /usr/libexec/security-misc/remove-system.map ; then
|
||||
/usr/libexec/security-misc/remove-system.map
|
||||
fi
|
||||
|
@ -2,7 +2,7 @@
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## REVIEW: is it ok that users can find out the PATH setting of root?
|
||||
#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
|
||||
#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
|
||||
|
||||
## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
|
||||
## set. Would otherwise error out with the following error message:
|
||||
|
@ -1,5 +1,5 @@
|
||||
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
|
||||
%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
|
||||
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||
|
@ -11,7 +11,7 @@ After=local-fs.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/lib/security-misc/hide-hardware-info
|
||||
ExecStart=/usr/libexec/security-misc/hide-hardware-info
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
|
@ -13,7 +13,7 @@ After=local-fs.target
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/security-misc/permission-hardening
|
||||
ExecStart=/usr/libexec/security-misc/permission-hardening
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
|
@ -15,7 +15,7 @@ After=qubes-sysinit.service
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/security-misc/remount-secure
|
||||
ExecStart=/usr/libexec/security-misc/remount-secure
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
|
@ -11,7 +11,7 @@ After=local-fs.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/lib/security-misc/remove-system.map
|
||||
ExecStart=/usr/libexec/security-misc/remove-system.map
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
|
@ -104,10 +104,10 @@ make %{?_smp_mflags}
|
||||
/lib/systemd/coredump.conf.d/disable-coredumps.conf
|
||||
/lib/systemd/system/proc-hidepid.service
|
||||
/lib/systemd/system/remove-system-map.service
|
||||
/usr/lib/security-misc/apt-get-update
|
||||
/usr/lib/security-misc/apt-get-update-sanity-test
|
||||
/usr/lib/security-misc/panic-on-oops
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
/usr/libexec/security-misc/apt-get-update
|
||||
/usr/libexec/security-misc/apt-get-update-sanity-test
|
||||
/usr/libexec/security-misc/panic-on-oops
|
||||
/usr/libexec/security-misc/remove-system.map
|
||||
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
|
||||
/usr/share/lintian/overrides/security-misc
|
||||
/usr/share/pam-configs/usergroups
|
||||
|
@ -122,7 +122,7 @@ else
|
||||
## This is required for gdebi.
|
||||
## REVIEW: is it ok that users can find out the PATH setting of root?
|
||||
## lxqt-sudo does not clear environment variable PATH.
|
||||
PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
|
||||
PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
|
||||
export PATH
|
||||
lxqt-sudo "$@" || { exit_code=$? ; true; };
|
||||
fi
|
||||
|
@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
|
||||
if [ "$PAM_SERVICE" = "login" ]; then
|
||||
## FIXME:
|
||||
## Creates unwanted journal log entry.
|
||||
## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1
|
||||
## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1
|
||||
exit 1
|
||||
else
|
||||
## exit success so [success=1 default=ignore] will result in skipping the
|
||||
|
@ -37,6 +37,6 @@ done
|
||||
## next PAM module (the pam_tally2 module).
|
||||
##
|
||||
## Causes confusing error message:
|
||||
## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1
|
||||
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
|
||||
## https://github.com/linux-pam/linux-pam/issues/329
|
||||
exit 1
|
||||
|
@ -10,7 +10,7 @@
|
||||
## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride
|
||||
|
||||
## To undo:
|
||||
## sudo /usr/lib/security-misc/permission-hardening-undo
|
||||
## sudo /usr/libexec/security-misc/permission-hardening-undo
|
||||
|
||||
#set -x
|
||||
set -e
|
||||
|
@ -4,32 +4,32 @@
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Doing this for all users would create many issues.
|
||||
# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
|
||||
# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
|
||||
|
||||
home_folder_access_rights_lockdown() {
|
||||
shopt -s nullglob
|
||||
|
@ -3,5 +3,5 @@ Default: no
|
||||
Priority: 280
|
||||
Account-Type: Primary
|
||||
Account:
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_login
|
||||
required pam_access.so accessfile=/etc/security/access-security-misc.conf debug
|
||||
|
@ -3,4 +3,4 @@ Default: yes
|
||||
Priority: 300
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
requisite pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password
|
||||
requisite pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password
|
||||
|
@ -3,8 +3,8 @@ Default: yes
|
||||
Priority: 290
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
|
||||
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
|
||||
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
|
||||
Account-Type: Primary
|
||||
Account:
|
||||
|
Loading…
Reference in New Issue
Block a user