From d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 18:17:50 +0000
Subject: [PATCH 1/6] new permission-lockdown
---
 usr/libexec/security-misc/permission-lockdown | 45 ++++++++-----------
 1 file changed, 19 insertions(+), 26 deletions(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index 615bf6c..eab53b0 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -32,35 +32,28 @@
 # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
 home_folder_access_rights_lockdown() {
- shopt -s nullglob
+ # Each users home directory to himself
+ for user in $(dir /home); do # lists directories only
+ if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory
+ if [ -f /var/cache/security-misc/state-files/$user ]
+ continue # only doing once
+ fi
+ touch "/var/cache/security-misc/state-files/$user # so that we know we did this one
+ dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
+ find /home/$user -type d | while read directory; # doing this to all directories in the users home
+ do
+ chown $user $directory
+ chmod 700 $directory
+ done
- ## Not using dotglob.
- ## touch /var/cache/security-misc/state-files//home/.Trash
- ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
-
- local folder_name base_name
-
- for folder_name in /home/* ; do
- base_name="$(basename "$folder_name")"
- if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
- continue
+# not doing it because this sets all files to non executable
+# find /home/$user -type f | while read file; # doing this to all files in the users home
+# do
+# chown $user $file
+# chmod 600 $file
+# done
 fi
- if [ ! -d "$folder_name" ]; then
- continue
- fi
- if [ "$folder_name" = "/home/" ]; then
- continue
- fi
- mkdir -p /var/cache/security-misc/state-files
- echo "$0: chmod o-rwx \"$folder_name\""
- chmod o-rwx "$folder_name"
- ## Create a state-file so we do this only once.
- ## Therefore a user who will manually undo this, will not get
- ## annoyed by this being done over and over again.
- touch "/var/cache/security-misc/state-files/$base_name"
 done
-
- shopt -u nullglob
 }
 home_folder_access_rights_lockdown
From 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b Mon Sep 17 00:00:00 2001
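Review bot: The `find /home/$user -type d | while read directory` loop that follows with `chown $user $directory` and `chmod 700 $directory` runs as root over a tree the user controls and is a symlink race: once `find` has printed a path, the user can replace that directory with a symlink to, say, `/etc` before `chown` reaches it, and both `chown` (without `-h`) and `chmod` follow symlinks, so the user ends up owning the target. The loop head cannot work as written either: `[ grep -q "$user" /etc/passwd ]` hands those words to `test` instead of running grep (it exits 2 with "too many arguments"), `if [ -f … ]` is missing its `; then`, and `touch "/var/cache/…/$user # …` opens a double quote that is never closed, so bash will not parse the function. `$(dir /home)` also lists regular files and word-splits names, where the removed `nullglob` + `/home/*` + `[ ! -d … ]` form was the safe one, and the removed `mkdir -p /var/cache/security-misc/state-files` has no replacement, so the marker `touch` fails on a fresh host. I would drop the per-directory chown loop altogether (the script's job is the top-level home directory) and start the loop with `for home_dir in /home/*/ ; do`, `user="$(basename "$home_dir")"`, `if id -u "$user" >/dev/null 2>&1; then`.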
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:25:24 +0000
Subject: [PATCH 2/6] strip unnecessary
---
 usr/libexec/security-misc/permission-lockdown | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index eab53b0..8e807ff 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -38,21 +38,8 @@ home_folder_access_rights_lockdown() {
 if [ -f /var/cache/security-misc/state-files/$user ]
 continue # only doing once
 fi
- touch "/var/cache/security-misc/state-files/$user # so that we know we did this one
 dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
- find /home/$user -type d | while read directory; # doing this to all directories in the users home
- do
- chown $user $directory
- chmod 700 $directory
- done
-
-# not doing it because this sets all files to non executable
-# find /home/$user -type f | while read file; # doing this to all files in the users home
-# do
-# chown $user $file
-# chmod 600 $file
-# done
- fi
+ touch /var/cache/security-misc/state-files/$user # so that we know we did this one
 done
 }
From f487752ba1b469eb0b2f85657e2ee0860f58496b Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:30:58 +0000
Subject: [PATCH 3/6] not limiting ourselves. we do not do this not just once.
---
 usr/libexec/security-misc/permission-lockdown | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index 8e807ff..372fc2f 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
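Review bot: The `- fi` removed at the end of the `@@ -38,21 +38,8 @@` hunk is the one that closed `if [ grep … ]; then`, so after this commit the outer `if` has no matching `fi` and the function, and with it the whole script, no longer parses; the subject says "strip unnecessary", but that line was load-bearing. The surviving `if [ -f … ]` context line is still missing its `; then` as well. The added `touch /var/cache/security-misc/state-files/$user` has nothing creating that directory any more (the old code ran `mkdir -p` right before touching), so on a host where it does not exist the marker is never written and the lockdown is repeated on every run. Keep the `fi`, and write the marker as `mkdir -p /var/cache/security-misc/state-files` followed by `touch "/var/cache/security-misc/state-files/$user"`.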
@@ -35,11 +35,9 @@ home_folder_access_rights_lockdown() {
 # Each users home directory to himself
 for user in $(dir /home); do # lists directories only
 if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory
- if [ -f /var/cache/security-misc/state-files/$user ]
- continue # only doing once
- fi
 dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
- touch /var/cache/security-misc/state-files/$user # so that we know we did this one
+ echo "Permission updated: chmod go-rwx /home/$user"
+ fi
 done
 }
From b5ba03247a5b5bb1f4e010130e4a575ad1397117 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:31:25 +0000
Subject: [PATCH 4/6] readability
---
 usr/libexec/security-misc/permission-lockdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index 372fc2f..4449608 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -34,7 +34,7 @@
 home_folder_access_rights_lockdown() {
 # Each users home directory to himself
 for user in $(dir /home); do # lists directories only
- if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory
+ if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory
 dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
 echo "Permission updated: chmod go-rwx /home/$user"
 fi
From 88f396264ca9d072e4e5de4e1acaee54f3b39749 Mon Sep 17 00:00:00 2001
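Review bot: Dropping the state-file check in the `@@ -35,11 +35,9 @@` hunk means `dpkg-statoverride --add --update $user $user 0700 /home/$user` is re-issued on every run, and `--add` refuses (without `--force-statoverride-add`) a path that already has an override, so from the second run on the command fails while the unconditional new `echo "Permission updated: chmod go-rwx /home/$user"` still reports success; if the script runs under `set -e` (its header is outside this hunk) that failure aborts the rest of the lockdown. Either keep the done-once marker or guard the call with `if ! dpkg-statoverride --list "/home/$user" >/dev/null 2>&1; then` … `fi` and print the message only inside that branch. The new message also drops the `$0:` prefix the old `echo "$0: chmod o-rwx …"` carried, which made the line attributable in logs.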
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:35:59 +0000
Subject: [PATCH 5/6] avoiding /etc/passwd
---
 usr/libexec/security-misc/permission-lockdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index 4449608..dfe0176 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@@ -34,7 +34,7 @@
 home_folder_access_rights_lockdown() {
 # Each users home directory to himself
 for user in $(dir /home); do # lists directories only
- if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory
+ if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory
 dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
 echo "Permission updated: chmod go-rwx /home/$user"
 fi
From 91c445244c47c163e2466f8c4dff710eda20c337 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:41:07 +0000
Subject: [PATCH 6/6] actually we do it once indeed
---
 usr/libexec/security-misc/permission-lockdown | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown
index dfe0176..a89e1ec 100755
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
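Review bot: `if [ $(id --user $user) ]` in the `@@ -34,7 +34,7 @@` hunk only tests whether the unquoted substitution expanded to something; it works, but `id` prints a "no such user" error to stderr for every non-account entry that `dir /home` yields (such as `lost+found`), and `$user` stays unquoted; `if id -u "$user" >/dev/null 2>&1; then` is the usual form. More important now that the context line `dpkg-statoverride --add --update $user $user 0700 /home/$user` chowns rather than merely chmods: a directory is matched to an account by name alone, so `/home/bob` is handed to user `bob` even if bob's recorded home is elsewhere. Compare against the passwd entry before touching it: `[ "$(getent passwd "$user" | cut -d: -f6)" = "/home/$user" ] || continue`.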
@@ -34,9 +34,13 @@
 home_folder_access_rights_lockdown() {
 # Each users home directory to himself
 for user in $(dir /home); do # lists directories only
+ if [ -f /var/cache/security-misc/state-files/$user ]; then
+ continue
+ fi
 if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory
- dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself
+ dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user
 echo "Permission updated: chmod go-rwx /home/$user"
+ touch /var/cache/security-misc/state-files/$user # so that we know we did this one
 fi
 done
 }
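Review bot: The done-once marker is written with `touch /var/cache/security-misc/state-files/$user`, but nothing in the new code creates that directory (the old `mkdir -p` went away in patch 1), so unless the package ships it the touch fails, the added `[ -f … ]` check at the top of the loop never fires, and every run re-issues `dpkg-statoverride --add`, which errors once an override for `/home/$user` is on record. The group argument `$user` also assumes a group named after every account, which is not guaranteed (a `useradd` default is primary group `users`); `dpkg-statoverride` then rejects the unknown group and that home directory stays world-readable. `$(dir /home)` still lists files and word-splits, and `$user` is unquoted throughout. Rewritten loop body below, for the top of `home_folder_access_rights_lockdown()`; the `echo` text is unchanged.
```shell
   mkdir -p /var/cache/security-misc/state-files
   for home_dir in /home/*/ ; do
      user="$(basename "$home_dir")"
      ## Done once per user, so a user who undoes this by hand is not fought with.
      if [ -f "/var/cache/security-misc/state-files/$user" ]; then
         continue
      fi
      ## Only real accounts, and only the directory passwd records as their home.
      if ! id -u "$user" >/dev/null 2>&1 ; then
         continue
      fi
      if [ "$(getent passwd "$user" | cut -d: -f6)" != "/home/$user" ]; then
         continue
      fi
      ## Primary group of the account; a group named after the user need not exist.
      if ! dpkg-statoverride --list "/home/$user" >/dev/null 2>&1 ; then
         dpkg-statoverride --add --update "$user" "$(id -gn "$user")" 0700 "/home/$user"
      fi
      # … unchanged: echo "Permission updated: …" …
      touch "/var/cache/security-misc/state-files/$user"
   done
}
```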