security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.

Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2024-12-23 01:23:36 +07:00 · 2019-12-08 05:21:35 -05:00 · 2019-12-08 05:21:35 -05:00 · c192644ee3
commit c192644ee3
parent edcc2de71d
3 changed files with 4 additions and 9 deletions
--- a/debian/control
+++ b/debian/control
@ -212,14 +212,15 @@ Description: enhances misc security settings
 Removes read, write and execute access for others for all users who have
 home folders under folder /home by running for example
 "chmod o-rwx /home/user"
- during package installation, upgrade or pam. This will be done only once per
+ during package installation, upgrade or pam mkhomedir. This will be done only
+ once per
 folder in folder /home so users who wish to relax file permissions are free to
 do so. This is to protect previously created files in user home folder which
 were previously created with lax file permissions prior installation of this
 package.
 debian/security-misc.postinst
- /usr/share/pam-configs/permission-lockdown-security-misc
 /usr/lib/security-misc/permission-lockdown
+ /usr/share/pam-configs/mkhomedir-security-misc
 .
 access rights relaxations:
 .
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
-	optional	pam_mkhomedir.so
+	optional	pam_mkhomedir.so umask=027
--- a/usr/share/pam-configs/permission-lockdown-security-misc
+++ b/usr/share/pam-configs/permission-lockdown-security-misc
@ -1,6 +0,0 @@
-Name: prevent users from reading other users /home/user folders (by package security-misc)
-Default: yes
-Priority: 50
-Session-Type: Additional
-Session:
-	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/permission-lockdown