Removes read, write and execute access for others for all users who …

…have home folders under folder /home by running for example "chmod o-rwx /home/user" during package installation or upgrade. This will be done only once per folder in folder /home so users who wish to relax file permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package.
Kicksecure · Jul 13, 2019 · 3f031a2 · 3f031a2
1 parent 4740e8b
commit 3f031a2
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/debian/control b/debian/control
@@ -143,6 +143,14 @@ Description: enhances misc security settings
  The default umask is changed to 006. This allows only the owner and group to
  read and write to newly created files.
  .
+ Removes read, write and execute access for others for all users who have home
+ folders under folder /home by running for example "chmod o-rwx /home/user"
+ during package installation or upgrade. This will be done only once per folder
+ in folder /home so users who wish to relax file permissions are free to do so.
+ This is to protect previously created files in user home folder which were
+ previously created with lax file permissions prior installation of this
+ package.
+ .
  The kernel now panics on oopses to prevent it from continuing running a
  flawed process.
  .

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
@@ -15,6 +15,32 @@ true "
 #####################################################################
 "
 
+home_folder_access_rights_lockdown() {
+   mkdir -p /var/cache/security-misc/state-files
+
+   shopt -s nullglob
+
+   ## Not using dotglob.
+   ## touch /var/cache/security-misc/state-files//home/.Trash
+   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+   local folder_name base_name
+
+   for folder_name in /home/* ; do
+      base_name="$(basename "$folder_name")"
+      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+         continue
+      fi
+      chmod o-rwx "$folder_name"
+      ## Create a state-file so we do this only once.
+      ## Therefore a user who will manually undo this, will not get
+      ## annoyed by this being done over and over again.
+      touch "/var/cache/security-misc/state-files/$base_name"
+   done
+
+   shopt -u nullglob
+}
+
 case "$1" in
     configure)
         glib-compile-schemas /usr/share/glib-2.0/schemas || true
@@ -31,6 +57,8 @@ esac
 
 pam-auth-update --package
 
+home_folder_access_rights_lockdown
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#