From 420ffeac3ad3e73652e3a36db00959b4c5b33244 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Wed, 15 Jul 2026 19:06:42 -0600 Subject: [PATCH] fix(pam): pass profile names to pam-auth-update --remove pam-auth-update --remove matches pam-config filenames under /usr/share/pam-configs/, but prerm and postrm passed $DPKG_MAINTSCRIPT_PACKAGE -- the package name security-misc-shared -- which matches no profile and is silently ignored. The prerm early-disable was therefore dead: on removal, /etc/pam.d/common-* kept referencing helper scripts under /usr/libexec/security-misc/ that dpkg then deleted, risking failed authentication (block-unsafe-logins is a Priority 1100 requisite entry). prerm now passes the eight profile filenames explicitly, guarded by command -v so a bulk purge cannot abort under set -e. postrm drops the ineffective --remove for a plain reconciliation scoped to remove|purge|disappear, so it never strips live hardening during an upgrade or abort. --- debian/security-misc-shared.postrm | 14 +++++++++++++- debian/security-misc-shared.prerm | 20 +++++++++++++++++++- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/debian/security-misc-shared.postrm b/debian/security-misc-shared.postrm index 13dc5884..23d7e074 100755 --- a/debian/security-misc-shared.postrm +++ b/debian/security-misc-shared.postrm @@ -16,7 +16,19 @@ true " " ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 -pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" +## Reconciliation safety net; the authoritative early-disable is in prerm. By the +## time postrm runs dpkg has deleted this package's /usr/share/pam-configs/ files, +## so a plain reconciliation drops the now-file-less profiles from common-*. +## Plain '--package' only (no '--remove '): on upgrade/abort states the +## config files are still present and '--remove' would strip live hardening +## mid-transaction, so those states are deliberately not matched here. +case "$1" in + remove|purge|disappear) + if command -v pam-auth-update >/dev/null 2>&1; then + pam-auth-update --package + fi + ;; +esac rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf diff --git a/debian/security-misc-shared.prerm b/debian/security-misc-shared.prerm index 1c4cd871..c2b66445 100755 --- a/debian/security-misc-shared.prerm +++ b/debian/security-misc-shared.prerm @@ -16,7 +16,25 @@ true " " if [ "$1" = remove ]; then - pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" + ## 'pam-auth-update --remove' matches pam-config FILENAMES under + ## /usr/share/pam-configs/, not the package name. Disable our profiles while + ## the helper scripts they reference under /usr/libexec/security-misc/ still + ## exist (before dpkg deletes them), so /etc/pam.d/common-* is never left + ## referencing a deleted module -- block-unsafe-logins is a Priority 1100 + ## 'requisite' whose dangling reference would fail all logins. See + ## pam-auth-update(8). Keep in sync with security-misc-shared.install and + ## usr/share/pam-configs/. + if command -v pam-auth-update >/dev/null 2>&1; then + pam-auth-update --package --remove \ + block-unsafe-logins-security-misc \ + console-lockdown-security-misc \ + faillock-preauth-security-misc \ + mkhomedir-security-misc \ + pam-abort-on-locked-password-security-misc \ + umask-security-misc \ + unix-faillock-security-misc \ + wheel-security-misc + fi fi true "INFO: debhelper beginning here."