fix: security audit - multiple bug fixes across codebase

## Comments for reviewers:
## Threat model: Local files that can only be edited by root are
## out-of-scope and considered trusted.

emerg-shutdown.c:
- Fix strtok separator mismatch in load_list(): continuation call
  hardcoded "," instead of using the caller's separator, breaking
  pipe-separated key alias parsing (e.g. KEY_A|KEY_B).
- Fix FIFO permissions: mkfifo() used 0777, changed to 0600 to
  prevent unprivileged users from triggering emergency shutdown.
- Fix out-of-bounds read in netlink parsing: use strnlen() bounded
  by remaining buffer length instead of unbounded strlen().
- Fix NULL dereference on empty --timeout= argument.
- Add missing exit(0) after kill_system() in paranoid mode.
- Fix print() writing NUL terminator to output.

permission-hardener:
- Anchor user/group existence checks to line boundaries to prevent
  substring matches (e.g. 'roo' matching 'root:').
- Anchor dpkg-statoverride path lookups to prevent substring path
  matches (e.g. '/usr/bin/su' matching '/usr/bin/sudo').

pam-info:
- Add PAM_USER sanity check: reject control characters and values
  starting with '-' to prevent option injection into faillock.

pam_faillock_not_if_x:
- Remove set -x debug tracing from production PAM module to avoid
  leaking authentication details into system logs.

build-fm-shim-backend:
- Use atomic write pattern (compile to temp file, then mv) to
  prevent leaving a corrupted binary on interrupted compilation.

postinst:
- Add comments explaining that silent error handling for
  permission-hardener and update-grub is by design to avoid
  breaking APT.

hide-hardware-info, emerg-shutdown (shell):
- Add threat model comments documenting that root-owned config
  directories are trusted.

https://claude.ai/code/session_01LvyeXrhG1t4pNmiHt7iAbi

Author: claude

debian/security-misc-shared.postinst

@@ -30,6 +30,9 @@ permission_hardening() {
     echo "Running SUID Disabler and Permission Hardener... See also:"
     echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
     echo "$0: INFO: running: permission-hardener enable"
+    ## By design: report error but return 0 to avoid breaking APT.
+    ## A failing postinst would leave the package in a broken state,
+    ## preventing upgrades and further security updates.
     if ! permission-hardener enable ; then
         echo "$0: ERROR: Permission hardening failed." >&2
         return 0
@@ -190,6 +193,9 @@ permission_hardening
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
 ## https://bugs.debian.org/481542
+## By design: report error but do not fail to avoid breaking APT.
+## A failing postinst would leave the package in a broken state,
+## preventing upgrades and further security updates.
 if command -v update-grub >/dev/null 2>&1; then
    update-grub || \
       echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \

usr/bin/permission-hardener#security-misc-shared

@@ -595,17 +595,20 @@ commit_policy() {
     if [ "${existing_owner}" != "${state_user_owner_item}" ] \
       || [ "${existing_group}" != "${state_group_owner_item}" ] \
       || [ "${existing_mode}" != "${state_mode_item}" ]; then
-      if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then
+      ## Anchor user/group lookups to line boundaries to prevent substring matches
+      ## (e.g. 'roo' must not match 'root:...')
+      if ! [[ $'\n'"${passwd_file_contents}" =~ $'\n'"${state_user_owner_item}:" ]]; then
         log error "Owner from config does not exist: '${state_user_owner_item}'" >&2
         continue
       fi
 
-      if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then
+      if ! [[ $'\n'"${group_file_contents}" =~ $'\n'"${state_group_owner_item}:" ]]; then
         log error "Group from config does not exist: '${state_group_owner_item}'" >&2
         continue
       fi
       ## Remove and reapply in main list
-      if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then
+      ## Anchor to line boundary to prevent substring path matches
+      if [[ $'\n'"${orig_main_statoverride_db}" =~ [[:space:]]"${file_name_from_stat}"($'\n'|$) ]]; then
         echo_wrapper_ignore silent dpkg-statoverride --remove \
           "${file_name_from_stat}"
       fi
@@ -614,7 +617,7 @@ commit_policy() {
         "${state_mode_item}" "${file_name_from_stat}"
 
       ## Update item in secondary list
-      if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then
+      if [[ $'\n'"${orig_new_statoverride_db}" =~ [[:space:]]"${file_name_from_stat}"($'\n'|$) ]]; then
         # shellcheck disable=SC2086
         echo_wrapper_ignore silent dpkg-statoverride \
           ${dpkg_admindir_parameter_new_mode} --remove \
@@ -699,12 +702,12 @@ undo_policy_for_file() {
       # shellcheck disable=SC2086
       orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true
 
-      if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then
+      if [[ $'\n'"${orig_main_statoverride_db}" =~ [[:space:]]"${undo_file}"($'\n'|$) ]]; then
         echo_wrapper_ignore silent dpkg-statoverride --remove \
           "${undo_file}"
       fi
 
-      if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then
+      if [[ $'\n'"${orig_new_statoverride_db}" =~ [[:space:]]"${undo_file}"($'\n'|$) ]]; then
         # shellcheck disable=SC2086
         echo_wrapper_ignore silent dpkg-statoverride \
           ${dpkg_admindir_parameter_new_mode} --remove \
@@ -871,12 +874,12 @@ print_fs_audit() {
     if [ "${existing_owner}" != "${state_user_owner_item}" ] \
       || [ "${existing_group}" != "${state_group_owner_item}" ] \
       || [ "${existing_mode}" != "${state_mode_item}" ]; then
-      if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then
+      if ! [[ $'\n'"${passwd_file_contents}" =~ $'\n'"${state_user_owner_item}:" ]]; then
         echo "!!! Owner from config does not exist: '${state_user_owner_item}'"
         continue
       fi
 
-      if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then
+      if ! [[ $'\n'"${group_file_contents}" =~ $'\n'"${state_group_owner_item}:" ]]; then
         echo "!!! Group from config does not exist: '${state_group_owner_item}'"
         continue
       fi

usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared

@@ -44,16 +44,26 @@ gcc_hardening_options+=(
   "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
 )
 
+## Compile to a temporary file first, then atomically move into place.
+## This prevents leaving a corrupted binary if compilation is interrupted.
+tmp_output="$(mktemp /usr/bin/fm-shim-backend.XXXXXX)"
+trap 'rm -f "${tmp_output}"' EXIT
+
 gcc \
   -g \
   $(pkg-config --cflags dbus-1) \
   $(pkg-config --cflags libsystemd) \
   /usr/src/security-misc/fm-shim-backend.c \
-  -o /usr/bin/fm-shim-backend \
+  -o "${tmp_output}" \
   $(pkg-config --libs dbus-1) \
   $(pkg-config --libs libsystemd) \
   "${gcc_hardening_options[@]}" \
   || {
     printf "%s\n" 'Could not compile fm-shim-backend executable!'
+    rm -f "${tmp_output}"
     exit 1
   }
+
+chmod 0755 "${tmp_output}"
+mv -f "${tmp_output}" /usr/bin/fm-shim-backend
+trap - EXIT

usr/libexec/security-misc/emerg-shutdown#security-misc-shared

@@ -53,7 +53,10 @@ gcc_hardening_options+=(
   "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
 )
 
-## Read emergency shutdown key configuration
+## Read emergency shutdown key configuration.
+## Threat model: local files that can only be edited by root are
+## out-of-scope and considered trusted. These config directories
+## are root-owned, so sourcing their contents is acceptable.
 for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
   if [ -f "${config_file}" ]; then
     bash -n "${config_file}"

usr/libexec/security-misc/hide-hardware-info#security-misc-shared

@@ -31,6 +31,9 @@ default_variables_set() {
 
 parse_configuration() {
   ## Allows for disabling the whitelist.
+  ## Threat model: local files that can only be edited by root are
+  ## out-of-scope and considered trusted. These config directories
+  ## are root-owned, so sourcing their contents is acceptable.
   local i
   for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do
     bash -n "${i}"

usr/libexec/security-misc/pam-info#security-misc-shared

@@ -65,6 +65,14 @@ if [ "$PAM_USER" = "" ]; then
    exit 0
 fi
 
+## PAM_USER is set by the PAM stack and is generally trusted.
+## Sanity check: reject control characters and values starting with '-'
+## to prevent option injection into commands like faillock.
+if [[ "$PAM_USER" =~ [[:cntrl:]] ]] || [[ "$PAM_USER" == -* ]]; then
+   true "$0: ERROR: PAM_USER contains suspicious characters: '$PAM_USER'"
+   exit 0
+fi
+
 grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true
 
 ## Check if grep matched something.

usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared

@@ -5,7 +5,8 @@
 
 ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
 
-set -x
+## set -x intentionally omitted in production to avoid leaking
+## PAM authentication details into system logs.
 
 true "PAM_SERVICE: $PAM_SERVICE"
 

usr/src/security-misc/emerg-shutdown.c#security-misc-shared

@@ -277,17 +277,14 @@ bool bitset_get(const uint64_t *bits, uint32_t i) {
 }
 
 void print(int fd, const char *str) {
-  size_t len = strlen(str) + 1;
-  while (true) {
+  size_t len = strlen(str);
+  while (len > 0) {
     ssize_t write_len = write(fd, str, len);
     if (write_len < 0) {
       /* File descriptor was closed, continue regardless */
       return;
     }
     len -= (size_t)write_len;
-    if (len == 0) {
-      return;
-    }
     str += write_len;
   }
 }
@@ -392,7 +389,7 @@ void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list
     result_list = safe_reallocarray(result_list, result_list_len, sizeof(char *));
     result_list[result_list_len - 1] = safe_calloc(1, strlen(arg_part) + 1);
     strcpy(result_list[result_list_len - 1], arg_part);
-  } while ((arg_part = strtok(NULL, ",")) != NULL);
+  } while ((arg_part = strtok(NULL, sep)) != NULL);
 
   *result_list_len_ref = result_list_len;
   *result_list_ref = result_list;
@@ -834,6 +831,9 @@ void hw_monitor(int argc, char **argv) {
       }
 
       tmpbuf = buf;
+      /* Ensure buffer is NUL-terminated to prevent out-of-bounds reads
+       * from strlen/strcmp on truncated netlink messages. */
+      buf[sizeof(buf) - 1] = '\0';
       while (len > 0) {
         if (strcmp(tmpbuf, "ACTION=remove") == 0) {
           device_removed = true;
@@ -895,6 +895,7 @@ void hw_monitor(int argc, char **argv) {
             if (paranoid_mode) {
               /* Something was removed, we don't care what, shut down now */
               kill_system();
+              exit(0);
             }
 
             for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) {
@@ -910,8 +911,11 @@ void hw_monitor(int argc, char **argv) {
         }
 
 next_str:
-        len = len - (ssize_t)(strlen(tmpbuf) + 1);
-        tmpbuf += strlen(tmpbuf) + 1;
+        {
+          size_t entry_len = strnlen(tmpbuf, (size_t)len) + 1;
+          len -= (ssize_t)entry_len;
+          tmpbuf += entry_len;
+        }
       }
     }
   }
@@ -952,6 +956,11 @@ void fifo_monitor(char **argv) {
   arg_part = strtok(arg_copy, "=");
   /* returns everything after the = sign */
   arg_part = strtok(NULL, "");
+  if (arg_part == NULL) {
+    print(fd_stderr, "Timeout value is missing!\n");
+    print_usage();
+    exit(1);
+  }
   errno = 0;
   monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10);
   if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) {
@@ -975,7 +984,7 @@ void fifo_monitor(char **argv) {
   arg_part = NULL;
   arg_num_end = NULL;
 
-  if (mkfifo(trigger_fifo_path, 0777) == -1) {
+  if (mkfifo(trigger_fifo_path, 0600) == -1) {
     print(fd_stderr, "Cannot create trigger fifo!\n");
     exit(1);
   }