2019-10-17 06:46:47 -04:00
|
|
|
#!/bin/bash
|
|
|
|
|
2019-10-31 11:19:44 -04:00
|
|
|
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
2019-10-17 06:46:47 -04:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
|
|
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
|
|
|
|
source /usr/lib/helper-scripts/pre.bsh
|
|
|
|
fi
|
|
|
|
|
|
|
|
set -e
|
|
|
|
|
|
|
|
true "
|
|
|
|
#####################################################################
|
|
|
|
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
|
|
|
|
#####################################################################
|
|
|
|
"
|
|
|
|
|
2019-12-08 02:41:36 -05:00
|
|
|
sudo_users_check () {
|
2019-12-08 04:25:19 -05:00
|
|
|
if command -v "qubesdb-read" &>/dev/null; then
|
|
|
|
## Qubes users can use dom0 to get a root terminal emulator.
|
|
|
|
## For example:
|
|
|
|
## qvm-run -u root debian-10 xterm
|
|
|
|
return 0
|
|
|
|
fi
|
|
|
|
|
2019-10-18 06:38:25 -04:00
|
|
|
sudo_users="$(getent group sudo | cut -d: -f4)"
|
2019-10-17 06:46:47 -04:00
|
|
|
## example sudo_users:
|
|
|
|
## user,root
|
|
|
|
|
|
|
|
OLD_IFS="$IFS"
|
|
|
|
IFS=","
|
|
|
|
export IFS
|
|
|
|
|
|
|
|
for user_with_sudo in $sudo_users ; do
|
|
|
|
if [ "$user_with_sudo" = "root" ]; then
|
|
|
|
## root login is also restricted.
|
|
|
|
## Therefore user "root" being member of group "sudo" is
|
|
|
|
## considered insufficient.
|
|
|
|
continue
|
|
|
|
fi
|
|
|
|
are_there_any_sudo_users=yes
|
|
|
|
break
|
|
|
|
done
|
|
|
|
|
|
|
|
IFS="$OLD_IFS"
|
|
|
|
export IFS
|
|
|
|
|
2019-11-22 12:24:35 -05:00
|
|
|
## Prevent users from locking themselves out.
|
|
|
|
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
|
2019-10-17 06:46:47 -04:00
|
|
|
if [ ! "$are_there_any_sudo_users" = "yes" ]; then
|
|
|
|
echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
|
2019-12-08 02:38:19 -05:00
|
|
|
echo "$0: ERROR: You probably want to run:" >&2
|
|
|
|
echo "" >&2
|
|
|
|
echo "sudo adduser user sudo" >&2
|
|
|
|
echo "sudo adduser user console" >&2
|
|
|
|
echo "" >&2
|
|
|
|
echo "$0: ERROR: See also installation instructions:" >&2
|
|
|
|
echo "https://www.whonix.org/wiki/security-misc#install" >&2
|
2019-10-17 06:46:47 -04:00
|
|
|
exit 200
|
|
|
|
fi
|
2019-12-08 02:41:36 -05:00
|
|
|
}
|
2019-12-08 02:38:19 -05:00
|
|
|
|
2019-12-08 02:41:36 -05:00
|
|
|
console_users_check() {
|
2019-12-08 02:38:19 -05:00
|
|
|
console_users="$(getent group console | cut -d: -f4)"
|
2019-12-08 02:42:30 -05:00
|
|
|
## example ssh_users:
|
2019-12-08 02:38:19 -05:00
|
|
|
## user
|
|
|
|
console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
|
|
|
|
|
|
|
|
OLD_IFS="$IFS"
|
|
|
|
IFS=","
|
|
|
|
export IFS
|
|
|
|
|
2019-12-08 02:43:05 -05:00
|
|
|
for user_with_console in $console_users $console_unrestricted_users ; do
|
|
|
|
if [ "$user_with_console" = "root" ]; then
|
2019-12-08 02:38:19 -05:00
|
|
|
## root login is also restricted.
|
|
|
|
## Therefore user "root" being member of group "console" is
|
|
|
|
## considered insufficient.
|
|
|
|
continue
|
|
|
|
fi
|
|
|
|
are_there_any_console_users=yes
|
|
|
|
break
|
|
|
|
done
|
|
|
|
|
|
|
|
IFS="$OLD_IFS"
|
|
|
|
export IFS
|
|
|
|
|
|
|
|
## Prevent users from locking themselves out.
|
|
|
|
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
|
|
|
|
if [ ! "$are_there_any_console_users" = "yes" ]; then
|
|
|
|
echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
|
|
|
|
echo "$0: ERROR: You probably want to run:" >&2
|
|
|
|
echo "" >&2
|
|
|
|
echo "sudo adduser user console" >&2
|
|
|
|
echo "" >&2
|
2019-12-08 03:27:12 -05:00
|
|
|
echo "$0: ERROR: See also installation instructions:" >&2
|
|
|
|
echo "https://www.whonix.org/wiki/security-misc#install" >&2
|
|
|
|
exit 201
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
ssh_users_check() {
|
|
|
|
if ! deb-systemd-helper --quiet was-enabled 'ssh.service'; then
|
|
|
|
return 0
|
|
|
|
fi
|
|
|
|
|
|
|
|
ssh_users="$(getent group ssh | cut -d: -f4)"
|
|
|
|
## example ssh_users:
|
|
|
|
## user
|
|
|
|
|
|
|
|
OLD_IFS="$IFS"
|
|
|
|
IFS=","
|
|
|
|
export IFS
|
|
|
|
|
|
|
|
for user_with_ssh in $ssh_users ; do
|
|
|
|
if [ "$user_with_ssh" = "root" ]; then
|
|
|
|
## root login is also restricted.
|
|
|
|
## Therefore user "root" being member of group "ssh" is
|
|
|
|
## considered insufficient.
|
|
|
|
continue
|
|
|
|
fi
|
|
|
|
are_there_any_ssh_users=yes
|
|
|
|
break
|
|
|
|
done
|
|
|
|
|
|
|
|
IFS="$OLD_IFS"
|
|
|
|
export IFS
|
|
|
|
|
|
|
|
## Prevent users from locking themselves out.
|
|
|
|
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
|
|
|
|
if [ ! "$are_there_any_ssh_users" = "yes" ]; then
|
|
|
|
echo "$0: ERROR: ssh.service is enabled but no user is a member of group 'ssh'." >&2
|
|
|
|
echo "$0: ERROR: Installation aborted since this would likely break SSH login." >&2
|
|
|
|
echo "$0: ERROR: You probably want to run:" >&2
|
|
|
|
echo "" >&2
|
|
|
|
echo "sudo adduser user ssh" >&2
|
2019-12-08 02:38:19 -05:00
|
|
|
echo "" >&2
|
|
|
|
echo "$0: ERROR: See also installation instructions:" >&2
|
|
|
|
echo "https://www.whonix.org/wiki/security-misc#install" >&2
|
|
|
|
exit 201
|
|
|
|
fi
|
2019-12-08 02:41:36 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
|
|
|
|
sudo_users_check
|
|
|
|
console_users_check
|
2019-12-08 03:27:12 -05:00
|
|
|
ssh_users_check
|
2019-10-17 06:46:47 -04:00
|
|
|
fi
|
|
|
|
|
|
|
|
true "INFO: debhelper beginning here."
|
|
|
|
|
|
|
|
#DEBHELPER#
|
|
|
|
|
|
|
|
true "INFO: Done with debhelper."
|
|
|
|
|
|
|
|
true "
|
|
|
|
#####################################################################
|
|
|
|
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
|
|
|
|
#####################################################################
|
|
|
|
"
|
|
|
|
|
|
|
|
## Explicitly "exit 0", so eventually trapped errors can be ignored.
|
|
|
|
exit 0
|