security-misc/debian/security-misc.preinst

163 lines
4.6 KiB
Plaintext
Raw Normal View History

#!/bin/bash
2019-10-31 11:19:44 -04:00
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
source /usr/lib/helper-scripts/pre.bsh
fi
set -e
true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"
2019-12-08 02:41:36 -05:00
sudo_users_check () {
if command -v "qubesdb-read" &>/dev/null; then
## Qubes users can use dom0 to get a root terminal emulator.
## For example:
## qvm-run -u root debian-10 xterm
return 0
fi
sudo_users="$(getent group sudo | cut -d: -f4)"
## example sudo_users:
## user,root
OLD_IFS="$IFS"
IFS=","
export IFS
for user_with_sudo in $sudo_users ; do
if [ "$user_with_sudo" = "root" ]; then
## root login is also restricted.
## Therefore user "root" being member of group "sudo" is
## considered insufficient.
continue
fi
are_there_any_sudo_users=yes
break
done
IFS="$OLD_IFS"
export IFS
2019-11-22 12:24:35 -05:00
## Prevent users from locking themselves out.
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
if [ ! "$are_there_any_sudo_users" = "yes" ]; then
echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
echo "$0: ERROR: You probably want to run:" >&2
echo "" >&2
echo "sudo adduser user sudo" >&2
echo "sudo adduser user console" >&2
echo "" >&2
echo "$0: ERROR: See also installation instructions:" >&2
echo "https://www.whonix.org/wiki/security-misc#install" >&2
exit 200
fi
2019-12-08 02:41:36 -05:00
}
2019-12-08 02:41:36 -05:00
console_users_check() {
console_users="$(getent group console | cut -d: -f4)"
2019-12-08 02:42:30 -05:00
## example ssh_users:
## user
console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
OLD_IFS="$IFS"
IFS=","
export IFS
2019-12-08 02:43:05 -05:00
for user_with_console in $console_users $console_unrestricted_users ; do
if [ "$user_with_console" = "root" ]; then
## root login is also restricted.
## Therefore user "root" being member of group "console" is
## considered insufficient.
continue
fi
are_there_any_console_users=yes
break
done
IFS="$OLD_IFS"
export IFS
## Prevent users from locking themselves out.
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
if [ ! "$are_there_any_console_users" = "yes" ]; then
echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
echo "$0: ERROR: You probably want to run:" >&2
echo "" >&2
echo "sudo adduser user console" >&2
echo "" >&2
echo "$0: ERROR: See also installation instructions:" >&2
echo "https://www.whonix.org/wiki/security-misc#install" >&2
exit 201
fi
}
ssh_users_check() {
if ! deb-systemd-helper --quiet was-enabled 'ssh.service'; then
return 0
fi
ssh_users="$(getent group ssh | cut -d: -f4)"
## example ssh_users:
## user
OLD_IFS="$IFS"
IFS=","
export IFS
for user_with_ssh in $ssh_users ; do
if [ "$user_with_ssh" = "root" ]; then
## root login is also restricted.
## Therefore user "root" being member of group "ssh" is
## considered insufficient.
continue
fi
are_there_any_ssh_users=yes
break
done
IFS="$OLD_IFS"
export IFS
## Prevent users from locking themselves out.
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
if [ ! "$are_there_any_ssh_users" = "yes" ]; then
echo "$0: ERROR: ssh.service is enabled but no user is a member of group 'ssh'." >&2
echo "$0: ERROR: Installation aborted since this would likely break SSH login." >&2
echo "$0: ERROR: You probably want to run:" >&2
echo "" >&2
echo "sudo adduser user ssh" >&2
echo "" >&2
echo "$0: ERROR: See also installation instructions:" >&2
echo "https://www.whonix.org/wiki/security-misc#install" >&2
exit 201
fi
2019-12-08 02:41:36 -05:00
}
if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
sudo_users_check
console_users_check
ssh_users_check
fi
true "INFO: debhelper beginning here."
#DEBHELPER#
true "INFO: Done with debhelper."
true "
#####################################################################
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"
## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0