security-misc/etc/security/access-security-misc.conf

## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Console Lockdown
## https://forums.whonix.org/t/etc-security-hardening/8592

## This is the error message should this fail:
## sudo su
## sudo: PAM account management error: Permission denied

## see also:
## man access.conf
## man pam_access

## Usually tty7 is for X.
## Qubes uses tty1 for X.

## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.
## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted.

## Allow members of group `console` to use:
## - 'console'
## - 'tty1' to 'tty7'
## - 'pts/0' to 'pts/9'
## - 'hvc0' to 'hvc9'
## serial console
## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
## - 'ttyS0' to 'ttyS9'
+:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

## Same as above also for members of group `sudo`.
## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
+:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

## Everyone else except members of group 'console-unrestricted'
## are restricted from everything else.
-:ALL EXCEPT (console-unrestricted):ALL
update copyright year 2020-04-01 08:49:59 -04:00			`## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`## See the file COPYING for copying conditions.`

			`## Console Lockdown`
			`## https://forums.whonix.org/t/etc-security-hardening/8592`

comment 2019-12-07 05:52:06 -05:00			`## This is the error message should this fail:`
			`## sudo su`
			`## sudo: PAM account management error: Permission denied`

Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`## see also:`
			`## man access.conf`
			`## man pam_access`

			`## Usually tty7 is for X.`
			`## Qubes uses tty1 for X.`

comment 2019-12-07 06:02:45 -05:00			`## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.`
add hvc0 to hvc9 2019-12-07 06:04:45 -05:00			`## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".`
When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. 2020-03-31 07:08:25 -04:00			## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted.
comments 2020-04-02 05:58:16 -04:00
			## Allow members of group `console` to use:
			`## - 'console'`
			`## - 'tty1' to 'tty7'`
			`## - 'pts/0' to 'pts/9'`
			`## - 'hvc0' to 'hvc9'`
/etc/security/access-security-misc.conf white list ttyS0 etc. ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 Thanks to @subpar_marlin for the bug report and helping to fix this! https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 https://forums.whonix.org/t/etc-security-hardening/8592 2020-04-13 06:50:32 -04:00			`## serial console`
			`## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43`
			`## - 'ttyS0' to 'ttyS9'`
fix, allow group `sudo` and `console` to use consoles fix /etc/security/access-security-misc.conf syntax error Thanks to @81a989 for the bug report! https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 2020-08-03 08:12:19 -04:00			`+:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9`
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00
console lockdown: allow members of group `sudo` to use console https://forums.whonix.org/t/etc-security-hardening/8592 https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown 2020-04-02 06:04:45 -04:00			## Same as above also for members of group `sudo`.
			`## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407`
fix, allow group `sudo` and `console` to use consoles fix /etc/security/access-security-misc.conf syntax error Thanks to @81a989 for the bug report! https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 2020-08-03 08:12:19 -04:00			`+:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9`
console lockdown: allow members of group `sudo` to use console https://forums.whonix.org/t/etc-security-hardening/8592 https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown 2020-04-02 06:04:45 -04:00
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`## Everyone else except members of group 'console-unrestricted'`
			`## are restricted from everything else.`
fix, allow group `sudo` and `console` to use consoles fix /etc/security/access-security-misc.conf syntax error Thanks to @81a989 for the bug report! https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 2020-08-03 08:12:19 -04:00			`-:ALL EXCEPT (console-unrestricted):ALL`