2020-04-01 08:49:59 -04:00
|
|
|
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
2019-12-07 05:40:20 -05:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
2021-01-05 02:11:08 -05:00
|
|
|
## To enable root login, see:
|
|
|
|
## https://www.whonix.org/wiki/Root#Root_Login
|
|
|
|
|
2019-12-07 05:40:20 -05:00
|
|
|
## Console Lockdown
|
|
|
|
## https://forums.whonix.org/t/etc-security-hardening/8592
|
|
|
|
|
2019-12-07 05:52:06 -05:00
|
|
|
## This is the error message should this fail:
|
|
|
|
## sudo su
|
|
|
|
## sudo: PAM account management error: Permission denied
|
|
|
|
|
2019-12-07 05:40:20 -05:00
|
|
|
## see also:
|
|
|
|
## man access.conf
|
|
|
|
## man pam_access
|
|
|
|
|
|
|
|
## Usually tty7 is for X.
|
|
|
|
## Qubes uses tty1 for X.
|
|
|
|
|
2019-12-07 06:02:45 -05:00
|
|
|
## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.
|
2019-12-07 06:04:45 -05:00
|
|
|
## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
|
2020-03-31 07:08:25 -04:00
|
|
|
## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted.
|
2020-04-02 05:58:16 -04:00
|
|
|
|
|
|
|
## Allow members of group `console` to use:
|
|
|
|
## - 'console'
|
|
|
|
## - 'tty1' to 'tty7'
|
|
|
|
## - 'pts/0' to 'pts/9'
|
|
|
|
## - 'hvc0' to 'hvc9'
|
2020-04-13 06:50:32 -04:00
|
|
|
## serial console
|
|
|
|
## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
|
|
|
|
## - 'ttyS0' to 'ttyS9'
|
2020-08-03 08:12:19 -04:00
|
|
|
+:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
|
2019-12-07 05:40:20 -05:00
|
|
|
|
2020-04-02 06:04:45 -04:00
|
|
|
## Same as above also for members of group `sudo`.
|
|
|
|
## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
|
2020-08-03 08:12:19 -04:00
|
|
|
+:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
|
2020-04-02 06:04:45 -04:00
|
|
|
|
2019-12-07 05:40:20 -05:00
|
|
|
## Everyone else except members of group 'console-unrestricted'
|
|
|
|
## are restricted from everything else.
|
2020-08-03 08:12:19 -04:00
|
|
|
-:ALL EXCEPT (console-unrestricted):ALL
|