Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist

This commit is contained in:
maybebyte 2025-05-27 18:25:47 +00:00 committed by GitHub
commit 017ee29eb3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 273 additions and 15 deletions

View file

@ -1,3 +1,175 @@
commit 45016146f7c77d383f2254d19dc66ba9b883b8f2
Merge: ace45d7 395169f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 11:03:23 2025 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff
Merge: ace45d7 e14b81b
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 10:58:50 2025 -0400
Merge pull request #308 from maybebyte/permission-hardener-speedboost
perf(permission-hardener): optimize string match
commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 22:06:02 2025 +0000
bumped changelog version
commit 142ea2118989faddafa17db48efed379c4ac3f45
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:42:16 2025 -0400
fix
commit a969fa350e28ca296966509821a7c62b68f09a5a
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:40:27 2025 -0400
fix
commit f023651c984c52a997bc241f99f118255cf60809
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:35:37 2025 -0400
nounset
commit f086787464191a07e028dd92649c48b145023858
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:35:23 2025 -0400
fix
commit d7643954d184846c8b7fb5eda7200779126274eb
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:33:50 2025 -0400
minor
commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:32:16 2025 -0400
further validation of output of `faillock`
commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:29:01 2025 -0400
fix
commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:26:46 2025 -0400
output
commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:25:49 2025 -0400
output
commit ef8515ba82996b137c386eeb91e6f853d58a515f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:23:45 2025 -0400
improve error handling
commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:21:45 2025 -0400
fix
commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 15:52:16 2025 +0000
bumped changelog version
commit e1bae1c68aabc424924b6386fe4980d657dc2cdf
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 11:50:59 2025 -0400
fix
commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 13:58:18 2025 +0000
bumped changelog version
commit 14cf205579ff65fa765d7574e5d0e301a30a1904
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 08:36:16 2025 -0400
fix
commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 11:23:39 2025 +0000
bumped changelog version
commit 353b6e83c55d52b47a2a35063406324cec7237c4
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 07:20:13 2025 -0400
test that `wc` is functional
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
commit 5930e270521e0e5d6a0a3877c813accbf5253051
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 07:05:25 2025 -0400
pam-info: improve error handling
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
commit 5c981e0891ef009c5c2355f5f6383aca22c45638
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 06:55:09 2025 -0400
pam-info: fix, consistently write errors and warnings to stderr
commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12
Author: Ashlen <dev@anthes.is>
Date: Tue May 20 21:34:03 2025 -0600
perf(permission-hardener): optimize string match
Replace subprocess grep calls with bash substring matching in
check_nosuid_whitelist function. This eliminates ~10k unneeded
subprocess spawns that were causing significant performance
degradation.
In testing, it improves overall script execution speed by an
order of magnitude:
Before patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s]
Range (min … max): 10.430 s … 14.090 s 10 runs
After patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms]
Range (min … max): 639.4 ms … 1092.3 ms 10 runs
commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 20 11:40:27 2025 +0000
bumped changelog version
commit 405880e63b92319626332d083a6c5ad5101dbf77
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:44:42 2025 -0400

30
debian/changelog vendored
View file

@ -1,3 +1,33 @@
security-misc (3:45.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 27 May 2025 15:51:50 +0000
security-misc (3:45.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 22:06:01 +0000
security-misc (3:45.6-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 15:52:16 +0000
security-misc (3:45.5-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 13:58:18 +0000
security-misc (3:45.4-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 11:23:39 +0000
security-misc (3:45.3-1) unstable; urgency=medium
* New upstream version (local package).

View file

@ -4,8 +4,8 @@
## See the file COPYING for copying conditions.
if [ -z "$XDG_CONFIG_DIRS" ]; then
XDG_CONFIG_DIRS=/etc/xdg
XDG_CONFIG_DIRS="/etc/xdg"
fi
if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
fi

View file

@ -256,8 +256,7 @@ check_nosuid_whitelist() {
[[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
if safe_echo "${target_file}" \
| grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
return 1
fi
done

View file

@ -180,7 +180,7 @@ remount_secure() {
$output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then
if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then
$output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')"
return 0
fi

View file

@ -7,5 +7,15 @@ set -x
set -e
set -o pipefail
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
wc -L "/var/lib/apt/lists/"*InRelease
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'

View file

@ -19,11 +19,41 @@ fi
true "$0: START PHASE 2"
set -o errexit
set -o errtrace
set -o pipefail
set -o nounset
error_handler() {
exit_code="$?"
printf '%s\n' "\
$0: ERROR: Unexpected error.
BASH_COMMAND: '$BASH_COMMAND'
exit_code: '$exit_code'
ERROR: Please report this bug." >&2
exit 1
}
trap error_handler ERR
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
command -v str_replace &>/dev/null
## Named constants.
pam_faillock_state_dir="/var/lib/security-misc/faillock"
[[ -v PAM_USER ]] || PAM_USER=""
[[ -v SUDO_USER ]] || SUDO_USER=""
## Debugging.
who_ami="$(whoami)"
true "$0: who_ami: $who_ami"
@ -35,7 +65,7 @@ if [ "$PAM_USER" = "" ]; then
exit 0
fi
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true
## Check if grep matched something.
if [ ! "$grep_result" = "" ]; then
@ -47,6 +77,7 @@ if [ ! "$grep_result" = "" ]; then
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
console_allowed=""
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
console_allowed=true
fi
@ -76,7 +107,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
if [ "${sysmaint_lock_info}" = 'L' ]; then
printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
fi
fi
@ -86,7 +117,7 @@ fi
if [ "$PAM_USER" != 'sysmaint' ]; then
if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
fi
fi
@ -100,7 +131,7 @@ fi
# if [ "$grep_result" = "" ]; then
# printf '%s\n' "\
# $0: ERROR: Root login is disabled.
# ERROR: This is because /etc/securetty is empty.
# ERROR: This is because file '/etc/securetty' is empty.
# See also:
# https://www.kicksecure.com/wiki/root#login
# " >&2
@ -160,12 +191,28 @@ user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "
## user
## root
if [ "$PAM_USER" != "$user_name" ]; then
printf '%s\n' "\
$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'.
ERROR: Please report this bug.
" >&2
exit 1
fi
pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)"
## example pam_faillock_output_count:
## 2
## example pam_faillock_output_count:
## 4
if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then
printf '%s\n' "\
$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count'
ERROR: Please report this bug.
" >&2
exit 0
fi
## Do not count the first two informational textual output lines (starting with "user:" and "When") if present,
failed_login_counter=$(( pam_faillock_output_count - 2 ))
@ -174,7 +221,7 @@ failed_login_counter=$(( pam_faillock_output_count - 2 ))
## Ensuring failed_login_counter is not set to a negative value.
## https://github.com/Kicksecure/security-misc/pull/305
if [ "$failed_login_counter" -le "0" ]; then
if [ "$failed_login_counter" -lt "0" ]; then
true "$0: WARNING: Failed login counter is negative. Resetting to 0."
failed_login_counter=0
fi
@ -188,7 +235,7 @@ fi
deny=3
if test -f /etc/security/faillock.conf ; then
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true
deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
## Example:
#deny=50
@ -196,13 +243,13 @@ fi
if [[ "$deny" == *[!0-9]* ]]; then
printf '%s\n' "\
$0: ERROR: deny is not numeric. deny: '$deny'
$0: ERROR: Variable 'deny' is not numeric. deny: '$deny'
ERROR: Please report this bug.
" >&2
exit 0
fi
remaining_attempts="$(( $deny - $failed_login_counter ))"
remaining_attempts="$(( deny - failed_login_counter ))"
if [ "$remaining_attempts" -le "0" ]; then
printf '%s\n' "\
@ -221,7 +268,7 @@ https://www.kicksecure.com/wiki/root#unlock
fi
printf '%s\n' "\
$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'.
Login will be blocked after $deny attempts.
You have $remaining_attempts more attempts before unlock procedure is required.
" >&2