Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

abort installation if no user is a member of group "console"; output

Browse Source 
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
This commit is contained in:
Patrick Schleizer 2019-12-08 02:38:19 -05:00
parent 1dbca1ea2d
commit 0f65b2e85c
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
debian/security-misc.preinst vendored
View File

@ -15,7 +15,7 @@ true "
##################################################################### #####################################################################
" "
if [ "$1" = "install" ]; then if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
sudo_users="$(getent group sudo | cut -d: -f4)" sudo_users="$(getent group sudo | cut -d: -f4)"
## example sudo_users: ## example sudo_users:
## user,root ## user,root
@ -42,8 +42,53 @@ if [ "$1" = "install" ]; then
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
if [ ! "$are_there_any_sudo_users" = "yes" ]; then if [ ! "$are_there_any_sudo_users" = "yes" ]; then
echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
echo "$0: ERROR: You probably want to run:" >&2
echo "" >&2
echo "sudo adduser user sudo" >&2
echo "sudo adduser user console" >&2
echo "" >&2
echo "" >&2
echo "$0: ERROR: See also installation instructions:" >&2
echo "https://www.whonix.org/wiki/security-misc#install" >&2
exit 200 exit 200
fi fi
console_users="$(getent group console | cut -d: -f4)"
## example sudo_users:
## user
console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
OLD_IFS="$IFS"
IFS=","
export IFS
for user_with_sudo in $console_users $console_unrestricted_users ; do
if [ "$user_with_sudo" = "root" ]; then
## root login is also restricted.
## Therefore user "root" being member of group "console" is
## considered insufficient.
continue
fi
are_there_any_console_users=yes
break
done
IFS="$OLD_IFS"
export IFS
## Prevent users from locking themselves out.
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
if [ ! "$are_there_any_console_users" = "yes" ]; then
echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
echo "$0: ERROR: You probably want to run:" >&2
echo "" >&2
echo "sudo adduser user console" >&2
echo "" >&2
echo "" >&2
echo "$0: ERROR: See also installation instructions:" >&2
echo "https://www.whonix.org/wiki/security-misc#install" >&2
exit 201
fi
fi fi
true "INFO: debhelper beginning here." true "INFO: debhelper beginning here."