mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-08-02 17:26:08 -04:00
Merge branch 'Kicksecure:master' into erst
This commit is contained in:
commit
1c35303204
6 changed files with 329 additions and 29 deletions
|
@ -1,3 +1,207 @@
|
||||||
|
commit 142ea2118989faddafa17db48efed379c4ac3f45
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:42:16 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit a969fa350e28ca296966509821a7c62b68f09a5a
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:40:27 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit f023651c984c52a997bc241f99f118255cf60809
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:35:37 2025 -0400
|
||||||
|
|
||||||
|
nounset
|
||||||
|
|
||||||
|
commit f086787464191a07e028dd92649c48b145023858
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:35:23 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit d7643954d184846c8b7fb5eda7200779126274eb
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:33:50 2025 -0400
|
||||||
|
|
||||||
|
minor
|
||||||
|
|
||||||
|
commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:32:16 2025 -0400
|
||||||
|
|
||||||
|
further validation of output of `faillock`
|
||||||
|
|
||||||
|
commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:29:01 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:26:46 2025 -0400
|
||||||
|
|
||||||
|
output
|
||||||
|
|
||||||
|
commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:25:49 2025 -0400
|
||||||
|
|
||||||
|
output
|
||||||
|
|
||||||
|
commit ef8515ba82996b137c386eeb91e6f853d58a515f
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:23:45 2025 -0400
|
||||||
|
|
||||||
|
improve error handling
|
||||||
|
|
||||||
|
commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 12:21:45 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 15:52:16 2025 +0000
|
||||||
|
|
||||||
|
bumped changelog version
|
||||||
|
|
||||||
|
commit e1bae1c68aabc424924b6386fe4980d657dc2cdf
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 11:50:59 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 13:58:18 2025 +0000
|
||||||
|
|
||||||
|
bumped changelog version
|
||||||
|
|
||||||
|
commit 14cf205579ff65fa765d7574e5d0e301a30a1904
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 08:36:16 2025 -0400
|
||||||
|
|
||||||
|
fix
|
||||||
|
|
||||||
|
commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 11:23:39 2025 +0000
|
||||||
|
|
||||||
|
bumped changelog version
|
||||||
|
|
||||||
|
commit 353b6e83c55d52b47a2a35063406324cec7237c4
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 07:20:13 2025 -0400
|
||||||
|
|
||||||
|
test that `wc` is functional
|
||||||
|
|
||||||
|
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
|
||||||
|
|
||||||
|
commit 5930e270521e0e5d6a0a3877c813accbf5253051
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 07:05:25 2025 -0400
|
||||||
|
|
||||||
|
pam-info: improve error handling
|
||||||
|
|
||||||
|
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
|
||||||
|
|
||||||
|
commit 5c981e0891ef009c5c2355f5f6383aca22c45638
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Wed May 21 06:55:09 2025 -0400
|
||||||
|
|
||||||
|
pam-info: fix, consistently write errors and warnings to stderr
|
||||||
|
|
||||||
|
commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Tue May 20 11:40:27 2025 +0000
|
||||||
|
|
||||||
|
bumped changelog version
|
||||||
|
|
||||||
|
commit 405880e63b92319626332d083a6c5ad5101dbf77
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:44:42 2025 -0400
|
||||||
|
|
||||||
|
handle case of non-existence of /proc/cmdline
|
||||||
|
|
||||||
|
commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:44:04 2025 -0400
|
||||||
|
|
||||||
|
refactoring
|
||||||
|
|
||||||
|
commit 601ea77b005d18b57a85e0701f3981edd61b7881
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:42:39 2025 -0400
|
||||||
|
|
||||||
|
end-of-options
|
||||||
|
|
||||||
|
commit d8feca12768441b0499ead7cc9f9bce4e89b1edf
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:41:41 2025 -0400
|
||||||
|
|
||||||
|
printf
|
||||||
|
|
||||||
|
commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:40:50 2025 -0400
|
||||||
|
|
||||||
|
refactoring
|
||||||
|
|
||||||
|
commit 4d1f8c44d28895587abce586ed5b2fe354544f6a
|
||||||
|
Merge: 341dce3 e478750
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:36:08 2025 -0400
|
||||||
|
|
||||||
|
Merge remote-tracking branch 'github-kicksecure/master'
|
||||||
|
|
||||||
|
commit e478750814798f3d9aa60354b6cecbb84769ed53
|
||||||
|
Merge: 341dce3 91a76db
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Sun May 18 06:35:23 2025 -0400
|
||||||
|
|
||||||
|
Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix
|
||||||
|
|
||||||
|
Prevent erroneous "Login blocked after [negative number] attempts" errors
|
||||||
|
|
||||||
|
commit 91a76db66bb496ba4650ada38df31636297738cf
|
||||||
|
Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
|
||||||
|
Date: Thu May 15 15:42:50 2025 -0400
|
||||||
|
|
||||||
|
Prevent erroneous "Login blocked after [negative number] attempts" errors
|
||||||
|
|
||||||
|
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
|
||||||
|
|
||||||
|
This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
|
||||||
|
|
||||||
|
This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
|
||||||
|
|
||||||
|
* Only rudimentary local tests were conducted
|
||||||
|
|
||||||
|
commit 6c3be9ced071e73e78451c82e8def9c5a5b02598
|
||||||
|
Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
|
||||||
|
Date: Thu May 15 15:06:10 2025 -0400
|
||||||
|
|
||||||
|
Prevent erroneous "Login blocked after [negative number] attempts" errors
|
||||||
|
|
||||||
|
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
|
||||||
|
|
||||||
|
This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
|
||||||
|
|
||||||
|
This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
|
||||||
|
|
||||||
|
* Only rudimentary tests were conducted
|
||||||
|
|
||||||
|
commit 341dce33fb806ab03822470e6af91604662c22dd
|
||||||
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
|
Date: Fri Apr 25 09:54:23 2025 +0000
|
||||||
|
|
||||||
|
bumped changelog version
|
||||||
|
|
||||||
commit 06e1e44b0039807baa862102b12fc5e199c3ccb3
|
commit 06e1e44b0039807baa862102b12fc5e199c3ccb3
|
||||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||||
Date: Fri Apr 25 05:51:21 2025 -0400
|
Date: Fri Apr 25 05:51:21 2025 -0400
|
||||||
|
|
30
debian/changelog
vendored
30
debian/changelog
vendored
|
@ -1,3 +1,33 @@
|
||||||
|
security-misc (3:45.7-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream version (local package).
|
||||||
|
|
||||||
|
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 22:06:01 +0000
|
||||||
|
|
||||||
|
security-misc (3:45.6-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream version (local package).
|
||||||
|
|
||||||
|
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 15:52:16 +0000
|
||||||
|
|
||||||
|
security-misc (3:45.5-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream version (local package).
|
||||||
|
|
||||||
|
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 13:58:18 +0000
|
||||||
|
|
||||||
|
security-misc (3:45.4-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream version (local package).
|
||||||
|
|
||||||
|
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 11:23:39 +0000
|
||||||
|
|
||||||
|
security-misc (3:45.3-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream version (local package).
|
||||||
|
|
||||||
|
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 20 May 2025 11:40:27 +0000
|
||||||
|
|
||||||
security-misc (3:45.2-1) unstable; urgency=medium
|
security-misc (3:45.2-1) unstable; urgency=medium
|
||||||
|
|
||||||
* New upstream version (local package).
|
* New upstream version (local package).
|
||||||
|
|
|
@ -4,8 +4,8 @@
|
||||||
## See the file COPYING for copying conditions.
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
if [ -z "$XDG_CONFIG_DIRS" ]; then
|
if [ -z "$XDG_CONFIG_DIRS" ]; then
|
||||||
XDG_CONFIG_DIRS=/etc/xdg
|
XDG_CONFIG_DIRS="/etc/xdg"
|
||||||
fi
|
fi
|
||||||
if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
|
if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
|
||||||
export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
|
export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -180,7 +180,7 @@ remount_secure() {
|
||||||
|
|
||||||
$output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
|
$output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
|
||||||
|
|
||||||
if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then
|
if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then
|
||||||
$output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')"
|
$output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -7,5 +7,15 @@ set -x
|
||||||
set -e
|
set -e
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
|
if ! printf '%s\n' "" | wc -l >/dev/null ; then
|
||||||
|
printf '%s\n' "\
|
||||||
|
$0: ERROR: command 'wc' test failed! Do not ignore this!
|
||||||
|
|
||||||
|
'wc' can core dump. Example:
|
||||||
|
zsh: illegal hardware instruction (core dumped) wc -l
|
||||||
|
https://github.com/rspamd/rspamd/issues/5137" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
wc -L "/var/lib/apt/lists/"*InRelease
|
wc -L "/var/lib/apt/lists/"*InRelease
|
||||||
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
|
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
|
||||||
|
|
|
@ -19,11 +19,41 @@ fi
|
||||||
|
|
||||||
true "$0: START PHASE 2"
|
true "$0: START PHASE 2"
|
||||||
|
|
||||||
|
set -o errexit
|
||||||
|
set -o errtrace
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
set -o nounset
|
||||||
|
|
||||||
|
error_handler() {
|
||||||
|
exit_code="$?"
|
||||||
|
printf '%s\n' "\
|
||||||
|
$0: ERROR: Unexpected error.
|
||||||
|
BASH_COMMAND: '$BASH_COMMAND'
|
||||||
|
exit_code: '$exit_code'
|
||||||
|
ERROR: Please report this bug." >&2
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
trap error_handler ERR
|
||||||
|
|
||||||
|
if ! printf '%s\n' "" | wc -l >/dev/null ; then
|
||||||
|
printf '%s\n' "\
|
||||||
|
$0: ERROR: command 'wc' test failed! Do not ignore this!
|
||||||
|
|
||||||
|
'wc' can core dump. Example:
|
||||||
|
zsh: illegal hardware instruction (core dumped) wc -l
|
||||||
|
https://github.com/rspamd/rspamd/issues/5137" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
command -v str_replace &>/dev/null
|
||||||
|
|
||||||
## Named constants.
|
## Named constants.
|
||||||
pam_faillock_state_dir="/var/lib/security-misc/faillock"
|
pam_faillock_state_dir="/var/lib/security-misc/faillock"
|
||||||
|
|
||||||
|
[[ -v PAM_USER ]] || PAM_USER=""
|
||||||
|
[[ -v SUDO_USER ]] || SUDO_USER=""
|
||||||
|
|
||||||
## Debugging.
|
## Debugging.
|
||||||
who_ami="$(whoami)"
|
who_ami="$(whoami)"
|
||||||
true "$0: who_ami: $who_ami"
|
true "$0: who_ami: $who_ami"
|
||||||
|
@ -35,18 +65,19 @@ if [ "$PAM_USER" = "" ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
|
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true
|
||||||
|
|
||||||
## Check if grep matched something.
|
## Check if grep matched something.
|
||||||
if [ ! "$grep_result" = "" ]; then
|
if [ ! "$grep_result" = "" ]; then
|
||||||
## Yes, grep matched.
|
## Yes, grep matched.
|
||||||
|
|
||||||
## Check if not out commented.
|
## Check if not out commented.
|
||||||
if ! echo "$grep_result" | grep --quiet -- "#" ; then
|
if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then
|
||||||
## Not out commented indeed.
|
## Not out commented indeed.
|
||||||
|
|
||||||
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
|
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
|
||||||
|
|
||||||
|
console_allowed=""
|
||||||
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
|
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
|
||||||
console_allowed=true
|
console_allowed=true
|
||||||
fi
|
fi
|
||||||
|
@ -55,7 +86,7 @@ if [ ! "$grep_result" = "" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! "$console_allowed" = "true" ]; then
|
if [ ! "$console_allowed" = "true" ]; then
|
||||||
echo "\
|
printf '%s\n' "\
|
||||||
$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
|
$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
|
||||||
To unlock, run the following command as superuser:
|
To unlock, run the following command as superuser:
|
||||||
(If you still have a sudo/root shell somewhere.)
|
(If you still have a sudo/root shell somewhere.)
|
||||||
|
@ -76,15 +107,18 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
|
||||||
sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
|
sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
|
||||||
sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
|
sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
|
||||||
if [ "${sysmaint_lock_info}" = 'L' ]; then
|
if [ "${sysmaint_lock_info}" = 'L' ]; then
|
||||||
echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
|
printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
kernel_cmdline="$(cat /proc/cmdline)"
|
if test -f /proc/cmdline; then
|
||||||
|
kernel_cmdline="$(cat -- /proc/cmdline)"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$PAM_USER" != 'sysmaint' ] \
|
if [ "$PAM_USER" != 'sysmaint' ]; then
|
||||||
&& [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
|
if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
|
||||||
echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
|
printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
|
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
|
||||||
|
@ -93,11 +127,11 @@ fi
|
||||||
## Also this should only run for login since securetty covers only login.
|
## Also this should only run for login since securetty covers only login.
|
||||||
# if [ "$PAM_USER" = "root" ]; then
|
# if [ "$PAM_USER" = "root" ]; then
|
||||||
# if [ -f /etc/securetty ]; then
|
# if [ -f /etc/securetty ]; then
|
||||||
# grep_result="$(grep "^[^#]" /etc/securetty)"
|
# grep_result="$(grep -- "^[^#]" /etc/securetty)"
|
||||||
# if [ "$grep_result" = "" ]; then
|
# if [ "$grep_result" = "" ]; then
|
||||||
# echo "\
|
# printf '%s\n' "\
|
||||||
# $0: ERROR: Root login is disabled.
|
# $0: ERROR: Root login is disabled.
|
||||||
# ERROR: This is because /etc/securetty is empty.
|
# ERROR: This is because file '/etc/securetty' is empty.
|
||||||
# See also:
|
# See also:
|
||||||
# https://www.kicksecure.com/wiki/root#login
|
# https://www.kicksecure.com/wiki/root#login
|
||||||
# " >&2
|
# " >&2
|
||||||
|
@ -143,7 +177,7 @@ fi
|
||||||
## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
|
## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
|
||||||
|
|
||||||
## Get first line.
|
## Get first line.
|
||||||
#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
|
#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)"
|
||||||
while read -t 10 -r pam_faillock_output_first_line ; do
|
while read -t 10 -r pam_faillock_output_first_line ; do
|
||||||
break
|
break
|
||||||
done <<< "$pam_faillock_output"
|
done <<< "$pam_faillock_output"
|
||||||
|
@ -152,24 +186,46 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
|
||||||
## example pam_faillock_output_first_line:
|
## example pam_faillock_output_first_line:
|
||||||
## user:
|
## user:
|
||||||
|
|
||||||
user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")"
|
user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")"
|
||||||
## example user_name:
|
## example user_name:
|
||||||
## user
|
## user
|
||||||
## root
|
## root
|
||||||
|
|
||||||
pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
|
if [ "$PAM_USER" != "$user_name" ]; then
|
||||||
|
printf '%s\n' "\
|
||||||
|
$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'.
|
||||||
|
ERROR: Please report this bug.
|
||||||
|
" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)"
|
||||||
## example pam_faillock_output_count:
|
## example pam_faillock_output_count:
|
||||||
## 2
|
## 2
|
||||||
## example pam_faillock_output_count:
|
## example pam_faillock_output_count:
|
||||||
## 4
|
## 4
|
||||||
|
|
||||||
## Do not count the first two informational textual output lines
|
if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then
|
||||||
## (starting with "user:" and "When").
|
printf '%s\n' "\
|
||||||
|
$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count'
|
||||||
|
ERROR: Please report this bug.
|
||||||
|
" >&2
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Do not count the first two informational textual output lines (starting with "user:" and "When") if present,
|
||||||
failed_login_counter=$(( pam_faillock_output_count - 2 ))
|
failed_login_counter=$(( pam_faillock_output_count - 2 ))
|
||||||
|
|
||||||
## example failed_login_counter:
|
## example failed_login_counter:
|
||||||
## 2
|
## 2
|
||||||
|
|
||||||
|
## Ensuring failed_login_counter is not set to a negative value.
|
||||||
|
## https://github.com/Kicksecure/security-misc/pull/305
|
||||||
|
if [ "$failed_login_counter" -lt "0" ]; then
|
||||||
|
true "$0: WARNING: Failed login counter is negative. Resetting to 0."
|
||||||
|
failed_login_counter=0
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$failed_login_counter" = "0" ]; then
|
if [ "$failed_login_counter" = "0" ]; then
|
||||||
true "$0: INFO: Failed login counter is 0, ok."
|
true "$0: INFO: Failed login counter is 0, ok."
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -179,24 +235,24 @@ fi
|
||||||
deny=3
|
deny=3
|
||||||
|
|
||||||
if test -f /etc/security/faillock.conf ; then
|
if test -f /etc/security/faillock.conf ; then
|
||||||
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
|
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true
|
||||||
deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
|
deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
|
||||||
## Example:
|
## Example:
|
||||||
#deny=50
|
#deny=50
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$deny" == *[!0-9]* ]]; then
|
if [[ "$deny" == *[!0-9]* ]]; then
|
||||||
echo "\
|
printf '%s\n' "\
|
||||||
$0: ERROR: deny is not numeric. deny: '$deny'
|
$0: ERROR: Variable 'deny' is not numeric. deny: '$deny'
|
||||||
ERROR: Please report this bug.
|
ERROR: Please report this bug.
|
||||||
" >&2
|
" >&2
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
remaining_attempts="$(( $deny - $failed_login_counter ))"
|
remaining_attempts="$(( deny - failed_login_counter ))"
|
||||||
|
|
||||||
if [ "$remaining_attempts" -le "0" ]; then
|
if [ "$remaining_attempts" -le "0" ]; then
|
||||||
echo "\
|
printf '%s\n' "\
|
||||||
$0: ERROR: Login blocked after $failed_login_counter attempts.
|
$0: ERROR: Login blocked after $failed_login_counter attempts.
|
||||||
To unlock, run the following command as superuser:
|
To unlock, run the following command as superuser:
|
||||||
(If you still have a sudo/root shell somewhere.)
|
(If you still have a sudo/root shell somewhere.)
|
||||||
|
@ -211,14 +267,14 @@ https://www.kicksecure.com/wiki/root#unlock
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "\
|
printf '%s\n' "\
|
||||||
$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
|
$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'.
|
||||||
Login will be blocked after $deny attempts.
|
Login will be blocked after $deny attempts.
|
||||||
You have $remaining_attempts more attempts before unlock procedure is required.
|
You have $remaining_attempts more attempts before unlock procedure is required.
|
||||||
" >&2
|
" >&2
|
||||||
|
|
||||||
if [ "$PAM_SERVICE" = "su" ]; then
|
if [ "$PAM_SERVICE" = "su" ]; then
|
||||||
echo "\
|
printf '%s\n' "\
|
||||||
$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
|
$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
|
||||||
" >&2
|
" >&2
|
||||||
fi
|
fi
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue