Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 12:56:23 -05:00
Code Issues Projects Releases Packages Wiki Activity

refactoring

Browse source
This commit is contained in:
Patrick Schleizer 2025-11-10 02:15:30 -05:00
parent ddb59a3b01
commit 61637a5ff0
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
1 changed files with 74 additions and 74 deletions
Download patch file Download diff file Expand all files Collapse all files

148
usr/libexec/security-misc/block-unsafe-logins#security-misc-shared
View file

@ -28,81 +28,81 @@ if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then
fi fi
true 'INFO: Running in sysmaint session and logging into sysmaint account, allowing authentication to proceed.' true 'INFO: Running in sysmaint session and logging into sysmaint account, allowing authentication to proceed.'
exit 0 exit 0
else fi
if ! output="$(/usr/libexec/helper-scripts/get-user-list)"; then
printf '%s\n' 'ERROR: Failed to get user list!'
exit 1
fi
readarray -t user_list <<< "$output"
if [ "${#user_list[@]}" = '0' ] || [ -z "${user_list[0]}" ]; then
printf '%s\n' 'ERROR: No user accounts found!'
exit 1
fi
## Minor race condition here, quick deletion of users during this process if ! output="$(/usr/libexec/helper-scripts/get-user-list)"; then
## could result in user_list and passwd_status_list becoming misaligned. This printf '%s\n' 'ERROR: Failed to get user list!'
## attack would require root privileges to execute though, so this is likely exit 1
## not a concern. We do this before checking if $PAM_USER is in the list of fi
## interactive users to keep the race window as short as possible. readarray -t user_list <<< "$output"
if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then if [ "${#user_list[@]}" = '0' ] || [ -z "${user_list[0]}" ]; then
printf '%s\n' 'ERROR: Failed to get password status list!' printf '%s\n' 'ERROR: No user accounts found!'
exit 1 exit 1
fi
## Minor race condition here, quick deletion of users during this process
## could result in user_list and passwd_status_list becoming misaligned. This
## attack would require root privileges to execute though, so this is likely
## not a concern. We do this before checking if $PAM_USER is in the list of
## interactive users to keep the race window as short as possible.
if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then
printf '%s\n' 'ERROR: Failed to get password status list!'
exit 1
fi
readarray -t passwd_status_list <<< "$output"
if [ "${#passwd_status_list[@]}" = '0' ] \
|| [ -z "${passwd_status_list[0]}" ] \
|| (( ${#passwd_status_list[@]} != ${#user_list[@]} )); then
printf '%s\n' 'ERROR: Unexpected number of password status entries!'
exit 1
fi
if [ "$PAM_USER" = 'sysmaint' ]; then
printf '%s\n' 'ERROR: Rejecting sysmaint account in user session!'
exit 1
fi
interactive_user_idx='-1'
for user_idx in "${!user_list[@]}"; do
if [ "${user_list[user_idx]}" = "$PAM_USER" ]; then
interactive_user_idx="$user_idx"
break
fi fi
readarray -t passwd_status_list <<< "$output" done
if [ "${#passwd_status_list[@]}" = '0' ] \ if [ "$interactive_user_idx" = '-1' ]; then
|| [ -z "${passwd_status_list[0]}" ] \ ## This isn't a user account we care about (it's not an interactive
|| (( ${#passwd_status_list[@]} != ${#user_list[@]} )); then ## account), therefore allow authentication to proceed.
printf '%s\n' 'ERROR: Unexpected number of password status entries!' true "INFO: Account '$PAM_USER' is not an interactive account, allowing authentication to proceed."
exit 1
fi
if [ "$PAM_USER" = 'sysmaint' ]; then
printf '%s\n' 'ERROR: Rejecting sysmaint account in user session!'
exit 1
fi
interactive_user_idx='-1'
for user_idx in "${!user_list[@]}"; do
if [ "${user_list[user_idx]}" = "$PAM_USER" ]; then
interactive_user_idx="$user_idx"
break
fi
done
if [ "$interactive_user_idx" = '-1' ]; then
## This isn't a user account we care about (it's not an interactive
## account), therefore allow authentication to proceed.
true "INFO: Account '$PAM_USER' is not an interactive account, allowing authentication to proceed."
exit 0
fi
IFS=' ' read -r -a user_gid_list < <(id --groups "$PAM_USER")
sensitive_group_list=( 'sudo' 'root' 'sysmaint' )
is_user_sensitive='false'
for sensitive_group in "${sensitive_group_list[@]}"; do
sensitive_gid="$(accountctl "$sensitive_group" get-entry group gid)"
for user_gid in "${user_gid_list[@]}"; do
if [ "$sensitive_gid" = "$user_gid" ]; then
is_user_sensitive='true'
break
fi
done
if [ "$is_user_sensitive" = 'true' ]; then
break
fi
done
if [ "$is_user_sensitive" = 'true' ]; then
if [ "${passwd_status_list[interactive_user_idx]}" = 'Absent' ]; then
## User account is sensitive and passwordless, deny authentication
printf '%s\n' "ERROR: Rejecting passwordless sensitive account '$PAM_USER'!"
exit 1
else
true "INFO: Account '$PAM_USER' is sensitive but protected, allowing authentication to proceed."
exit 0
fi
fi
true "INFO: Account '$PAM_USER' is not sensitive, allowing authentication to proceed."
exit 0 exit 0
fi fi
IFS=' ' read -r -a user_gid_list < <(id --groups "$PAM_USER")
sensitive_group_list=( 'sudo' 'root' 'sysmaint' )
is_user_sensitive='false'
for sensitive_group in "${sensitive_group_list[@]}"; do
sensitive_gid="$(accountctl "$sensitive_group" get-entry group gid)"
for user_gid in "${user_gid_list[@]}"; do
if [ "$sensitive_gid" = "$user_gid" ]; then
is_user_sensitive='true'
break
fi
done
if [ "$is_user_sensitive" = 'true' ]; then
break
fi
done
if [ "$is_user_sensitive" = 'true' ]; then
if [ "${passwd_status_list[interactive_user_idx]}" = 'Absent' ]; then
## User account is sensitive and passwordless, deny authentication
printf '%s\n' "ERROR: Rejecting passwordless sensitive account '$PAM_USER'!"
exit 1
else
true "INFO: Account '$PAM_USER' is sensitive but protected, allowing authentication to proceed."
exit 0
fi
fi
true "INFO: Account '$PAM_USER' is not sensitive, allowing authentication to proceed."
exit 0