add console lockdown to pam info output

This commit is contained in:
Patrick Schleizer 2019-12-07 06:25:45 -05:00
parent 021b06dac9
commit 8b3f5a555b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 24 additions and 0 deletions


@ -28,6 +28,7 @@
owner /etc/nsswitch.conf r,
owner /etc/pam.d/* r,
owner /etc/passwd r,
owner /etc/group r,
owner /usr/share/zoneinfo/** r,
owner /var/log/tallylog rw,


@ -5,6 +5,29 @@
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
if grep -q "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account ; then
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then
console_allowed=true
fi
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then
console_allowed=true
fi
if [ ! "$console_allowed" = "true" ]; then
echo "$0: ERROR: PAM_USER: $PAM_USER is not a member of group 'console'" >&2
echo "$0: To unlock, run the following command as superuser:" >&2
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
echo "" >&2
echo "addgroup $PAM_USER console" >&2
echo "" >&2
echo "$0: However, possibly unlock procedure is required." >&2
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
echo "$0: See also:" >&2
echo "https://www.whonix.org/wiki/root#console" >&2
echo "" >&2
exit 0
fi
fi
if [ ! "$(id -u)" = "0" ]; then
## as user "user"
## /sbin/pam_tally2 -u user