add user "user" to group "console" in Whonix and Kicksecure

enable Console Lockdown in Whonix and Kicksecure
2024-10-01 08:25:45 -04:00 · 2019-12-31 05:55:44 -05:00 · 2019-12-31 05:55:44 -05:00 · e89552c984
commit e89552c984
parent b5a2d1dc58
1 changed files with 35 additions and 0 deletions
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@ -138,7 +138,42 @@ console_users_check() {
   fi
 }

+legacy() {
+   if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then
+      return 0
+   fi
+
+   if [ -f "/usr/share/whonix/marker" ]; then
+      continue_yes=true
+   if [ -f "/usr/share/kicksecure/marker" ]; then
+      continue_yes=true
+   fi
+
+   if [ "$continue_yes" = "yes" ]; then
+      return 0
+   fi
+
+   if command -v "qubesdb-read" &>/dev/null; then
+      ## Qubes users can use dom0 to get a root terminal emulator.
+      ## For example:
+      ## qvm-run -u root debian-10 xterm
+      return 0
+   fi
+
+   ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
+
+   user_to_be_created=user
+
+   addgroup "$user_to_be_created" console
+
+   pam-auth-update --enable console-lockdown-security-misc
+
+   mkdir --parents "/var/lib/legacy/do_once"
+   touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1"
+}
+
 user_groups_modifications
+legacy

 if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
   sudo_users_check