From e89552c9846f85b4bbf73595080d71dcd873fe29 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 31 Dec 2019 05:55:44 -0500
Subject: [PATCH] add user "user" to group "console" in Whonix and Kicksecure enable Console Lockdown in Whonix and Kicksecure
---
 debian/security-misc.preinst | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 4fa5c52..60b3733 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -138,7 +138,42 @@ console_users_check() {
 fi
 }
 
+legacy() {
+ if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then
+ return 0
+ fi
+
+ if [ -f "/usr/share/whonix/marker" ]; then
+ continue_yes=true
+ if [ -f "/usr/share/kicksecure/marker" ]; then
+ continue_yes=true
+ fi
+
+ if [ "$continue_yes" = "yes" ]; then
+ return 0
+ fi
+
+ if command -v "qubesdb-read" &>/dev/null; then
+ ## Qubes users can use dom0 to get a root terminal emulator.
+ ## For example:
+ ## qvm-run -u root debian-10 xterm
+ return 0
+ fi
+
+ ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
+
+ user_to_be_created=user
+
+ addgroup "$user_to_be_created" console
+
+ pam-auth-update --enable console-lockdown-security-misc
+
+ mkdir --parents "/var/lib/legacy/do_once"
+ touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1"
+}
+
 user_groups_modifications
+legacy
 
 if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
 sudo_users_check
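Review bot: The marker check in `legacy()` is not well formed: `if [ -f "/usr/share/whonix/marker" ]; then` has no closing `fi`, so the function's `}` arrives while an `if` is still open and the preinst would fail to parse. The guard after it cannot work as written either, because `continue_yes` is set to `true` but compared with `"yes"`, and it returns when the value matches rather than when it does not. Going by the commit subject the intent is to proceed only on Whonix and Kicksecure, so add `fi` after the first `continue_yes=true` and change the test to `if [ "$continue_yes" != "true" ]; then`. Since this step turns on console lockdown through `pam-auth-update`, it would be safer to confirm that `addgroup "$user_to_be_created" console` succeeded (and that the account exists at preinst time) before enabling it, otherwise the interactive account could end up shut out of the console. `legacy` is also called outside the `install`/`upgrade` check that follows it, and `&>` and `${FUNCNAME}` need bash, which the hunk does not show the shebang for.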