Merge branch 'Kicksecure:master' into framebuffer

2024-10-01 08:25:45 -04:00 · 2022-12-13 05:14:56 +00:00 · 2022-12-13 05:14:56 +00:00 · f81714be50
commit f81714be50
parent d67845fea8 98f753d8ff
4 changed files with 325 additions and 64 deletions
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,167 @@
+commit 6d7a78262464c054c46df155605a480f1b32f22c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:21:46 2022 -0500
+
+    fix
+
+commit 421f03ae9e648d366146415532d4dd9dda106980
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:20:56 2022 -0500
+
+    fix
+
+commit ad1e722879ef049ef421f0062ee383770d66bfee
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:00:33 2022 -0500
+
+    bumped changelog version
+
+commit a806c782d78d691617dd650808a0403ce72d4a1a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:00:23 2022 -0500
+
+    fix
+
+commit 4601e106c4823f2cb0dc7a8ba601670395c96326
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:49:26 2022 -0500
+
+    bumped changelog version
+
+commit 39b35ef9ac7489685df5486334a0acf5936e9b47
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:49:15 2022 -0500
+
+    fix
+
+commit 73963a9e6847fd8099093da1253267d79db7d261
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:31:37 2022 -0500
+
+    bumped changelog version
+
+commit d05c10172178d04781976026243297fa153125a0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:31:24 2022 -0500
+
+    debugging
+
+commit 36454c2dbf43de4805f2f156b05d263c37b9615a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:25:47 2022 -0500
+
+    debugging
+
+commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:24:14 2022 -0500
+
+    debugging
+
+commit 97722d1926bc106a0645783fcb55b7d5691c873b
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:14:15 2022 -0500
+
+    bumped changelog version
+
+commit 497b5b45442b1293b130fef63de1b84d091d27eb
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:14:04 2022 -0500
+
+    fix
+
+commit d7222b5678aa182866c389d8a88f55b6488e74e0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 22 06:03:13 2022 -0500
+
+    bumped changelog version
+
+commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 22 05:57:30 2022 -0500
+
+    pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
+
+commit d419898ee494fb159ed6811a719dbb4a5ffb469a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 17 10:15:36 2022 -0500
+
+    bumped changelog version
+
+commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 02:01:23 2022 -0500
+
+    pam-info refactoring
+
+commit caf0099064747a2048363e3600a53af51df549ad
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 02:00:32 2022 -0500
+
+    pam-info refactoring
+
+commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:56:01 2022 -0500
+
+    comment
+
+commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:55:14 2022 -0500
+
+    pam-info fix
+
+commit ae113442a162969561a24fcf17718ceb6a11d928
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:49:45 2022 -0500
+
+    pam-info refactoring
+
+commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:44:21 2022 -0500
+
+    pam-info refactoring
+
+commit e5d7ab7082908e64596ccd1da835a781cae22456
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:44:12 2022 -0500
+
+    comment
+
+commit 23b936b573c8989222a50d1ef8c35dc95589bb0e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:31:14 2022 -0500
+
+    also support /usr/local/etc/pam-info-debug
+
+commit 95487346dbb18c4ac9133fc21b4abed12dc346b3
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:29:41 2022 -0500
+
+    pam-info: create debug log file ~/pam-info-debug.txt
+    
+    when file /etc/pam-info-debug exists
+
+commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:00:59 2022 -0500
+
+    comments
+
+commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 11:58:50 2022 -0500
+
+    debugging
+
+commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Aug 24 18:28:39 2022 -0400
+
+    bumped changelog version
+
 commit cdfc175953a8ab358bb8e6db2610df11733ba258
 Merge: ff84514 ae4d498
 Author: Patrick Schleizer <adrelanos@whonix.org>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,45 @@
+security-misc (3:26.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 12:21:58 +0000
+
+security-misc (3:26.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 12:00:33 +0000
+
+security-misc (3:26.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:49:25 +0000
+
+security-misc (3:26.3-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:31:37 +0000
+
+security-misc (3:26.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:14:15 +0000
+
+security-misc (3:26.1-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 22 Nov 2022 11:03:13 +0000
+
+security-misc (3:26.0-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 17 Nov 2022 15:15:36 +0000
+
 security-misc (3:25.9-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@ -3,3 +3,4 @@

 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@ -3,6 +3,35 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.

+## To enable debug log, run:
+## sudo touch /etc/pam-info-debug
+##
+## Debug log if enabled can be found in file:
+## /root/pam-info-debug.txt
+
+true "$0: START PHASE 1"
+
+if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
+   set -x
+   exec 5>&1 1>> ~/pam-info-debug.txt
+   exec 6>&2 2>> ~/pam-info-debug.txt
+fi
+
+true "$0: START PHASE 2"
+
+set -o pipefail
+
+## Debugging.
+who_ami="$(whoami)"
+true "$0: who_ami: $who_ami"
+true "$0: PAM_USER: $PAM_USER"
+true "$0: SUDO_USER: $SUDO_USER"
+
+if [ "$PAM_USER" = "" ]; then
+   true "$0: ERROR: Environment variable PAM_USER is unset!"
+   exit 0
+fi
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"

 ## Check if grep matched something.
@ -23,17 +52,18 @@ if [ ! "$grep_result" = "" ]; then
      fi

      if [ ! "$console_allowed" = "true" ]; then
-         echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2
-         echo "$0: To unlock, run the following command as superuser:" >&2
-         echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
-         echo "" >&2
-         echo "adduser $PAM_USER console" >&2
-         echo "" >&2
-         echo "$0: However, possibly unlock procedure is required." >&2
-         echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
-         echo "$0: See also:" >&2
-         echo "https://www.kicksecure.com/wiki/root#console" >&2
-         echo "" >&2
+         echo "\
+$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+adduser $PAM_USER console
+
+However, possibly unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#console
+" >&2
         exit 0
      fi
   fi
@ -41,73 +71,91 @@ fi

 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698

-if [ ! "$(id -u)" = "0" ]; then
-   ## as user "user"
-   ## /usr/sbin/faillock -u user
-   ## faillock: Error opening /var/log/tallylog for update: Permission denied
-   ## /usr/sbin/faillock: Authentication error
-   ##
-   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
-   ## xscreensaver has its own failed login counter.
-   ##
-   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
-   ##
-   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
-   ## TODO: echo -> true
-   echo "$0: not started as root, exiting."
-   exit 0
-fi
-
 ## Does not work (yet) for login, pam_securetty runs before and aborts.
 ## Also this should only run for login since securetty covers only login.
 # if [ "$PAM_USER" = "root" ]; then
 #    if [ -f /etc/securetty ]; then
 #       grep_result="$(grep "^[^#]" /etc/securetty)"
 #       if [ "$grep_result" = "" ]; then
-#          echo "$0: ERROR: Root login is disabled." >&2
-#          echo "$0: ERROR: This is because /etc/securetty is empty." >&2
-#          echo "$0: See also:" >&2
-#          echo "https://www.kicksecure.com/wiki/root#login" >&2
-#          echo "" >&2
+#          echo "\
+# $0: ERROR: Root login is disabled.
+# ERROR: This is because /etc/securetty is empty.
+# See also:
+# https://www.kicksecure.com/wiki/root#login
+# " >&2
 #          exit 0
 #       fi
 #    fi
 # fi

-## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
-pam_faillock_output="$(faillock --user "$PAM_USER")" || true
+## as user "user"
+## /usr/sbin/faillock -u user
+## faillock: Error opening /var/log/tallylog for update: Permission denied
+## /usr/sbin/faillock: Authentication error
+##
+## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+## xscreensaver has its own failed login counter.
+##
+## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+##
+## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+##
+## Checking exit code to avoid breaking when read-only disk boot but
+## without ro-mode-init or grub-live being used.
+if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then
+   true "$0: faillock non-zero exit code."
+   exit 0
+fi

 if [ "$pam_faillock_output" = "" ]; then
   true "$0: no failed login"
   exit 0
 fi

-## Example:
+## example pam_faillock_output (stdout):
 ## user:
 ## When                Type  Source                                           Valid
 ## 2021-08-10 16:26:33 RHOST                                                      V
 ## 2021-08-10 16:26:54 RHOST                                                      V

-pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)"
+## example pam_faillock_output (stderr):
+## faillock: No user name supplied.
+## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
+
+## Get first line.
+#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
+while read -t 10 -r pam_faillock_output_first_line ; do
+   break
+done <<< "$pam_faillock_output"
+
+true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
+## example pam_faillock_output_first_line:
+## user:
+
 user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")"
+## example user_name:
+## user
+## root

 pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
+## example pam_faillock_output_count:
+## 2
+## example pam_faillock_output_count:
+## 4

+## Do not count the first two informational textual output lines
+## (starting with "user:" and "When").
 failed_login_counter=$(( pam_faillock_output_count - 2 ))

-if [ ! "$PAM_USER" = "$user_name" ]; then
-   echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2
-   echo "$0: ERROR: Please report this bug." >&2
-   echo "" >&2
-   exit 0
-fi
+## example failed_login_counter:
+## 2

 if [ "$failed_login_counter" = "0" ]; then
   true "$0: INFO: Failed login counter is 0, ok."
   exit 0
 fi

-## pam_faillock default
+## pam_faillock default if it cannot be determined below.
 deny=3

 if test -f /etc/security/faillock.conf ; then
@ -118,37 +166,43 @@ if test -f /etc/security/faillock.conf ; then
 fi

 if [[ "$deny" == *[!0-9]* ]]; then
-   echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2
-   echo "$0: ERROR: Please report this bug." >&2
-   echo "" >&2
+   echo "\
+$0: ERROR: deny is not numeric. deny: '$deny'
+ERROR: Please report this bug.
+" >&2
   exit 0
 fi

 remaining_attempts="$(( $deny - $failed_login_counter ))"

 if [ "$remaining_attempts" -le "0" ]; then
-   echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
-   echo "$0: To unlock, run the following command as superuser:" >&2
-   echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
-   echo "" >&2
-   echo "faillock --reset --user $PAM_USER" >&2
-   echo "" >&2
-   echo "$0: However, most likely unlock procedure is required." >&2
-   echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
-   echo "$0: See also:" >&2
-   echo "https://www.kicksecure.com/wiki/root#unlock" >&2
-   echo "" >&2
+   echo "\
+$0: ERROR: Login blocked after $failed_login_counter attempts.
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+faillock --reset --user $PAM_USER
+
+However, most likely unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#unlock
+" >&2
   exit 0
 fi

-echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
-echo "$0: Login will be blocked after $deny attempts." >&2
-echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
-echo "" >&2
+echo "\
+$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
+Login will be blocked after $deny attempts.
+You have $remaining_attempts more attempts before unlock procedure is required.
+" >&2

 if [ "$PAM_SERVICE" = "su" ]; then
-   echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
-   echo "" >&2
+   echo "\
+$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
+" >&2
 fi

+true "$0: END"
+
 exit 0