mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-28 14:29:32 -05:00
Merge branch 'Kicksecure:master' into framebuffer
This commit is contained in:
commit
f81714be50
@ -1,3 +1,167 @@
|
||||
commit 6d7a78262464c054c46df155605a480f1b32f22c
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 07:21:46 2022 -0500
|
||||
|
||||
fix
|
||||
|
||||
commit 421f03ae9e648d366146415532d4dd9dda106980
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 07:20:56 2022 -0500
|
||||
|
||||
fix
|
||||
|
||||
commit ad1e722879ef049ef421f0062ee383770d66bfee
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 07:00:33 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit a806c782d78d691617dd650808a0403ce72d4a1a
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 07:00:23 2022 -0500
|
||||
|
||||
fix
|
||||
|
||||
commit 4601e106c4823f2cb0dc7a8ba601670395c96326
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:49:26 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 39b35ef9ac7489685df5486334a0acf5936e9b47
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:49:15 2022 -0500
|
||||
|
||||
fix
|
||||
|
||||
commit 73963a9e6847fd8099093da1253267d79db7d261
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:31:37 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit d05c10172178d04781976026243297fa153125a0
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:31:24 2022 -0500
|
||||
|
||||
debugging
|
||||
|
||||
commit 36454c2dbf43de4805f2f156b05d263c37b9615a
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:25:47 2022 -0500
|
||||
|
||||
debugging
|
||||
|
||||
commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:24:14 2022 -0500
|
||||
|
||||
debugging
|
||||
|
||||
commit 97722d1926bc106a0645783fcb55b7d5691c873b
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:14:15 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 497b5b45442b1293b130fef63de1b84d091d27eb
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 24 06:14:04 2022 -0500
|
||||
|
||||
fix
|
||||
|
||||
commit d7222b5678aa182866c389d8a88f55b6488e74e0
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 22 06:03:13 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 22 05:57:30 2022 -0500
|
||||
|
||||
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
|
||||
|
||||
commit d419898ee494fb159ed6811a719dbb4a5ffb469a
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Thu Nov 17 10:15:36 2022 -0500
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 02:01:23 2022 -0500
|
||||
|
||||
pam-info refactoring
|
||||
|
||||
commit caf0099064747a2048363e3600a53af51df549ad
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 02:00:32 2022 -0500
|
||||
|
||||
pam-info refactoring
|
||||
|
||||
commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 01:56:01 2022 -0500
|
||||
|
||||
comment
|
||||
|
||||
commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 01:55:14 2022 -0500
|
||||
|
||||
pam-info fix
|
||||
|
||||
commit ae113442a162969561a24fcf17718ceb6a11d928
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 01:49:45 2022 -0500
|
||||
|
||||
pam-info refactoring
|
||||
|
||||
commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Nov 16 01:44:21 2022 -0500
|
||||
|
||||
pam-info refactoring
|
||||
|
||||
commit e5d7ab7082908e64596ccd1da835a781cae22456
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 15 12:44:12 2022 -0500
|
||||
|
||||
comment
|
||||
|
||||
commit 23b936b573c8989222a50d1ef8c35dc95589bb0e
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 15 12:31:14 2022 -0500
|
||||
|
||||
also support /usr/local/etc/pam-info-debug
|
||||
|
||||
commit 95487346dbb18c4ac9133fc21b4abed12dc346b3
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 15 12:29:41 2022 -0500
|
||||
|
||||
pam-info: create debug log file ~/pam-info-debug.txt
|
||||
|
||||
when file /etc/pam-info-debug exists
|
||||
|
||||
commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 15 12:00:59 2022 -0500
|
||||
|
||||
comments
|
||||
|
||||
commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Tue Nov 15 11:58:50 2022 -0500
|
||||
|
||||
debugging
|
||||
|
||||
commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
Date: Wed Aug 24 18:28:39 2022 -0400
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit cdfc175953a8ab358bb8e6db2610df11733ba258
|
||||
Merge: ff84514 ae4d498
|
||||
Author: Patrick Schleizer <adrelanos@whonix.org>
|
||||
|
42
debian/changelog
vendored
42
debian/changelog
vendored
@ -1,3 +1,45 @@
|
||||
security-misc (3:26.6-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 24 Nov 2022 12:21:58 +0000
|
||||
|
||||
security-misc (3:26.5-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 24 Nov 2022 12:00:33 +0000
|
||||
|
||||
security-misc (3:26.4-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 24 Nov 2022 11:49:25 +0000
|
||||
|
||||
security-misc (3:26.3-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 24 Nov 2022 11:31:37 +0000
|
||||
|
||||
security-misc (3:26.2-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 24 Nov 2022 11:14:15 +0000
|
||||
|
||||
security-misc (3:26.1-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 22 Nov 2022 11:03:13 +0000
|
||||
|
||||
security-misc (3:26.0-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 17 Nov 2022 15:15:36 +0000
|
||||
|
||||
security-misc (3:25.9-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
@ -3,3 +3,4 @@
|
||||
|
||||
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||
|
||||
|
@ -3,6 +3,35 @@
|
||||
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## To enable debug log, run:
|
||||
## sudo touch /etc/pam-info-debug
|
||||
##
|
||||
## Debug log if enabled can be found in file:
|
||||
## /root/pam-info-debug.txt
|
||||
|
||||
true "$0: START PHASE 1"
|
||||
|
||||
if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
|
||||
set -x
|
||||
exec 5>&1 1>> ~/pam-info-debug.txt
|
||||
exec 6>&2 2>> ~/pam-info-debug.txt
|
||||
fi
|
||||
|
||||
true "$0: START PHASE 2"
|
||||
|
||||
set -o pipefail
|
||||
|
||||
## Debugging.
|
||||
who_ami="$(whoami)"
|
||||
true "$0: who_ami: $who_ami"
|
||||
true "$0: PAM_USER: $PAM_USER"
|
||||
true "$0: SUDO_USER: $SUDO_USER"
|
||||
|
||||
if [ "$PAM_USER" = "" ]; then
|
||||
true "$0: ERROR: Environment variable PAM_USER is unset!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
|
||||
|
||||
## Check if grep matched something.
|
||||
@ -23,17 +52,18 @@ if [ ! "$grep_result" = "" ]; then
|
||||
fi
|
||||
|
||||
if [ ! "$console_allowed" = "true" ]; then
|
||||
echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2
|
||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||
echo "" >&2
|
||||
echo "adduser $PAM_USER console" >&2
|
||||
echo "" >&2
|
||||
echo "$0: However, possibly unlock procedure is required." >&2
|
||||
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
||||
echo "$0: See also:" >&2
|
||||
echo "https://www.kicksecure.com/wiki/root#console" >&2
|
||||
echo "" >&2
|
||||
echo "\
|
||||
$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
|
||||
To unlock, run the following command as superuser:
|
||||
(If you still have a sudo/root shell somewhere.)
|
||||
|
||||
adduser $PAM_USER console
|
||||
|
||||
However, possibly unlock procedure is required.
|
||||
First boot into recovery mode at grub boot menu and then run above command.
|
||||
See also:
|
||||
https://www.kicksecure.com/wiki/root#console
|
||||
" >&2
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
@ -41,73 +71,91 @@ fi
|
||||
|
||||
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
|
||||
|
||||
if [ ! "$(id -u)" = "0" ]; then
|
||||
## as user "user"
|
||||
## /usr/sbin/faillock -u user
|
||||
## faillock: Error opening /var/log/tallylog for update: Permission denied
|
||||
## /usr/sbin/faillock: Authentication error
|
||||
##
|
||||
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
|
||||
## xscreensaver has its own failed login counter.
|
||||
##
|
||||
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
||||
##
|
||||
## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
|
||||
## TODO: echo -> true
|
||||
echo "$0: not started as root, exiting."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
## Does not work (yet) for login, pam_securetty runs before and aborts.
|
||||
## Also this should only run for login since securetty covers only login.
|
||||
# if [ "$PAM_USER" = "root" ]; then
|
||||
# if [ -f /etc/securetty ]; then
|
||||
# grep_result="$(grep "^[^#]" /etc/securetty)"
|
||||
# if [ "$grep_result" = "" ]; then
|
||||
# echo "$0: ERROR: Root login is disabled." >&2
|
||||
# echo "$0: ERROR: This is because /etc/securetty is empty." >&2
|
||||
# echo "$0: See also:" >&2
|
||||
# echo "https://www.kicksecure.com/wiki/root#login" >&2
|
||||
# echo "" >&2
|
||||
# echo "\
|
||||
# $0: ERROR: Root login is disabled.
|
||||
# ERROR: This is because /etc/securetty is empty.
|
||||
# See also:
|
||||
# https://www.kicksecure.com/wiki/root#login
|
||||
# " >&2
|
||||
# exit 0
|
||||
# fi
|
||||
# fi
|
||||
# fi
|
||||
|
||||
## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
|
||||
pam_faillock_output="$(faillock --user "$PAM_USER")" || true
|
||||
## as user "user"
|
||||
## /usr/sbin/faillock -u user
|
||||
## faillock: Error opening /var/log/tallylog for update: Permission denied
|
||||
## /usr/sbin/faillock: Authentication error
|
||||
##
|
||||
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
|
||||
## xscreensaver has its own failed login counter.
|
||||
##
|
||||
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
||||
##
|
||||
## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
|
||||
##
|
||||
## Checking exit code to avoid breaking when read-only disk boot but
|
||||
## without ro-mode-init or grub-live being used.
|
||||
if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then
|
||||
true "$0: faillock non-zero exit code."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$pam_faillock_output" = "" ]; then
|
||||
true "$0: no failed login"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
## Example:
|
||||
## example pam_faillock_output (stdout):
|
||||
## user:
|
||||
## When Type Source Valid
|
||||
## 2021-08-10 16:26:33 RHOST V
|
||||
## 2021-08-10 16:26:54 RHOST V
|
||||
|
||||
pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)"
|
||||
## example pam_faillock_output (stderr):
|
||||
## faillock: No user name supplied.
|
||||
## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
|
||||
|
||||
## Get first line.
|
||||
#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
|
||||
while read -t 10 -r pam_faillock_output_first_line ; do
|
||||
break
|
||||
done <<< "$pam_faillock_output"
|
||||
|
||||
true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
|
||||
## example pam_faillock_output_first_line:
|
||||
## user:
|
||||
|
||||
user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")"
|
||||
## example user_name:
|
||||
## user
|
||||
## root
|
||||
|
||||
pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
|
||||
## example pam_faillock_output_count:
|
||||
## 2
|
||||
## example pam_faillock_output_count:
|
||||
## 4
|
||||
|
||||
## Do not count the first two informational textual output lines
|
||||
## (starting with "user:" and "When").
|
||||
failed_login_counter=$(( pam_faillock_output_count - 2 ))
|
||||
|
||||
if [ ! "$PAM_USER" = "$user_name" ]; then
|
||||
echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
## example failed_login_counter:
|
||||
## 2
|
||||
|
||||
if [ "$failed_login_counter" = "0" ]; then
|
||||
true "$0: INFO: Failed login counter is 0, ok."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
## pam_faillock default
|
||||
## pam_faillock default if it cannot be determined below.
|
||||
deny=3
|
||||
|
||||
if test -f /etc/security/faillock.conf ; then
|
||||
@ -118,37 +166,43 @@ if test -f /etc/security/faillock.conf ; then
|
||||
fi
|
||||
|
||||
if [[ "$deny" == *[!0-9]* ]]; then
|
||||
echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
echo "\
|
||||
$0: ERROR: deny is not numeric. deny: '$deny'
|
||||
ERROR: Please report this bug.
|
||||
" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
remaining_attempts="$(( $deny - $failed_login_counter ))"
|
||||
|
||||
if [ "$remaining_attempts" -le "0" ]; then
|
||||
echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
|
||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||
echo "" >&2
|
||||
echo "faillock --reset --user $PAM_USER" >&2
|
||||
echo "" >&2
|
||||
echo "$0: However, most likely unlock procedure is required." >&2
|
||||
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
||||
echo "$0: See also:" >&2
|
||||
echo "https://www.kicksecure.com/wiki/root#unlock" >&2
|
||||
echo "" >&2
|
||||
echo "\
|
||||
$0: ERROR: Login blocked after $failed_login_counter attempts.
|
||||
To unlock, run the following command as superuser:
|
||||
(If you still have a sudo/root shell somewhere.)
|
||||
|
||||
faillock --reset --user $PAM_USER
|
||||
|
||||
However, most likely unlock procedure is required.
|
||||
First boot into recovery mode at grub boot menu and then run above command.
|
||||
See also:
|
||||
https://www.kicksecure.com/wiki/root#unlock
|
||||
" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
|
||||
echo "$0: Login will be blocked after $deny attempts." >&2
|
||||
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
|
||||
echo "" >&2
|
||||
echo "\
|
||||
$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
|
||||
Login will be blocked after $deny attempts.
|
||||
You have $remaining_attempts more attempts before unlock procedure is required.
|
||||
" >&2
|
||||
|
||||
if [ "$PAM_SERVICE" = "su" ]; then
|
||||
echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
|
||||
echo "" >&2
|
||||
echo "\
|
||||
$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
|
||||
" >&2
|
||||
fi
|
||||
|
||||
true "$0: END"
|
||||
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user