Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
Patrick Schleizer
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
Patrick Schleizer
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment
2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment
2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
af607d5eb2
Create sysfs and cpuinfo groups
2019-10-15 21:02:03 +00:00
Patrick Schleizer
8132052ce0
run update-grub from postinst so /etc/default/grub.d changes take effect
2019-09-07 05:44:23 +00:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
404f597c0a
description
2019-07-31 07:29:42 +00:00
Patrick Schleizer
3f031a297d
Removes read, write and execute access for others for all users who have home
...
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior installation of this
package.
2019-07-13 16:20:14 +00:00
Patrick Schleizer
4079632d1a
remove modifying to /etc/pam.d directly (unrelased)
...
config-package-dev displace /etc/securetty
remove trailing spaces
https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
Patrick Schleizer
673aab6bc2
shut up pam-auth-update
2019-07-07 22:18:47 +00:00
Patrick Schleizer
67ff83262b
move to pam-auth-update --force
...
--package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
2019-07-07 21:31:56 +00:00
Patrick Schleizer
91fb21aafb
Due to error:
...
Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so
run:
pam-auth-update --package
from Debian maintainer scripts
2019-07-07 16:51:40 -04:00
Patrick Schleizer
06b86229a4
update path to pre.bsh
2019-05-12 02:58:45 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright
2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
Patrick Schleizer
99bb1e877e
"$@"
2017-03-06 15:00:33 +00:00
Patrick Schleizer
dfe8a569b6
override glib-compile-schemas with || true in postinst
...
https://phabricator.whonix.org/T500
2017-02-19 22:32:04 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security
...
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00