#!/bin/bash ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/lib/helper-scripts/pre.bsh ]; then source /usr/lib/helper-scripts/pre.bsh fi set -e true " ##################################################################### ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " sudo_users_check () { sudo_users="$(getent group sudo | cut -d: -f4)" ## example sudo_users: ## user,root OLD_IFS="$IFS" IFS="," export IFS for user_with_sudo in $sudo_users ; do if [ "$user_with_sudo" = "root" ]; then ## root login is also restricted. ## Therefore user "root" being member of group "sudo" is ## considered insufficient. continue fi are_there_any_sudo_users=yes break done IFS="$OLD_IFS" export IFS ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 if [ ! "$are_there_any_sudo_users" = "yes" ]; then echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 echo "https://www.whonix.org/wiki/security-misc#install" >&2 exit 200 fi } console_users_check() { console_users="$(getent group console | cut -d: -f4)" ## example ssh_users: ## user console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)" OLD_IFS="$IFS" IFS="," export IFS for user_with_console in $console_users $console_unrestricted_users ; do if [ "$user_with_console" = "root" ]; then ## root login is also restricted. ## Therefore user "root" being member of group "console" is ## considered insufficient. continue fi are_there_any_console_users=yes break done IFS="$OLD_IFS" export IFS ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 if [ ! "$are_there_any_console_users" = "yes" ]; then echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 echo "https://www.whonix.org/wiki/security-misc#install" >&2 exit 201 fi } ssh_users_check() { if ! deb-systemd-helper --quiet was-enabled 'ssh.service'; then return 0 fi ssh_users="$(getent group ssh | cut -d: -f4)" ## example ssh_users: ## user OLD_IFS="$IFS" IFS="," export IFS for user_with_ssh in $ssh_users ; do if [ "$user_with_ssh" = "root" ]; then ## root login is also restricted. ## Therefore user "root" being member of group "ssh" is ## considered insufficient. continue fi are_there_any_ssh_users=yes break done IFS="$OLD_IFS" export IFS ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 if [ ! "$are_there_any_ssh_users" = "yes" ]; then echo "$0: ERROR: ssh.service is enabled but no user is a member of group 'ssh'." >&2 echo "$0: ERROR: Installation aborted since this would likely break SSH login." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user ssh" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 echo "https://www.whonix.org/wiki/security-misc#install" >&2 exit 201 fi } if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then sudo_users_check console_users_check ssh_users_check fi true "INFO: debhelper beginning here." #DEBHELPER# true "INFO: Done with debhelper." true " ##################################################################### ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " ## Explicitly "exit 0", so eventually trapped errors can be ignored. exit 0