## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: ## https://www.whonix.org/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 ## This is the error message should this fail: ## sudo su ## sudo: PAM account management error: Permission denied ## see also: ## man access.conf ## man pam_access ## Usually tty7 is for X. ## Qubes uses tty1 for X. ## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator. ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name". ## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. ## Allow members of group `console` to use: ## - 'console' ## - 'tty1' to 'tty7' ## - 'pts/0' to 'pts/9' ## - 'hvc0' to 'hvc9' ## serial console ## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 ## - 'ttyS0' to 'ttyS9' +:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ## Same as above also for members of group `sudo`. ## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 +:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ## Everyone else except members of group 'console-unrestricted' ## are restricted from everything else. -:ALL EXCEPT (console-unrestricted):ALL