#!/bin/bash ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/lib/helper-scripts/pre.bsh ]; then source /usr/lib/helper-scripts/pre.bsh fi set -e true " ##################################################################### ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " user_groups_modifications() { ## /usr/lib/security-misc/hide-hardware-info addgroup --system sysfs addgroup --system cpuinfo ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc addgroup root sudo ## Useful to create groups in preinst rather than postinst. ## Otherwise if a user saw an error message such as this: ## ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: You probably want to run: ## sudo adduser user console ## ## Then the user could not run 'sudo adduser user console' but also would ## have to create the groups himself. ## Related to Console Lockdown. ## /usr/share/pam-configs/console-lockdown-security-misc ## /etc/security/access-security-misc.conf addgroup --system console addgroup --system console-unrestricted ## This has no effect since by default this package also ships and an ## /etc/securetty configuration file that contains nothing but comments, i.e. ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: ## https://www.whonix.org/wiki/Root#Root_Login addgroup root console } sudo_users_check () { if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: ## qvm-run -u root debian-10 xterm return 0 fi sudo_users="$(getent group sudo | cut -d: -f4)" ## example sudo_users: ## user,root OLD_IFS="$IFS" IFS="," export IFS for user_with_sudo in $sudo_users ; do if [ "$user_with_sudo" = "root" ]; then ## root login is also restricted. ## Therefore user "root" being member of group "sudo" is ## considered insufficient. continue fi are_there_any_sudo_users=yes break done IFS="$OLD_IFS" export IFS ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 if [ ! "$are_there_any_sudo_users" = "yes" ]; then echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 echo "https://www.whonix.org/wiki/security-misc#install" >&2 exit 200 fi } console_users_check() { if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: ## qvm-run -u root debian-10 xterm return 0 fi console_users="$(getent group console | cut -d: -f4)" ## example ssh_users: ## user console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)" OLD_IFS="$IFS" IFS="," export IFS for user_with_console in $console_users $console_unrestricted_users ; do if [ "$user_with_console" = "root" ]; then ## root login is also restricted. ## Therefore user "root" being member of group "console" is ## considered insufficient. continue fi are_there_any_console_users=yes break done IFS="$OLD_IFS" export IFS ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 if [ ! "$are_there_any_console_users" = "yes" ]; then echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 echo "https://www.whonix.org/wiki/security-misc#install" >&2 exit 201 fi } legacy() { if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then return 0 fi if [ -f "/usr/share/whonix/marker" ]; then continue_yes=true if [ -f "/usr/share/kicksecure/marker" ]; then continue_yes=true fi if [ "$continue_yes" = "yes" ]; then return 0 fi if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: ## qvm-run -u root debian-10 xterm return 0 fi ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7 user_to_be_created=user addgroup "$user_to_be_created" console pam-auth-update --enable console-lockdown-security-misc mkdir --parents "/var/lib/legacy/do_once" touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1" } user_groups_modifications legacy if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then sudo_users_check console_users_check fi true "INFO: debhelper beginning here." #DEBHELPER# true "INFO: Done with debhelper." true " ##################################################################### ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " ## Explicitly "exit 0", so eventually trapped errors can be ignored. exit 0