mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
6479c883bf
Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592
20 lines
552 B
Plaintext
20 lines
552 B
Plaintext
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Console Lockdown
|
|
## https://forums.whonix.org/t/etc-security-hardening/8592
|
|
|
|
## see also:
|
|
## man access.conf
|
|
## man pam_access
|
|
|
|
## Usually tty7 is for X.
|
|
## Qubes uses tty1 for X.
|
|
|
|
## Allow members of group 'console' to use tty1 to tty7.
|
|
+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7
|
|
|
|
## Everyone else except members of group 'console-unrestricted'
|
|
## are restricted from everything else.
|
|
-:ALL EXCEPT console-unrestricted :ALL
|