mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-27 00:19:44 -05:00
6479c883bf
Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' is restricted from using the console through ancient, unpopular login methods such as /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user' will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592
#!/bin/bash

## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Debian maintainer script (it reads $DPKG_MAINTSCRIPT_PACKAGE and
## $DPKG_MAINTSCRIPT_NAME and dispatches on the dpkg action in $1).
##
## Sequence:
##   1. optionally source the shared helper prelude,
##   2. dispatch on $1 (configure / abort-* / anything else is an error),
##   3. create the groups the package relies on and add root to two of them,
##   4. regenerate the PAM configuration,
##   5. run the package's permission lockdown helper,
##   6. refresh the GRUB configuration if update-grub is available,
##   7. run the debhelper-generated snippets.
##
## NOTE(review): steps 3-6 sit after 'esac', so they run for every accepted
## action (configure and the abort-* actions alike), not only on 'configure'.

## The prelude is sourced into this shell, so it runs with the privileges of
## this script; the file and its parent directories need to be writable by
## root only.
if [[ -f /usr/lib/helper-scripts/pre.bsh ]]; then
   source /usr/lib/helper-scripts/pre.bsh
fi

## From here on an unhandled non-zero exit status aborts the script, so a
## failed group creation, PAM update or permission lockdown is not silently
## skipped.
set -e

## 'true' ignores its arguments; this banner is only visible when shell
## tracing is active (presumably switched on by pre.bsh - confirm).
true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

case "$1" in
   configure)
      ## Best effort: a failure to recompile the GSettings schemas must not
      ## fail the package configuration.
      glib-compile-schemas /usr/share/glib-2.0/schemas || true
      ;;

   abort-upgrade|abort-remove|abort-deconfigure)
      ## Nothing action-specific to do.
      ;;

   *)
      ## Unknown action: refuse to continue rather than guess.
      printf '%s\n' "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
      exit 1
      ;;
esac

## NOTE(review): the reason root needs to be a member of 'sudo' is not visible
## in this file - confirm against the package's PAM / su configuration.
addgroup root sudo

## System groups used by the package.
## NOTE(review): 'sysfs' and 'cpuinfo' presumably gate access to hardware
## information - verify against the files that reference these groups.
addgroup --system sysfs
addgroup --system cpuinfo

## Per the package's commit notes: once the console-lockdown PAM profile is
## enabled, members of 'console' may use tty1 to tty7 and members of
## 'console-unrestricted' are exempt from the restriction. The profile is not
## enabled by default by this package.
addgroup --system console
addgroup --system console-unrestricted

## Root is put into 'console' before the PAM configuration is regenerated,
## presumably so that root console login keeps working when the lockdown
## profile is enabled - confirm.
addgroup root console

## Maintainer-script mode of pam-auth-update: regenerate the PAM
## configuration from the installed profiles.
pam-auth-update --package

## Package helper, executed as shipped under /usr/lib/security-misc.
/usr/lib/security-misc/permission-lockdown

## https://phabricator.whonix.org/T377
## Debian has no update-grub trigger yet:
## https://bugs.debian.org/481542
if command -v update-grub >/dev/null 2>&1; then
   ## A failing update-grub is reported loudly but does not abort the script;
   ## the status is captured so the message can name it.
   update_grub_status=0
   update-grub || update_grub_status=$?
   if [ "$update_grub_status" -ne 0 ]; then
      printf '%s\n' "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
'update-grub' failed with exit code $update_grub_status. $DPKG_MAINTSCRIPT_PACKAGE is most \
likely only the trigger, not the cause. Unless you know this is not an issue, \
you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
   fi
fi

true "INFO: debhelper beginning here."

## The marker below is replaced by debhelper at build time; keep it verbatim.
#DEBHELPER#

true "INFO: Done with debhelper."

true "
#####################################################################
## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0