diff --git a/debian/control b/debian/control index b9f0fd1..8b833f0 100644 --- a/debian/control +++ b/debian/control @@ -180,6 +180,12 @@ Description: enhances misc security settings . access rights relaxations: . + Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with + hidepid. + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 + https://forums.whonix.org/t/cannot-use-pkexec/8129 + /usr/bin/pkexec.security-misc + . This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. It is recommended to lock and expire the root account. diff --git a/debian/security-misc.displace b/debian/security-misc.displace index c94cc0f..ec8a20b 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,4 +1,5 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +/usr/bin/pkexec.security-misc /etc/securetty.security-misc diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index aa48b61..95c8558 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,3 +3,5 @@ user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops + +%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc new file mode 100755 index 0000000..24d6008 --- /dev/null +++ b/usr/bin/pkexec.security-misc @@ -0,0 +1,89 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with +## hidepid. +## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 +## * https://forums.whonix.org/t/cannot-use-pkexec/8129 + +set -e + +## If hidepid is not in use, just use pkexec normally. +if ! mount | grep "/proc" | grep "hidepid=2" ; then + pkexec.security-misc-orig "$@" + exit $? +fi + +## Prefer lxqt-sudo. +use_sudo=false + +original_args="$@" + +## Thanks to: +## http://mywiki.wooledge.org/BashFAQ/035 + +while : +do + case $1 in + ## Should show 'pkexec --version' or fail? + --version) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Should show 'pkexec --help' or fail? + --help) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Drop --disable-internal-agent as not needed and breaking both, + ## lxqt-sudo and sudo. + --disable-internal-agent) + shift + ;; + --user) + ## lxqt-sudo does not support "--user". + ## We should not make this wrapper run something as root which + ## is supposed to run under a different user. Try using + ## "sudo -A --user user --set-home" instead. + user_pkexec_wrapper="$2" + if [ "$user_pkexec_wrapper" = "" ]; then + shift + else + shift 2 + fi + use_sudo=true + ;; + --) + shift + break + ;; + *) + break + ;; + esac +done + +## If there are input files (for example) that follow the options, they +## will remain in the "$@" positional parameters. + +if [[ "$@" = "" ]]; then + ## Call original pkexec in case there are no arguments. + pkexec.security-misc-orig "$original_args" + exit $? +fi + +## set PATH same as root +## This is required for gdebi. +## REVIEW: is it ok that users can find out the PATH setting of root? +PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" +export PATH + +if [ "$use_sudo" = "true" ]; then + sudo -A --user "$user_pkexec_wrapper" --set-home "$@" +else + lxqt-sudo "$@" +fi diff --git a/usr/lib/security-misc/echo-path b/usr/lib/security-misc/echo-path new file mode 100755 index 0000000..374e300 --- /dev/null +++ b/usr/lib/security-misc/echo-path @@ -0,0 +1,8 @@ +#/bin/bash + +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e + +echo "$PATH"